We live in amazing times. As if dealing with exponential growth in digital transformation (even without a clear idea of what the hell it means) while keeping it secure, reliable, and efficient were not enough, a few weeks ago we woke up to a global pandemic scenario that not even the finest conspiracy theories could have imagined.
The perimeter of digital services was blown away years ago, when customers, users, and individuals became massively aware of what technology they use, when they use it, and for which specific services they need or want it. Companies and organizations, save for a few very reluctant ones, were and still are at least a few steps behind.
In this new situation, all of us, individuals, companies, and organizations, are forced to move forward very fast and bring back to the table the rusty digitalization plans we drew up some time ago. This means increased risk from doing things in a hurry, in a very complex scenario that is here to stay.
Cybersecurity issues are the same as before, but amplified by the massive remote use of services and communications. Operational continuity and business operations become critical when the rising curve of digital adoption starts to point to the sky at rates never seen before. People need awareness and training; fraudsters are all around, and they are already digital (they have a very clear business case, and funding is not a problem). Vendors and providers are offering ready-to-go solutions and free or expanded services while they themselves are also affected. And privacy is everywhere, requiring a strong compliance perspective and customer interaction.
So, it’s time to grab a coffee, sit down, and take the time to figure out where we are and where we are expected to be in the near future (next month, next quarter, next year) in terms of assuring digital capabilities, risk management, and incident response.
Let us start by reviewing what really matters in any organization. Which processes and services are relevant for the numbers, for the reputation, and from the compliance perspective? We are facing a health problem today, so people remain at the top: the wellness and health of employees, customers, and contractors is the priority. At the same time, we must focus on which processes are key to carrying out the organization’s mission and which have the most impact on financial and strategic planning, and, of course, on the relevant pieces that support them: people, infrastructure, supply chain, and data. Looked at in detail, those pieces, together with the processes, are the essentials of an Information System, which is the core of a Digital Organization.
Developing a Resilience Program for a Digital Organization includes evaluating critical processes from different perspectives (financial, reputational, technological, security, continuity…), the systems and services that support them (technology infrastructure, applications, communications…), the third parties involved in keeping them up and running (suppliers, vendors, providers, outsourcing…) and, of course, the people involved (critical teams).
Only with that detailed information can we assess the risks those processes face and therefore manage them: accept, mitigate, or transfer them.
At this point, control frameworks gain relevance: the traditional approach to controls for security, privacy, continuity, and other relevant technological risks must be reviewed to become more effective and, especially, more agile. Implementing controls across different layers (technology, processes, and people) while keeping them coherent and efficient is not easy. Moreover, since not everything can be prevented and not all processes and their components have the same priority and relevance, improving the capabilities for early detection and response is key.
The concept of “IT Hygienization” suddenly appears, reminding Information Technology departments and managers, starting with the CIO and CTO, of the homework not done before. It is just a reminder of what they already knew, but today it is surfacing very fast. That homework includes obsolescence, patching and hardening, vulnerability management, secure design and development, and monitoring, monitoring, and more monitoring.
In addition, following that concept, the control units (CISO, Data Protection Officer, Business Continuity, IT Risk…) must stay close to the operational level while keeping an eye on the business, paying attention to their capability to report risks to the organization accurately, comprehensively, and fast, together with the best options to manage them by reacting with adequate levels of control.
Summarizing, the New Normal requires an agile approach. It also brings the opportunity to review our organizations and check our digital strategy and plans, focusing on what is really valuable for the company, especially in terms of resilience. That means structuring the review around three difficult questions. What is important for the organization to keep stable, working, and monitored? (Core business processes.) What technology and services support it? (Information systems.) And which risks and threats are clearly identified, and which controls must we reinforce? (Cyber and continuity.)