Security plays an additional role in a crisis like COVID-19: protecting the organization’s ability to respond effectively, which sometimes means accepting more risk. Security has to be laser-focused on ensuring that a physical or cyber crisis does not impede the organization’s response efforts. It also needs to be part of the ongoing risk decision-making as the crisis unfolds. Given this, below are my recommendations for additional considerations to fold into your current security and incident response efforts.
Revisit some risks now. A crisis can take you into uncomfortable territory from a controls and process perspective, so we need to spend time now reassessing some risks and anticipating others as part of crisis management. Revisit threats, likelihoods, and impacts in the context of the bigger picture, and help the organization avoid ending up unable to respond effectively to the current crisis and return to the new normal.
Sharpen response to risks. Speed, adaptability, and the other aspects of an effective response require a good command-and-control framework that relies on roles rather than specific people. The right people will always eventually rise to the occasion in a crisis. If not, you’re toast. History offers plenty of lessons where failed command-and-control results in chaos during stress and crisis, which is why it is one of the first things adversaries attack. A communication strategy is also essential, leveraging technology and agreed-upon protocols for cadence and messaging inside and outside the organization. Lastly, anticipate working outside the norms of your business during a crisis. Helping customers, or those who could become your customers, with their response usually turns out net positive through a crisis. Generosity and sacrifice often get rewarded.