IT Risk Management During a Pandemic

MSIT Adjunct Professor Tina Hauri talks about how COVID-19 has impacted the IT field and how Chief Information Security Officers and businesses have had to adapt.

Adjunct Professor Tina Hauri

Adjunct Professor Tina Hauri teaches students in Northwestern Engineering's Master of Science in Information Technology (MSIT) program about IT Risk Management, so the ongoing COVID-19 pandemic and its impact on the IT field has been a powerful and evolving case study her students can learn from in real time.

"The students have had an incredible front row seat to one of the most extensive and lengthy business continuity plan (BCP) exercises I’ve ever seen," Hauri said. "In many ways this has been a case study in resilience, both of systems and the human spirit."

Hauri, who is president of Bradford Garrett Group and served as Chief Information Security Officer (CISO) for Aon Corporation and the City of Chicago, previously shared why risk management is an important leadership skill. With the pandemic fundamentally altering how people work, Hauri took time to talk about how COVID-19 has impacted the IT field, how CISOs have had to shift their responsibilities during the pandemic, and what steps companies can take to improve their risk management.


What are the three biggest ways the pandemic has altered the IT industry? 

The most obvious shift is the remote worker. This has:  

  • redefined the needs for secure access, bandwidth and networks.
  • shifted the delivery and availability of applications, which is driving a record pace of migration to Cloud-based services of all types.
  • expanded the uses of personally owned computing devices and highlighted the importance of endpoint security plus the 24-7-365 monitoring of the devices.

The second, less apparent shift is that normal operating risks have changed as COVID-19 has introduced health/safety risks and business risks. In early 2020, many businesses found it necessary to dust off and implement their business continuity plans. Companies without a solid BCP that included a pandemic scenario with extended work-from-home (WFH) arrangements may have been caught flat-footed. At the same time, global risk levels to supply chain, revenue streams, core product and service availability, and delivery were elevated seemingly overnight.

A straightforward example is human resources departments that had to shift recruiting, hiring, summer internships, training, and even termination processes online. For HR, these are reflected in numerous changes to business processes, websites, training materials, employee handbooks, orientation, retooling applications to provide remote access versus on campus only, and changes to onboarding package delivery, completion, verification, and systems updates. 

The third major aspect is the scope, scale, longevity and global impact of this pandemic. COVID-19 has touched every aspect of people's lives around the world. Given the wholesale changes to work/life balance, travel restrictions, remote learning for students of all ages, WFH and the numerous challenges to returning to “normal,” many companies are contemplating permanent WFH situations. This signals a major shift in societal, cultural and familial norms — all facilitated via technology platforms both in homes and connecting out into the Cloud.

What are the biggest challenges a CISO faced prior to the pandemic?

Each CISO role is unique — driven by the industry, its regulatory and operating environment, and the reach and scope of the business. The maturity of the CISO organization is always an interesting barometer as well. A company with a first-time CISO has a steep ramp-up to effect cultural change, staffing, technical improvements, policy, and oversight, whereas a company seating a second or third generation CISO will be retooling skills, revising strategy, and improving communications, but is starting with some structure, governance, and organizational alignment.

As the pandemic wears on, how have CISOs had to evolve? 

The radical changes to the business climate have shifted how services are delivered, forcing security teams to evaluate and make recommendations for mitigating controls under incredibly short timelines. In these instances, CISOs have had to determine whether to upgrade or adopt and then manage new technologies to adequately secure endpoints, expand Secure Virtual Private Network (S-VPN) connectivity capabilities, review and test controls for applications being shifted to the various Cloud-based service platforms, and carry on “normal operations.”

The use of collaboration software has skyrocketed. This, coupled with allowing hundreds if not thousands of user-owned devices to connect to corporate networks, has made security teams find ways to permit and monitor them securely. Add to this the training to make sure users are securely running and attending thousands of Zoom and WebEx sessions, providing guidance to employees on how to assure the confidentiality and privacy of their work products at home, and increasing education and awareness sessions for users regarding the prevention of ransomware. It’s been an incredibly busy time for the security teams.

Why do businesses need to have a CISO, particularly given the current challenges facing society today?

In August 2020, Security Magazine reported that 61% of organizations have a CISO and that the pandemic has highlighted the need for securing the remote work sessions and being ready to implement effective BCP programs. The move to digital platforms and connectivity has highlighted the need for businesses to clearly understand their risks and partner with their CISO and risk management functions to apply mitigating controls commensurate with the changing risks being introduced in each aspect of the business.

Near the beginning of the COVID-19 pandemic, in April 2020, the World Health Organization reported a fivefold increase in cyberattacks. COVID-19-centered attacks have now been reported by Microsoft in every country of the world. These attacks have had multiple goals, for example: 

  • to harvest proprietary research around vaccine development
  • to compromise credentials to gain access to personally identifiable information
  • to get a user to open an email to click on an infected file and launch a Ransomware attack program such as Ryuk.

What are the most common mistakes you see companies making when it comes to IT risk management?

The most common area of misconception is that IT risk management is an insular issue. With the business leadership understanding and setting the tone from the top, risk management can become inculcated into the culture, the projects, programs, and processes. Since managing IT risk is an enterprise-wide endeavor, each person plays a role in understanding the core business, the operating environment, the inherent and residual risks to the business, how business processes either introduce risk or are designed to minimize risk, and finally, how each employee mindfully executing their specific duties and responsibilities can help keep risk at manageable levels.

What are simple steps a company could take to improve its risk management?

Since we’ve talked about the heightened number of cyberattacks globally and increases in Ransomware attacks specifically, following are several ways a company can improve their security posture. These are synthesized from my experiences, plus suggestions from the Cybersecurity and Infrastructure Security Agency and KPMG: 

  • Review the current Ransomware Response Playbook. If necessary, revise and run a tabletop exercise around a Ransomware attack occurring in this current WFH environment. Also, update all team members on the contact lists for 24-7-365 phone numbers.

  • Make sure to understand the company policy, preparedness, and capability to pay a ransom. Who are the legal department contacts and how can they be contacted 24-7-365?

  • Test and run system backup for all core business processes at every stage. In the event of a Ransomware attack, if it is necessary to restore from backup, it is critical to have current, timely and accurate restoration.

  • Verify that the patching processes being used are reaching your endpoints routinely, fully and in a timely manner. If certain endpoints are not being updated, how will this be handled? 

  • Make sure your incident response teams are equipped, trained, prepared and ready to travel if necessary, given COVID-19 restrictions. They may need letters confirming that they are “essential workers.” Make certain they will have the building and premises access needed to remediate the situation.

  • Consider staffing levels and necessary cross training in the event that key individuals are unavailable due to illness or quarantine. Many times core skills are held by only one person.

  • Determine how a “war room” will be established absent access to the Network Center or if usual conferencing capabilities are disrupted or inaccessible.

  • How will the company supply replacement hardware if company-owned devices are encrypted during a Ransomware attack? If not already using "bring-your-own-device," is the company equipped to securely enable this capability?

  • If corporate-owned devices have to be rebuilt and restored, how does the company plan to accomplish this, and what health and safety precautions need to be established?
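Two of the items above, confirming that patching is actually reaching every endpoint and that backups are current and have been restore-tested, lend themselves to a recurring check rather than a one-off audit. The script below is an added illustration, not code from the interview or from CISA or KPMG: it runs over a constructed device inventory (hypothetical hostnames and dates) and flags each device whose patch age, backup age or last restore test exceeds thresholds the tabletop team would agree on beforehand (the threshold values are assumptions).

```python
"""Readiness checks for a ransomware tabletop: patch coverage and backup restore tests."""
from datetime import date

# Thresholds a tabletop team would agree on beforehand (assumed values).
PATCH_MAX_AGE_DAYS = 30           # an endpoint must have received patches within a month
RESTORE_TEST_MAX_AGE_DAYS = 90    # a restore must have been exercised within the quarter
BACKUP_MAX_AGE_DAYS = {True: 1, False: 7}   # keyed by whether the system is business-critical

# Constructed sample inventory: hypothetical hostnames, not a real environment.
INVENTORY = [
    {"host": "wfh-laptop-01", "critical": False, "last_patch": "2020-09-28",
     "last_backup": "2020-09-30", "last_restore_test": "2020-08-15"},
    {"host": "wfh-laptop-02", "critical": False, "last_patch": "2020-07-10",
     "last_backup": "2020-09-30", "last_restore_test": None},
    {"host": "erp-db-01", "critical": True, "last_patch": "2020-09-20",
     "last_backup": "2020-09-25", "last_restore_test": "2020-05-01"},
    {"host": "hr-portal-01", "critical": False, "last_patch": None,
     "last_backup": "2020-10-01", "last_restore_test": "2020-09-15"},
]


def days_since(as_of, iso_day):
    """Days elapsed between iso_day and as_of (both ISO strings); None when no record exists."""
    if iso_day is None:
        return None
    return (date.fromisoformat(as_of) - date.fromisoformat(iso_day)).days


def assess(inventory, as_of):
    """Return {host: [issue codes]} for every device; an empty list means the device is ready."""
    findings = {}
    for dev in inventory:
        issues = []

        # Patching: a missing record is its own finding, since "no data" is not "patched".
        patch_age = days_since(as_of, dev["last_patch"])
        if patch_age is None:
            issues.append("patch_unknown")
        elif patch_age > PATCH_MAX_AGE_DAYS:
            issues.append("patch_stale")

        # Backups: critical systems are held to a tighter recovery-point window.
        backup_age = days_since(as_of, dev["last_backup"])
        if backup_age is None or backup_age > BACKUP_MAX_AGE_DAYS[dev["critical"]]:
            issues.append("backup_stale")

        # Restore tests: a backup that has never been restored is not yet a recovery capability.
        restore_age = days_since(as_of, dev["last_restore_test"])
        if restore_age is None or restore_age > RESTORE_TEST_MAX_AGE_DAYS:
            issues.append("restore_untested")

        findings[dev["host"]] = issues
    return findings


def summary(findings):
    """Count how many devices carry each issue code, for the tabletop's opening slide."""
    counts = {}
    for issues in findings.values():
        for code in issues:
            counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    result = assess(INVENTORY, "2020-10-01")
    for host, issues in result.items():
        print(f"{host:14s} {'OK' if not issues else ', '.join(issues)}")
    print(summary(result))
```

In practice the inventory rows would come from the patch-management and backup tooling's own exports; the value of the check is that it turns "are backups current?" into a per-device answer that can be reviewed on the same cadence as the playbook itself.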

What can MSIT students learn about risk management from how companies have reacted to the challenges brought on by COVID-19?

As IT professionals, the students have been fully engaged in the many projects that I've referred to, so they have gained insight into how prepared companies were for a pandemic scenario via their BCP program. From a repeatability and sustainability perspective, they have learned how well documented, understood and clear business processes and supply chains were because with COVID-19, many had to be revised, rewritten and redirected in very short order. They have learned how to effectively work across virtual teams and conduct impactful meetings, sharing documents and plans across time zones and the hastily introduced collaboration platforms.
