Organizations are rethinking their business continuity plans to get ahead of the coronavirus COVID-19 pandemic, an opportunity for IT risk analysts to bring to the table the critical thinking skills of Factor Analysis of Information Risk (FAIR™) and quantitative cyber risk analysis.
Jack Freund, PhD (FAIR Institute Fellow, co-author of the FAIR book with Jack Jones, and Risk Science Director at RiskLens), has some solid suggestions for analysts and CISOs in this brief podcast.
Jack says it starts with:
- Understanding which are the critical business processes (and which are nice to have)
- Understanding the tech stack and controls supporting those processes
- Understanding quantitatively the value of controls, and the probable effect of removing controls to meet budget or staffing limitations
- Understanding the organization’s risk appetite and risk tolerance for losses.
Hear more from Jack in the podcast below or keep scrolling to read the transcript.
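As an added example (not code from the FAIR Institute, RiskLens, or the podcast), here is a small FAIR-style Monte Carlo in Python that does the arithmetic behind the last two bullets above: it estimates annualized loss exposure for one scenario with a control in place and with it removed, reports the difference as the control's yearly value, and checks each option against a stated risk tolerance. The scenario (opportunistic phishing, with staffed monitoring and alerting as the control), the ranges, and the tolerance figure are all constructed placeholders, and the modified-PERT sampling and percentile summary are choices made here rather than anything the page prescribes.

```python
# Added example (not from the FAIR Institute, RiskLens, or the podcast):
# a FAIR-style Monte Carlo that quantifies the probable effect of removing
# a control. All ranges below are constructed placeholders, not calibrated
# estimates for any real organization.
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate, sampled as a modified-PERT (beta) distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        span = self.high - self.low
        if span <= 0:
            return self.low
        a = 1 + lam * (self.likely - self.low) / span
        b = 1 + lam * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """FAIR inputs for one loss scenario (every value here is an assumption)."""
    name: str
    tef: Pert        # threat event frequency: threat events per year
    vuln: Pert       # vulnerability: P(a threat event becomes a loss event)
    magnitude: Pert  # loss magnitude per loss event, USD


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly event counts used here."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Annualized loss exposure (ALE) summary over `trials` simulated years."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    yearly = []
    for _ in range(trials):
        threat_events = poisson(rng, scenario.tef.sample(rng))
        vuln = scenario.vuln.sample(rng)
        loss_events = sum(1 for _ in range(threat_events) if rng.random() < vuln)
        yearly.append(sum(scenario.magnitude.sample(rng) for _ in range(loss_events)))
    yearly.sort()
    pct = lambda q: yearly[min(len(yearly) - 1, int(q * len(yearly)))]
    return {"name": scenario.name, "mean": statistics.fmean(yearly),
            "p50": pct(0.50), "p90": pct(0.90), "max": yearly[-1]}


def compare_control(with_control: Scenario, without_control: Scenario,
                    tolerance_p90: float, trials: int = 10_000) -> dict:
    """Value of the control = ALE delta; flags whether each option stays inside tolerance at p90."""
    kept, removed = simulate(with_control, trials), simulate(without_control, trials)
    return {
        "ale_with_control": kept["mean"],
        "ale_without_control": removed["mean"],
        "control_value_per_year": removed["mean"] - kept["mean"],
        "p90_with_control": kept["p90"],
        "p90_without_control": removed["p90"],
        "within_tolerance_with_control": kept["p90"] <= tolerance_p90,
        "within_tolerance_without_control": removed["p90"] <= tolerance_p90,
    }


# Constructed scenario: opportunistic phishing leading to account compromise;
# the control under budget pressure is staffed 24x7 monitoring and alerting.
PHISHING_MONITORED = Scenario(
    "phishing -> account compromise, monitoring staffed",
    tef=Pert(20, 40, 80), vuln=Pert(0.02, 0.05, 0.10),
    magnitude=Pert(5_000, 40_000, 250_000),
)
PHISHING_UNMONITORED = Scenario(
    "phishing -> account compromise, monitoring cut back",
    tef=Pert(20, 40, 80), vuln=Pert(0.05, 0.12, 0.25),
    magnitude=Pert(5_000, 40_000, 250_000),
)
RISK_TOLERANCE_P90_USD = 1_000_000  # assumed: max acceptable 90th-percentile annual loss

if __name__ == "__main__":
    result = compare_control(PHISHING_MONITORED, PHISHING_UNMONITORED, RISK_TOLERANCE_P90_USD)
    for key, value in result.items():
        print(f"{key:34s} {value:>14,.0f}" if isinstance(value, float) else f"{key:34s} {value}")
```

The useful output is not the point estimate but the delta between the two distributions: if cutting the control moves the 90th-percentile loss past the tolerance the business has agreed to, that is the number to put in front of leadership when the staffing decision is made, and the one to revisit afterwards, as Jack describes below.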
Q: Jack, many businesses are beginning to react in a serious way to the Coronavirus pandemic. What do you think in particular that cyber risk analysts can do to help their organizations prepare?
A: Well, the role of the risk analyst in any scenario is to be calm and levelheaded. So, the first thing we have to do is really analyze what are the impacts to our organization of this virus and other things like it that may cause the business to be interrupted for short to extended periods of time.
If you think about the organization and its risk models as statements of loss and impact or outcomes, there is probably a number of what are sometimes called in operational risk, “risk triggers” that could bring about such a scenario.
It could be natural disasters such as hurricanes and tornadoes; it could be flooding; it could be massive snowstorms; it could also be virus outbreaks.
With that in mind, try to understand and think about what extended employee outages, or large-scale mandated work from home, would look like for an organization, and think about the technical infrastructure from the base level all the way up.
Number one, can your VPN concentrator handle all those people logging in remotely? Do you have to think about staffing people in waves and having different start times and stop times?
So, there’s a number of things you can do as part of your business continuity planning, to think about how to adapt to this type of world where there’s less face-to-face, on premise types of operations.
But the number one thing you need to do, especially in the case of a more long-term, extended business interruption scenario, is understand what is critical and what is a nice-to-have. And these types of decisions have to be made with dedicated analysis and thoughtful consideration.
So, understanding the quantitative nature of what different types of controls cost, what IT and cybersecurity services cost the organization in terms of headcount and financial outlay but also what’s the risk associated with not doing those things.
Regardless of the outcome of the business outage, there’s going to be a time on the other side of this where you have to come to terms and rationalize the cuts that you have made, if they brought about opportunistic infections, opportunistic hacks and breaches in your organization because you were cutting back on things.
So, being able to have a very detailed analysis that backs up your points and why you made the decisions you did is a critical path item.
Q: So, for cyber risk analysts looking at these truly complex IT systems that the large companies run, where would you recommend that they make a start?
A: The most important place to start is to think about business process maps: What are the critical products and services that the business offers, what are the business processes that support those, and then what’s the tech stack underneath it that supports that.
And that gives you the opportunity to understand which controls need to be in place to make those things happen, and what is the potential loss associated with removing staff support for those business processes from an IT and cybersecurity side.
Q: Are there any challenges that you see arising from cybersecurity that, as you say, might be opportunistic?
A: Yes, we are already seeing these types of phishing emails that are purported to offer information and testing about COVID-19; any sort of news item that is in the zeitgeist is an opportunity for phishers to try to catch people. I think for companies that are actively cutting back on the services that they are offering and the IT infrastructure that they are supporting at this time, it’s really important to make sure that monitoring and alerting is still in place to try to catch things that may be missed if people aren’t staffing or watching things the way that they do normally.
And also, just understanding and prioritizing how much additional loss you are willing to take during these times as a result of cutbacks in the critical services from the IT team that are supporting critical products and services for the organization.
Q: Good advice for difficult times. Thank you, Jack.
A: Thank you, Jeff.