Coronavirus Exposing your Cybersecurity, Cloud, Digital Transformation, and Zero Trust Strategy?

Holding off on that cybersecurity, cloud, digital transformation, and zero trust projects doesn’t seem like such a good idea right now. If you’re part of the board, executive staff or line of business leader that didn’t want to approve or allocate that extra budget that the CISO, IT Leader or that InfoSec agitator that kept preaching about getting these projects and now you’re scrambling…then I don’t feel sorry for you (OK maybe a little)…but you can still save face.

The coronavirus is wreaking havoc on industry events and business travel on a level I have not seen in a long time if ever. I’ve never seen so many business conferences being cancelled, and workers being told to work from home. This is little like déjà vu.  I remember writing about this in a blog seven years when I worked for Citrix about the need for a flu season strategy.  And it still seems as if many organizations have not addressed how a bad flu season can affect business continuity.  Below is a snippet I wrote in that blog seven years ago:

“What’s amazing is that most organizations do not have a plan in place for how to address a bad flu season (or any flu season for that matter). Every organization should have a mobile workstyle strategy that improves productivity, reduces employer costs, and increases employee satisfaction during the flu season. The best way to address this is to have a flexible work policy that keeps sick employees at home and away from the office yet provides them with the access to work remote but effectively.”

Looks like much hasn’t changed.  Maybe I need to develop a formula for business continuity that the budget holders can understand so here goes. I have a couple version depends on where you sit inside the org. No disrespect meant.

This is my equation for IT Decision Makers (ITDMs). They get this.  They also understand you can plus a lot more variables into this equation.

This is a more simplified equation for my Business Decision Makers (BDMs).

The is an even simpler equation for the Board and Executive Staff.  Feel free to replace business productivity with a dollar sign if that helps.

A couple years ago I spoke to a CIO for a major healthcare organization and he told me something interesting about security budgets and spending. He said the board and executive staff pretty much gave them a specific budget for digital transformation, mobility, networking, and the cloud projects. On the other hand, security had an unlimited budget, but the problem was they didn’t know how to truly spend it.

In fact, one of the biggest roadblocks to implementing a true end-to-end security strategy was how decentralized and siloed IT organizations have become.  Stitching together all these different silos of innovation from a next-gen user experience to access management to IoT to networking to data security, networking, databases, you name it, and then now having to wrap security and compliance around it can be daunting. The decentralization of IT is not necessarily a bad thing but when the networking guy (just an example folks I’m not picking on you Cisco guys) can derail a comprehensive cybersecurity solution that integrates across the technology stack that’s a problem.

The world has fundamentally changed. In this new age of digital transformation, the perimeter has been blown off your IT infrastructure.  No one sits in an office connected to a PC connected to an ethernet cable connected to a server inside those four walls and this is why we have to be even more strategic with a top down approach on how we execute on these technology priorities.

Here is why I think most organizations stumble. They look at this new perimeter and see security as a hinderance, a challenge and not as an opportunity. Addressing your cybersecurity challenge can drive the innovation required to deliver a modern, scalable and automated infrastructure that can deliver workforce productivity, business continuity and disaster recovery. In fact, a comprehensive security strategy can drive the way you adopt cloud, digital transformation and zero trust technology and services.

Let’s take the NIST Cybersecurity framework for example. If an organization implemented even just some these cybersecurity standards, they would have already had a process in place that would address business continuity around the coronavirus.

For example, if they would have implemented governance, access control, security monitoring, response planning and recovery planning they would have already had some of the key elements in place during this coronavirus crisis. To keep your workforce productive, maintain business operations and address customer needs during the coronavirus crisis or any kind of disruption – including natural disasters, storms, utility outages or even the seasonal flu to name a few – is essential to not only business continuity but critical to helping customers get the essentials required for an economy to function during a crisis.

With that said here are my top 10 recommendations that your business continuity strategy should include, and this ties back to my equation:

Top 10 Recommendations

  • Business productivity – Have a plan. I am still amazed when I talk to organization that don’t officially have a plan in place. Duh!Cybersecurity – Implement a comprehensive cybersecurity strategy and align it to some compliance framework.  
  • Zero trust – A zero trust strategy is a good way to address work form home and remote access security concerns.
  • Data privacy – In the end it’s all about securing your data.  Think about how users are interacting with data and ensure its secure whether in use, at rest or in transit.
  • Compliance – Without good governance nothing matters.  You just wasted all your time deploying that really cool cloud, digital transformation, cybersecurity and/or zero trust project.
  • Digital Transformation – Your infrastructure needs to support what you want to do. It needs to be modern, can scale in or out as needs change, and automated as much as possible. What good is an error message if its not tied to a compliance action?
  • Mobility – Endpoint and IoT security. Every endpoint is a threat vector – need I say more.
  • Cloud – Yes, I know some of you require on-premise infrastructure and that’s all good but a good disaster recover or business continuity strategy request the ability to extend or move your data and resources to cloud services and resources as needed. What happens if the data center burns down or gets overrun by the zombie horde?
  • Networking – This touches everything bro. Anything with an IP address is an access point into your digital infrastructure. This may be one of your most critical pieces as I mentioned in a previous blog.
  • Business disruption – Identify the forces that can affect your business products and determine the cost of recovery vs IT budget to allocate. Think outside the box about the things that can affect your business productivity. Those stock buybacks may not be looking so good right now.

In the end define a strategy that works best for your organization. Ben Franklin said it best, “By failing to prepare, you are preparing to fail”.

Sidenote:  I want to shout out a few organizations that have really stepped up during this crisis.

Kudos to these organizations for addressing some of the urgent technology needs during this crisis.  It’s also a brilliant way to market your offerings. People remember how they were treated during a crisis and the companies that were there for them.

Companies offering free software during the coronavirus crisis:

If I missed some of the major tech companies post me a comment and I’ll add it to the list.

Stay secure my friends

@ChrisLCampbell