Avoid central points of failure or compromise. This fundamental tenet of information security applies not only to systems and networks, but to individuals during a time of pandemic.
Key cyber security staff, more often than not, possess singular knowledge of an organisation's infrastructure, including credentials. What happens if Covid-19 incapacitates a critical member of the security team for an extended time or worse?
While the odds of any given individual winding up in the intensive care unit because of Covid-19 is small, given a large enough employee pool a certain number will inevitably become severely ill. Ensuring that no individual's absence grinds a business to a halt should be top of mind for every security leader right now.
"Robust pandemic planning is a little grim," a business continuity planning (BCP) manager at a financial services company tells CSO, "but you have to take stock of your current employee count in each position and determine what level you can safely operate at in contingency mode." The BCP manager requested not to be named, as they were not authorised to speak to the press.
Redundancy of skills and access to information--including credentials, processes and project status updates--is essential for your security team to weather the coming storm.
Here are four steps business leaders can take now to prepare.
Write down those passwords
Security staff often hold the "keys to the kingdom." Make sure more than one person has access to those keys, or can gain access to those keys quickly, if the primary key owner gets taken out of action.
In a mature organisation, this might be accomplished using pluggable authentication modules (PAMs), or for smaller organisations using a shared password vault such as LastPass or KeePass, or even using a master paper notebook stored in a safe.
Don't forget about multi-factor authentication (MFA) redundancy. Make sure multiple people possess soft authentication token or U2F keys. Those shared passwords won't be very useful if an incapacitated employee can't unlock their phone or inform where their Yubikeys are.
Document the status of current projects
Ensure staff who are working in the trenches frequently document their current status and share that information with other team members. If a key employee goes down, a business need others to be able to pick up the ball and run with it.
"It is also critical for staff to document projects and in-progress activities, ideally in a shared location (with appropriate privacy and sensitivity limitations)," David Longenecker, security operations manager at chipmaker AMD, advises.
"Train staff to include key points of contact in this documentation. Not only does it help the staff member keep track of what they are working on, but it gives the person unexpectedly taking over a place to start." Longenecker emphasised that he was speaking on his own and not on behalf of AMD.
Check continuity of operations plan (COOP)
Redundancy, redundancy, redundancy.
For each critical job function, ensure more than one person can perform that role in a pinch. FEMA guidelines offer sound general advice in this regard, though not specifically to cyber security professionals.
"For each essential function, there should be a primary person, and then up to three back-ups if the primary person is not available," Ben Yelin, program director, Public Policy & External Affairs, at the University of Maryland Center for Health and Homeland Security (CHHS), tells CSO. "As part of the COOP planning process, you should make sure that the back-ups have the same institutional knowledge as the person with primary responsibility for that function.
"Of course," Yelin adds, "this is easier said than done. Many organisations run into situations where there is only one employee with the proper expertise and credentials. The whole point of continuity planning is to make sure there are those redundancies in place during an emergency."
Job rotation and job shadowing
Take concrete steps now to put that redundancy in place. Job rotation and job shadowing--a good idea during the best of times--are concrete, specific steps that can be put into place today, Longenecker tells CSO.
"I'll have hand-picked staff sit in on meetings and decision making so they become familiar with how critical processes are handled," Longenecker says. "That way if they need to step in on short notice, they aren't coming in cold."
The Covid-19 situation is going to get worse, maybe a lot worse, before it gets better. Batten down the hatches and get teams working together closely--if not in actual physical proximity--as much as possible over the next couple weeks. Greater collaboration will be key to surviving the catastrophe on the horizon.
"I'm wrestling with this first-hand, so I'm giving you some perspective from the front line as it were," Longenecker says.
Do you have a story from the frontlines to share? Reach out to this reporter at firstname.lastname@example.org