As I write this, two things are happening simultaneously: The RSA Security Conference is in full swing and so is COVID-19 (coronavirus). It’s a strange juxtaposition. There is geographic proximity in that the conference is going on undeterred just a few blocks from where the mayor declared a state of emergency (during the event) due to the ongoing spread of the virus.
There’s also topical alignment since the RSA Conference, itself a pillar in an industry intimately concerned with risk management, makes starkly clear the risk management decisions made by the attendees at the event (as well as notable non-attendees like IBM, AT&T and Verizon.) In short, it’s an interesting split screen moment.
At first blush, it may seem morbid — or akin to fear mongering — to discuss these two things simultaneously. However, I think unpacking and examining it has practical value for security practitioners, in particular for those concerned with the broader topic of risk.
Specifically, it provides us with a rare window into the risk management decisions of both large and small firms, and it’s a reminder for security and risk practitioners about foundational but often overlooked elements of security planning.
Considering both of these aspects can help us hone our risk management efforts and improve our overall security posture.
Assessing Your Risk Appetite
Let’s start with the first one: what we can learn about the risk management calculations made by the firms that decided to attend (or pass up) the RSA Conference this year, specifically with reference to what it says about their risk appetite and ours.
It is beyond obvious to say that the decision to withdraw from the event could not have been easy for the organizations that did so. IBM, for example, is one of the larger players in the security products space: For the eleventh straight year Gartner named IBM’s QRadar in the leaders segment of its SIEM magic quadrant; IBM was slotted to be a platinum sponsor of the event (the second-highest sponsorship tier); and IBM owns subsidiaries that are relevant to the security community (notably Red Hat.)
While only IBM itself knows for sure the full business impact of its decision to withdraw from RSA, its calculation must have factored in significant direct and indirect financial loss. There is not only the direct loss of investments already made and resources already committed (e.g. costs incurred for printed materials, employee travel, shipping of materials, and employee time spent planning for the event), but also opportunity cost in the form of business not conducted, deals not closed, and customer interactions missed.
Given the fact that, at the time the decision was made, only a handful of COVID-19 infections were confirmed in the U.S., this tells us something significant about the risk management calculations these firms made.
Note that I’m not suggesting they were right or wrong in making the decisions they did. The same decisions may have been right for them but wrong for another firm. This is what makes it so interesting from a pure risk management point of view.
In particular, it’s interesting because many organizations don’t stop to consider their own risk appetite, either holistically or systematically. This leaves them scrambling when the time comes to make a hard call like this one. On one hand, there is the direct financial cost and the long tail of the opportunity cost; on the other, there are the potential liability ramifications if one or more employees become infected.
The point? Whether you’re a large, multinational firm employing a formalized risk management process or whether you’re a small startup figuring it out as you go, a thorough and workmanlike analysis around your own risk appetite is time well spent.
Cultivating the Preparedness Habit
The second area where I think we can learn is around the idea of ongoing preparedness. This one might be self-evident, but a moment like this can serve as a reminder and a call to action if preparedness documentation has sat on the shelf gathering dust for quite some time.
Specifically, it’s possible that we’re on the cusp of major disruption to business as usual. Depending on whom you ask, “possible” falls anywhere on a spectrum of very remote to an almost certainty — but it is inarguable to say that a pandemic could come to pass over a fairly short planning horizon.
Preplanning and preparation can mean the difference between calm, rational decision-making and last-minute scrambling or, worse yet, trying to wing it in the face of some crisis. Therefore, now might be a good time to take stock of what exactly your plan is if there is a large-scale outage or disruption to business.
This true whether or not you personally believe it is likely to come to pass. If it turns out that you have invested some time thinking through a scenario that doesn’t occur, you’ll be better off for the future.
This applies to business continuity planning generally, as well as pandemic planning specifically. It can include continuity considerations in the abstract: addressing questions like, “How will employees perform their duties if they cannot get to a physical location?”
It also can address more specific questions like, “What are the liability implications of requiring employees to come to a facility where they may become sick?”
Either way, by thinking these things through ahead of time we’ll be ready if we should we find ourselves in the worst-case timeline.
Note here that I’m not suggesting every firm needs a pandemic plan. I’m also not suggesting that you drop everything and try to cram in a major BCP exercise right now. Anyone who’s done one knows that a soup-to-nuts exercise takes months, and trying to conduct one in a systematic, adrenalin-free way before COVID-19 resolves, one way or the other, likely isn’t possible.
Instead, my broader message is twofold: 1) Any planning is good planning; and 2) What’s going on in the headlines is a good reminder why.