Business Continuity Planning: Six Things CISOs Must Do Now

The unprecedented events that have pushed organizations to evaluate their business continuity planning brings up memories of my time working for the federal government, and remind me of a story that I'd like to share.

The emails and statements started coming in from the U.S. Department of Health and Human Services (HHS), the Centers for Disease Control and Prevention (CDC), and the Federal Emergency Management Agency (FEMA): A contagious virus threatened to upend the functions of the federal government.

My staff and I would be expected to work remotely for an indeterminate amount of time. Our services wouldn't be impacted that much, I thought, since many of us had laptops, and we all had mobile phones. We supported hundreds of remote sites around the country. Surely, we could operate as a distributed team during this time of crisis. And besides, we serve a technologically advanced, first-world country. How bad could an Ebola outbreak be?

Turns out, bad. And no, we couldn't operate well as a distributed team during that time of crisis. It was 2014, and it was only a drill. The Ebola scenario was a coordinated exercise of civilian and government readiness for operational continuity during a hypothetical viral outbreak. It was a test that we failed.

Not everyone in our department had laptops, let alone "fast enough" access to the internet from home. Cell phones, though prevalent, weren't suitable analogs for office desktop computers. Worse, though half the department was able to log on remotely, traffic overloaded the bottlenecked VPN, causing lag, delaying (or blocking) connectivity, and impacting productivity. (This was especially an issue with outlying hospitals trying to practice telemedicine.) We rationed equipment, shuffled work hours, and prioritized access. And our VPN still couldn't handle the overload.

This is not a drill

It's six years later. The human toll of the coronavirus outbreak cannot be measured, and right now, enterprises must focus on protecting the health of employees and community members. The top priority for all organizations must be to mitigate the risks associated with the spread of COVID-19. With that in mind, organizations now must do what they can to preserve enterprise productivity in a “new normal” of work away from the office.

Business continuity planning (BCP) should be (and ideally, should have been) a key component of your corporate strategy. But even if that's not the case in your organization, you can still do something about it.

The operational challenge: Enabling remote work for everyone

Right now, BCP is (by necessity) about telework. And that seems straightforward. If you can't work in the office, just work from home. Many IT organizations plan corporate network capacity to accommodate remote access for 20 to 30 percent of the workforce. But what happens when that grows to 100 percent? Overnight? IT leaders around the globe are learning that getting everyone online from home isn't a trivial exercise:

• More employees -- many more employees -- will use VPN to access corporate resources. Will your infrastructure be able to handle it? (Spoiler alert: No.)
• For an entire workforce to get online, you'll need an entire workforce with devices to get online. You know this already, but not everyone gets a work laptop, and not everyone has a suitable home machine that will work as a substitute. How many functional outdated laptops does your team have collecting dust in the old server room?
• You no doubt have collaboration tools for conferencing and instant messaging. But do you have enough licenses when everyone needs them?

The dark side of remote access: New threat exposure and employees “going rogue” for speed

There’s another more serious issue than remote-connectivity limitations. If your organization relies on VPN to access internal resources and/or internet egress, extending that access to a broader percentage (say, 100 percent) of your workforce dramatically increases your organization’s potential attack surface. The further distance corporate data has to travel, the more opportunities for compromise.

Compounding that, end users who are accustomed to Netflix-like download speeds at home will be frustrated when they encounter latency introduced by VPN constraints and MPLS backhauling. The risk is that they “go rogue” and bypass security controls in the “interest of getting the job done” faster, further exposing internal systems to outside attack.
 

Keys to enabling remote work: Prioritization, triage, and local internet breakouts

It’s time to change the way you think about security. This current unprecedented event is accelerating changes in how we access applications and data securely. Remote work must be enabled without compromise to security. But this doesn't mean less security, it means different security.

As a CISO, what can you do to facilitate remote work in the face of such connectivity and security challenges? In this newest “new normal,” you will have to make triage decisions:

• Prioritize work. What tasks are most important? What resources will be needed? What assignments can be postponed (or even cut)?
• Prioritize access. How can you align access with work priorities? What work requires always-on connectivity? What work requires occasional connectivity? You may have to provide “tiered” connectivity for employees based on their work priorities.
• Prioritize devices. Similarly, who gets the laptop? Linda in accounting? Fred in sales? Who has a greater need for that last portable machine?
• Ration collaboration apps. You’re going to need more licenses. In the short term, work with finance to reallocate “on hold” spending (say, business travel or events marketing) to enable remote work operations.
• Stagger work hours. If it comes to it, you may have to switch mission-critical work to graveyard-shift hours to overcome connectivity limitations.
• Deploy local internet breakouts. The cloud (and specifically, secure access service edge computing) offers hope: With employees connecting directly (and securely via inline security proxy) to resources, you reduce your attack surface and alleviate VPN bottleneck contention.

We are going to get through this. But we have to learn. (Back in my government days, we said “never let a crisis go to waste.”) Right now, nothing is more important than ensuring the health of your colleagues and community. And the best thing you can do as a CISO is to facilitate remote work.

Forgive the dispassionate cynicism, but enterprises that weather this storm will have a competitive advantage when it passes. And when your organization comes out the other side, don’t stop planning for business continuity. You’ll be better prepared if—perish the thought—there’s a next time.

Stan Lowe is the Zscaler Global Chief Information Security Officer