Cybersecurity leadership principles: Lessons learnt during the COVID-19 pandemic to prepare for the new normal

Principles and Recommendations

Introduction

The world is experiencing an unprecedented crisis that is causing chaos in the global economy, disrupting supply chains and transforming society. The new reality is accelerating business model transformation faster than ever before, as organizations fight to survive a crisis for which no one was prepared.


The COVID-19 pandemic is having a dramatic impact on society and has forced everyone to become heavily reliant on the internet and its digital economy – what would normally have taken years has now occurred in months. The situation has highlighted the intrinsic systemic issues at the juncture of digital infrastructure, economy, geopolitics and privacy that mainly relate to the unprecedented pressure on the digital architecture and supply chain dependencies. If these are not addressed in a holistic manner, the escalating risks may have a domino effect that is likely to impact critical functions and industry ecosystems globally.

The large-scale adoption of remote-access technologies to enable work-from-home practices, with greater reliance on cloud services, enables companies to continue operations and reduce costs in conditions of social distancing and “stay-at-home” orders from government and/or employer. It is also reshaping the digital landscape and architecture while straining supply chain resiliency and cybersecurity operations with the escalating risk.

This confluence of forces is likely to impact critical functions and the broader industry ecosystems globally:
– Working from home or remotely has increased the attack surface exponentially and opened multiple vectors for cyberattacks through the heightened dependency on personal devices and residential networks
– Social engineering tactics remain very effective on a workforce that is distracted and vulnerable
– Maintaining the cyber resilience of a highly interconnected supply chain becomes even more challenging
– Rapid deployment of new services, mostly cloud-based, and changes to the network architecture may bypass important risk-assurance steps and expose the broader ecosystem
– Critical business assets and functions are significantly more exposed to opportunistic and targeted cyberattacks by criminal organizations and nation states seeking to take advantage of rising vulnerabilities
– Essential critical infrastructure services, such as hospitals, are under acute pressure and have been hit particularly hard by new forms of ransomware aimed at disrupting vital services

It is imperative that leaders strategically manage information risks, work towards a culture of shared cyber-risk ownership across organizations and take a strategic approach to cyber resilience. Effective cyber resilience requires a combined and aligned multi-disciplinary effort to move beyond compliance to cohesive business and digital enablement.

Businesses need to consider cyber resilience from a business perspective, looking at the cyber element of operational risks to their business as they become increasingly dependent on the internet and digital channels. They also need to adopt a resilience mindset of how they would respond to and recover from any major cyber event.


The following principles will help organizations to shape a responsible course of action that balances short-term goals against medium- to longer-term imperatives:

1. Foster a culture of cyber resilience

Resilience is first and foremost a leadership issue and is more a matter of strategy and culture than tactics. Being resilient requires those at the highest leadership levels to acknowledge the importance of proactive risk management and to focus more on the ability of the organization to absorb and recover from a cyberattack that would disrupt essential services.

2. Focus on protecting your critical assets and services

Businesses will have to prioritize resources and investments for the most essential areas to maintain operational continuity, protect critical digital assets and ensure compliance.

3. Balance risk-informed decisions during the crisis and beyond

Businesses are making changes to their operating model and technology landscape at an unprecedented scale and pace, which will require some risk trade-offs as they adapt and respond urgently to the crisis. However, as they enter the new normal, they will need to reassess the digital dependencies and risks accrued in order to restore their risk profile to an acceptable level.

4. Update and practice your response and business continuity plans as your business transitions to the new normal

This crisis has reminded business leaders of the importance of regularly adapting and testing their response and resilience plans against different disaster scenarios (including pandemics) together with their key suppliers and business partners. This includes using these tests to challenge assumptions (such as recovery times) and to develop means to measure resilience, response, recovery and the other key capabilities needed to anticipate, withstand, recover from and adapt to adverse conditions, attacks or compromises on systems that are enabled by cyber resources.

5. Strengthen ecosystem-wide collaboration

Partnerships and collaborations on cyber resilience between public- and private-sector peers across the ecosystem are essential in facilitating the transparent sharing of information, and they should move beyond mere subscription towards more active engagement.

The principles in this document are a preliminary response to the unfolding crisis. They are intended to guide leaders specifically responsible for cyber resilience, as well as other business leaders. While businesses may have to adjust measures according to different policy environments, these concepts can provide a framework for a responsible course of action at this pivotal period.