COVID-19 – Out of Crisis Comes Opportunities for Digital Transformation
Corona Virus - Silver Linings for Digital Transformation
While the Corona Virus (COVID-19) has brought unimaginable turmoil, human loss, and significant economic impacts to the world, there is a silver lining resulting from changes that will fundamentally transform how many people work, today and into the future. While a global pandemic is the cause today, it could be something else tomorrow that disrupts lives worldwide. Thus, lessons learned from this event can be extrapolated and reused.
In many organizations, the impacts of the Corona Virus on the workforce will accelerate technology, process and policy changes that will permanently enable a more mobile, secure and effective workforce. It is possibly the one positive that can come out of this global seminal event in our lives. Organizations must seize the opportunity to examine their processes and “no fail” missions and see how those can be better done using a remote and distributed workforce on secure, robust, reliable, and scalable Information Technology (IT) and Operational Technology (OT) systems. The challenges in addressing this are both technical and human.
“No Fail” Missions
The starting point for all organizations across the spectrum (government, commercial, non-profit, academic, etc.) is to first have an understanding of their “no fail” missions, those that must continue for the organization to survive and meet its obligations. That must be accompanied by a deliberate digital strategy that supports those missions in a new distributed workforce framework. This includes a mapping of systems, data, personnel and processes to those “no fail” missions, then an understanding of the cyber key terrain that supports them, what the organization’s policies and funding are to maintain and operate that terrain, and what access to the terrain, specifically data and applications, employees need to contribute their portion of effort to sustaining the “no fail” missions even in times of crisis.
The Corona Virus has stress tested this for many organizations and those that were unprepared quickly discovered that their policies, infrastructure, personnel, and operations were not able to support their “no fail” mission by remote workers. The push to work from home created new challenges across organizations where it had not been in place or only used on a limited basis. There were many reasons for this lack of a means to execute – poorly funded or insufficiently scaled infrastructure, badly written or executed policies and processes, lack of training and preparation of the workforce, and in many cases the barriers were cultural: “I need to see you in the office doing the work”.
In some organizations this was exacerbated by employees who were not comfortable as digital natives themselves being responsible for the budget or policy needed to put a new digital workforce framework in place. Boundaries were not pushed and everyone fell into a comfort zone that became an unfortunate choice when quarantines and social distancing imposed unforeseen requirements on an unprepared workforce. While it is too late to play catch-up and ensure resiliency and continuity of operations in the short term, leadership must consider several key aspects for a deliberate and effective long-term digital strategy: Technology, People, Process and Policy, Resourcing, and Training.
Information Technology and Cybersecurity as Part of an Effective Digital Strategy
Technical considerations fall into two broad categories, Information Technology (IT) and Cybersecurity. On the IT side, employees must have the tools, bandwidth, and access to data and applications that they need. Proper scaling of the IT infrastructure to support a massive increase in the volume of employees working remotely, with sufficient network capacity for a surge, is a prerequisite (e.g., Remote Access Servers, Virtual Private Network servers, the ability to authenticate remote users, and collaboration tools and suites with the capacity to handle a surge).
In the short term, what barriers in policy should be eliminated until infrastructure can be upgraded or properly scaled (e.g., whitelisting streaming video or audio from certain sites, users accessing only specific sites, applications or data, removing administrative barriers, and transitioning more data quickly and securely to commercial cloud providers who have a greater ability to rapidly scale data and collaborative services)? Organizations need to “wargame” these types of actions to challenge their assumptions, determine the second and third order effects of their operational plans, and decide whether the risk is acceptable when weighed against the risk of inaction. That message needs to be communicated, in layman’s language, not “dolphin-IT-speak,” outside IT channels to Chief Operating Officers and others in leadership for corporate risk decision making.
In reconsideration of policy there are productivity and legal considerations. Do current policies and capabilities on the network ensure cybersecurity for a Bring Your Own Device (BYOD) endpoint if workers will be allowed to use those, or will only organizationally provided devices be authorized? What are the legal implications of using an employee’s BYOD if there is a cybersecurity incident, or merely from a performance standpoint if the device is not up to snuff or the local WiFi/broadband connection is insufficient? This becomes more important when processing Personally Identifiable Information or organizationally sensitive intellectual property. Is monitoring and scanning for viruses and malicious behavior scalable and extendable to that remote edge? If not, what can be added quickly to the enterprise to help with that? How are incidents detected and responded to?
Process Excellence and Digital Strategy
Process considerations are up next. They primarily focus on the people aspect, where training and adherence to cybersecurity hygiene in the remote framework are key. As noted, having an agreed upon digital strategy and understanding of “no fail” missions that can be executed remotely is a critical component. This is supported by the means and policy to support access by remote workers to information/data sources and applications for those missions.
Workers must be trained on those processes for gaining and sustaining access, on what happens when there is a network impact that limits remote work productivity, and on the cybersecurity processes they need to execute their work securely (use of Virtual Private Networks, encryption, Multi-Factor Authentication, biometrics, endpoint patching, etc.). This includes a sustained and leadership-endorsed cyber hygiene campaign that focuses on good behaviors like how to avoid phishing and other malicious activity they may be more susceptible to on their own internet connections using their BYOD.
Organizations must hold employees accountable for their cyber hygiene and reward those that perform well. Chief Information Security Officers should keep informed of cybersecurity standards and industry best practices set for capabilities used in remote work by recognized standards bodies like the National Institute of Standards and Technology (NIST). NIST has published guidance on telework (Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security), and lessons learned from the Corona Virus will lead to more standards after the dust settles.
Finally, for leadership, how will you measure success? What metrics will you use to judge if productivity and cybersecurity can be improved or at least done at the same level as brick-and-mortar operations? These will in many cases be subjective and qualitative, particularly for actions that have traditionally been “in person” in the office environment, like spontaneous collaboration, but metrics and means should be established and implemented to help track what works well and what needs more creative solutions or processes applied.
There also needs to be a complete look at what policies are currently in place to determine if they make sense for this new virtual workforce or if the digital strategy and organizational policy and procedures need to be significantly changed. Perhaps a wave of transformation in a sea of bad news out of the Corona Virus (COVID-19) pandemic is that work as we know it today in many organizations is fundamentally transformed permanently, building a more agile, mobile, secure and effective workforce.