Resuming effective business operations post Covid-19: What role changes for security and business continuity management (if any)?
Chair: Martin Gill
Rinske Geerlings, 2019 OSPA Finalist, Founder and Principal Consultant at Business as Usual (Australia)
Stephen Ssendikaddiwa, whose roles have included Head of Strategy, Head of Risk and Director of IT Business Automation, Central Bank of Uganda
Shannon Sedgwick, Senior Managing Director, Ankura (Australia)
Glenn Schoen, CEO at Boardroom@Crisis BV (Netherlands)
Shannon Sedgwick notes that the sector’s response is highlighting old issues that are finding a new expression in this very different type of crisis. For certain security is at the forefront in tackling business critical operations, and where the business focus is about optimising costs. This is an opportunity for security but it has dangers too and you will hear him place an emphasis on the need to communicate effectively. Effective communication is necessary about how the good ways the response is being managed, but also more broadly how what is being done aligns with the strategy of the business. His view is that security professionals are up to the task, but warns that security, including cyber, is often amongst the first to suffer in organisational cutbacks. He notes that there is often a lack of awareness of what is achieved by security on the ground at the highest levels in organisations. He warns of dangers, and gives as an example, the mass transition to working from home. He notes that people can get lazy, they are using systems not configured for the contexts they are being used for; this is new and it needs to be managed.
You will likely enjoy Glenn Schoen’s scene setting. He warns of more trouble to come, and notes that Covid-19 is a physical threat and it needs a matched response. He outlines what he sees as the strategic role of security and this includes facilitating business operations and the strategic monitoring of risk. He says security needs to be better at management and underlines the importance of remote technology. Crisis management is a board level concern and therein rests the opportunity for security to influence horizontally, not just to the top but also vertically across the organisation helping them – amongst other things – to risk assess effectively.
Stephen Ssendikaddiwa notes that an organisation’s biggest risks are the one that are unknown and Covid-19 fits that description. Many crisis plans have not been prepared for this one, and the skills for responding effectively have not been developed. He highlights one of the biggest dangers and challenges, that the nature of risks is changing as technology takes over the running of systems. To illustrate you will hear him talking about organisations initially feared cloud services, whereas now they can’t operate without them although there are dangers he says in popularising one specific provider. Organisations hadn’t counted on people working from home in such numbers and this represents a loss of control over the end user and companies need to manage that. He argues there is now added importance of the security of back end systems and the weaknesses in security between the different ones that companies are operating.
Rinske Geerlings has a key message, she emphasises at both the beginning and the end of this webinar, the need to keep things simple. She highlights the risks of this crisis breeding other ones, what happens now if the internet goes down? It begs the question whether organisations are prepared for this in the context of so many people working from home; whether the skillsets are there to resume operations. She notes that the security sector has been developing skills in business continuity, and security professionals bring distinct perspectives: on the ability to identify unknown risks; on what offenders are planning and doing; and in raising awareness to different audiences from the top of the organisation to the bottom. She advocates a need for an interesting organizational shift in culture; one to enable people to make mistakes so there is an honest understanding of what is truly risky.
The role of security in the move ‘back to business as usual’, or rather the ‘new usual’, is in process. The panel present both optimism and a warning about the dangers. The quality of the type of security we get in the future will depend in no small measure on our ability to learn as we go, on this only some think security is excelling although there is much optimism it can.