Unforeseen circumstances can cause your security risk profile to shift in unexpected ways — and the consequences can be serious. In a world where change can happen suddenly, security teams can play a crucial role in helping their organizations stay protected no matter what happens.
There's no way to anticipate and prepare for every possible scenario, but the right approach to business continuity can help you respond effectively in any situation. The key is to focus on agility and sustainability. Here are a few guiding principles that can help.
Now More Than Ever, Focus on Culture
Security has been traditionally viewed as a function that aimed simply to reduce risk. Since change introduces risk, security teams were often seen as the "department of no" and considered to be a necessary impediment to velocity. But the changes last year caused by the unprecedented and rapid shift to doing everything online challenged that premise, and many security best practices gave way in favor of speed.
Now it's time to take a pause and look at how security teams can shift the cultural mindset of being a blocker to an enabler and find ways to say "yes" to urgently needed projects and changing priorities. This doesn't mean throwing standards and best practices out the window. Rather, security teams should focus not just on flagging problems but also on helping the business address them and move forward.
At the same time, instead of relying solely on a large, centralized security team — a model ill-suited for fully distributed environments — organizations should embed security skills within product and development teams. Security champions in these groups can be empowered to operate independently, using a deeper understanding of business context and development processes to help solve problems more quickly and creatively.
Perhaps most importantly, executive leadership must send a clear message that security matters. A great example of this mindset in action was Zoom, where a sudden rapid adoption beyond its traditional enterprise base unexpectedly exposed significant security issues such as "Zoombombing." In response, the company enacted a 90-day freeze on shipping new features while it focused on closing these gaps. To have taken this step just as the company was seeing unprecedented demand for its product is remarkable.
Most organizations won't need to take such a drastic measure, but effective security leaders make sure their executive team keeps security top-of-mind across the business.
Provide Tools Across the Organization That People Like to Use
The digital era is built on the idea of agility: being able to respond quickly to new situations. In ordinary times, that might mean an emerging market opportunity, a rising competitive threat, or an exciting new innovation. Today, the idea also applies in times of crisis. Technology isn't just a nice-to-have in modern life; it's woven through everything from the way we work and play to the systems that provide our healthcare, food, education, utilities, and other essentials. As digital transformation continues to deepen these interconnections, it's essential for the security infrastructure to keep pace to provide a sound foundation so that we're protected from risk.
Even during "routine" digital transformation, the transition to cloud and DevOps proved incompatible with legacy security approaches based on complex tools in the hands of siloed experts. The scale and speed of innovation demand a more agile approach, leading modern security teams to adopt security tools that can be used by people without security expertise on decentralized application and DevOps teams. Given the visibility to see for themselves when something goes wrong, these teams can better protect their own apps without depending on specialized skills or services. That's especially valuable when in-person communication is problematic.
Plan for Crisis Because It Will Happen
Business continuity planning is a cornerstone of risk reduction for the enterprise as a whole; security teams should take the same approach within their own organization. How will you ensure continuous security during various types of disruptions? Are there applications where you would expect to see higher demand? Will people be working from different locations via different access points? Will the business need to roll out new capabilities for employees or customers?
One of the hallmark technology challenges during the COVID-19 crisis is the sudden need for previously internal resources such as human resources applications and IT issue-tracking tools to be externally reachable as employees shift to remote work. This need is obvious in hindsight, but it took many chief information security officers (CISOs) by surprise. It's not the kind of thing that occurs to you in the course of day-to-day work — but when the unexpected happens, you're forced to think it through in real time.
If you haven't already seen changes like these in your organization, take a moment to consider how you would deal with them. Plan your response to this and similar scenarios and figure out what tools you'll need to enable the shift.
As the COVID-19 crisis made all too painfully clear, the best response to the unexpected begins long before it arises. By embedding security throughout your culture, empowering teams to make it part of their work, and anticipating the implications of potential disruptions, you can move with greater agility as the need arises and make security more sustainable for the long term.