Think 'next normal': 4 cyber-resilience lessons from the pandemic

John P. Mello Jr., freelance writer

The COVID-19 pandemic has changed the way many businesses do business—for some, irrevocably. It's also made them more aware of the need for resiliency and the role cybersecurity must play in ensuring that an organization can continue operations in the face of disruptive events.

"We are at an inflection point globally. The pandemic has affected us in ways that we never expected," said Mark Fernandes, CTO of Micro Focus Security, at a recent digital "fireside chat" about cyber resiliency during, after, and beyond COVID-19. And, he added, cybersecurity teams have been here before.

In 2001, there was SOX—Sarbanes-Oxley—which ushered in the era of compliance. Then in 2008, after a series of major cyber attacks, there was the era of threat management, as organizations began to recognize the potential damage cyber attacks could inflict on infrastructure and supply chains. In 2014, digital transformation began to gain steam and cybersecurity became about industry alignment with it.

Now, in 2020, another one of those watershed moments has arrived. If you look at the use of digital assets before 2020, they weren't mainstays being used at scale, Fernandes explained. Now, with everyone from educators to healthcare workers using digital tools, that's not the case anymore.

"I'm working with a government in another part of the world where they've actually said that 60% of their government desks are going to move to digital desks using chatbots and other types of tools."
Mark Fernandes

Here are the key lessons from the expert chat on cyber resilience, now and in the future.

1. Broaden your approach to resilience

A recurring issue among organizations has been distinguishing between cybersecurity and cyber resiliency.

TMX Group CISO Bobby Singh, who joined Fernandes during the online event, explained that cyber resiliency is being able to deliver critical business services when a negative security event is taking place. It's the ability to be nimble and agile, while building modularity into your architecture.

Some organizations believe that their disaster recovery plans cover their resiliency needs. That's not the case.

"Resiliency goes way beyond just being a [disaster recovery plan]."
Bobby Singh

It goes beyond business continuity plans (BCP), too.

Singh explained that when businesses do a BCP, they assume that anywhere from 10% to 50% of their staff will still be onsite to perform operations. That wasn't the case when COVID-19 began to spread. "During the March pandemic," he continued, "it was just literally 99% of the people that were offsite."

2. It does not happen overnight

TMX provides services to the global financial community, which has weathered the pandemic better than a lot of other industries, such as retail and hospitality. "You were able to do your banking pretty well, paid your bills online, and did whatever transactions you wanted to do," Singh said.

That kind of resiliency, though, isn't accomplished overnight.

"That journey took a long time to get to March. It didn't happen in 2020."
—Bobby Singh

"We as a financial sector have been thinking about the use of the cloud. We've been thinking about multiple data centers," Singh said. "We've been thinking about spreading our resources and key staff across regions so if one region is down, the other one can come up. Those things were fundamentally ingrained into the financial sector."

He added that to achieve that kind of resiliency, a business needs to understand its full value chain. It has to know how its business services get to its clients or customers and what that entails, as well as how diversified its suppliers are.

And testing multiple scenarios is key. "It takes time," he said. "It consumes critical resources to test. But it's quite evident by what happened in March of 2020, for example, that testing is pretty critical."

Another participant in the online event, Christina Richmond, program vice president for security services at IDC, said that organizations should make sure they have a playbook and a plan and that the plan is practiced with stakeholders. "And make sure you include stakeholders across the entire business," she advised.

To be resilient, she continued, an organization needs to include a broad set of stakeholders from across the business. "It's a team sport."

3. Prepare for the 'next normal'

Richmond explained that during the first stage of the pandemic, many businesses were scrambling to enhance their network capacity to accommodate remote workers.

After dealing with initial capacity issues, they moved on to capacity optimization, she said. They continued enhancing their network capacity and remote working capabilities, as well as looking at how to secure people working from home. They also started to consider recovery.

Finally, they started to look at resiliency and how they could prepare for the future. That accelerated migration to the cloud and digital transformation. "Companies are changing rapidly to embrace cloud in a way that they never thought they would, even if they were on that path to embrace cloud," Richmond said.

"They're embracing digital business in ways that they never thought they would. Suddenly, it was an urgent necessity."
Christina Richmond

Now bitten by the digital bug, as organizations move toward the "next normal," they're going to spend more aggressively, she predicted. And they are going to start to innovate again, she said. "They'll focus on technologies that advance their digital capabilities in ways that they really didn't think about before. Or if they had thought about it before, they're accelerating those plans."

4. It takes the right team

As digital transformation takes hold in more and more companies, resiliency will play an important role in securing business operations. But resiliency will require manpower, which seems to be in short supply these days.

There are millions of jobs open in cyber security globally, said Singh.

"You're not going to fill them by hiring propeller heads or coders or developers or people in network security. We've got to broaden the horizon."
—Bobby Singh

The key to solving the cyber-security talent shortage is looking for people beyond STEM, added Richmond.

"They think differently. They're asking different questions. They're coming from that out-of-the-box perspective."
—Christina Richmond
