COVID-19: What the CIO and CISO can do to help COVID-19: What the CIO and CISO can do to help COVID-19: What the CIO and CISO can do to help

Concern over the scale and impact of the COVID-19 pandemic is growing, leading organizations to consider their response, and the actions they need to take now to maintain theirbusiness.The CIO and CISO have vital roles in making sure the organization can function as pandemic containment measures are implemented.

Can your business function effectively through remote working?

You need to ensure your business can work remotely and flexibly, and that employees are confident inbeing able to do so. This may require you to revisit decisions on access rights, entitlements and risk posture.
Questions to consider:

• Have you scaled your VPN concentrators, portals and gateways to handle a large number of colleagues who will need to workremotely?
• Have you considered the potential key suppliers, contractors and vendors, who will have toaccess and the additional scale that willbring?
• Have you tested the infrastructure to findout whether it can handle the expectedloading?
• Are there single points of failure in the infrastructure, and can you provideadditional resilience?
• Do you need to relax access controls orprovide additional remote login accounts orcredentials?
• Is there sufficient help desk capacity to handle any queries from users who are unable tologin, or unfamiliar with remoteworking?
• Where employees require access to laptops for remote working, is there a pool of laptops available or can more be procured and installedto meet demand, and how should allocation be prioritized?
• In cases where the pool of equipment islimited, have you considered essential services and splitting access to them via alternative access solutions (e.g., O365 and One Drive vs.in-house applications)?
• Have you considered the ability to whitelist only specific applications during this period and block all non-essential services?
• Do you have limitations on video andaudio teleconferencing bridges, and can you do anything to scale thatinfrastructure?
• Do you need to consider alternatecloud-based conferencing and teleworkingsolutions?
• Do all members of staff have the necessary access numbers/links to allow them to access the bridges, is training material readilyavailable and should you establish ahelpline?
• Can you remote your help desk operations ifthe help desk staff have to work fromhome?
• Have you prepared simple guides to be distributed to staff on key help deskrelated queries:
  • How do I login?
  • How do I change my password?
  • How do I access key services?
  • How can I get assistance from thehelp desk?
  • Who are my key contacts if I havea crisis?

Are you able to scale digital channels to dealwith demand?

Restrictions on travel and the spread of the virus may lead to new patterns of demand, and higher traffic on digital channels.

• More customers and clients may expect totransact with you through digital channels, can you scale those systems and services to deal with changing demand?
• How would you monitor loading and performance, and who can make the decisions to scale capacity, or create dynamic choices on prioritization if capacity is anissue?
• Are you clear which services you may need toshed, or how customer journeys may need to alter if systems areoverloaded?
• Are you dependent on key call centers, and ifthose call centers are closed or inaccessible, can customers and clients interact with you through otherchannels?
• Is there the option to allow call center staff towork remotely, or to transfer their loads to another call centerlocation?
• Have you considered the interactions betweencall centers and service/help desks and the impact of any outsourcingarrangements?
• Have you discussed the arrangements with key suppliers of those services, and how will they prioritize your needs against those of otherclients?

Are you dependent on key IT personnel?

Sadly employees may be infected or may findthemselves unable to travel or to have to meet family caring commitments; you should plan for a significant level of absenteeism.

• What would happen if key IT personnel (including contractors) are unable to travel, or are ill with the virus… are you dependent on a small number ofkey individuals?
• How could you reduce that dependency, for example, ensuring that there are “break glass” procedures in place to allow other administrators access to critical systems?
• What about the Security team? Who are the key individuals, and if the CISO is not available, thenwho will make the calls on the security posture and the acceptable risks to thebusiness?

What would happen if disruption to adatacenter occurs?

• Data centers may be impacted by the virustoo. A positive test may result in an evacuation and deep clean of the building; transport infrastructure disruption may prevent access, and data center staff may be unable towork.
• In the event that one of your data centers is evacuated, do you have disaster recoveryplans in place to deal with the disruption, and have you tested thoseplans?
• How quickly can you failover to analternate site, and who manages thatprocess?
• Are you dependent on key individuals(including contractor support) for the operation of the data center, and how can you manage that dependency?

Are you able to scale your cloudcapabilities?

There may be additional demands on cloud-based services, requiring you to scale the available computing power, which may incur additionalcosts. Other services may show reduceddemand.

• Are you able to monitor the demand for cloud computing services, and manage the allocation of resourceseffectively?
• Have you made arrangements to meet any additional costs which may be incurred from scaling or provisioning other cloud services?

Are you dependent on specific suppliers?

Your suppliers and partners will also be underpressure, and their operations disrupted too.

• Who are your critical suppliers, and how wouldyou manage if they are unable to operate, including disruption to your key managed serviceproviders?
• Are there steps you could take now to reduce that dependency, including using your teamresources?
• Are you discussing the implications with yourkey suppliers, and do you have the right points of contact with those suppliers?
• Have you identified which IT suppliers may come under financial pressure, and what would be your alternate sourcing strategy if they did fail?

What would happen if there 's a cyberincident?

Organized crime groups are using the fear ofCOVID-19to carry out highly targeted spear-phishing campaigns and set up fake websites, leading to an increased risk of a cybersecurityincident.

• Have you made it clear to employees whereto get access to definitive information on the COVID-19 pandemic and your organization's response toCOVID-19?
• Have you warned staff of the increased risk of phishing attacks using COVID-19 as a coverstory?
• If you're dependent on alternative systemsor solutions, including those procured as cloud services, who would you handle a security incident involving thosesystems?
• Do you need to change your approach tosecurity operations during the pandemic, including arrangements for monitoring of security events?

What would happen if there 's an IT incident?

WhileCOVID-19 dominates the news, you should still be aware of the possibility of an IT failure given the changing demands on your infrastructure, or an opportunistic cyber-attack.

• Would you be able to co-ordinate theincident remotely, and do you have the necessary conferencing facilities and access to incident management sites/processes andguides?
• Do you have a virtual war room setup, incase physical access is limited orrestricted?
• Are you dependent on key individuals for the incident response, and if so, what can you doto reduce that dependency?
• How does the emergency/incident response crisis management structure change if key incident managers/recovery leads areunavailable?
• Are you confident that your backups arecurrent, and that in the worst case you can restore vital corporate data andsystems?
• How would you deal with a widespread ransomware incident, when large parts ofyour workforce are homeworking?

Are you making the best use of yourresources?

You'll need to be able to function with limited employee numbers and be clear on the prioritytasks your team needs to be able tocomplete.

• Have you prioritized your team’s activities, are there tasks which you can defer and releasestaff for contingency planning and priority preparation tasks?
• Do you have the ability to access emergency funds if you need to source equipment, or additional contractor/specialist supportrapidly?
• If you are placed under pressure to reduce discretionary spend to preserve cash, areyou clear on which spend must be protected and where to make thosesavings?

Are you setting an example?

Amongst all of these organizational considerations,you are still a senior manager, and your team will look to you for leadership andsupport.

• Have you made sure your team isimplementing sensible hygiene practices, including offering flexible and remote working to meet changing needs?
• Doyouhaveup-to-datepointsofcontactdetailsforallofyourteam?Is your  team aware of who to contact in an emergency?
• Do you model the behaviors you expect ofyour team, and what would happen if you were incapacitated? Who would step in foryou?

If you have any questions or wouldlikeadditional advice, please contactus.