With the benefit of 20/20 hindsight, San Francisco CISOs have come to the realization that they must quickly learn from their experiences during COVID-19 regarding communication, business continuity and resiliency. No one can say they were 100% prepared to function during a pandemic, but the ability to quickly pivot, take decisive action and support their teams has proved critical to keeping their business functional.

While a large portion of these businesses was already set up for remote work, CISOs have been faced with increasing that functionality for those that were not already equipped to work in this new paradigm. Most leaders would likely agree that flexibility is key and communication is paramount while leading a remote workforce that is facing unparalleled stress and uncertainty. 

In this virtual gathering, participants discussed the resilience of their organizations in managing the crisis. To set the stage, San Francisco CISOs responded to a survey prior to the town hall indicating the following:

36% are continuing standard business operations at a reduced level

73% expect to return to standard business operations in less than 3 months 

31% report a high impact on their organization’s revenue

38% predict a high impact on their organization’s budget

This virtual panel was moderated by Al Ghous, CSO and Head of Security at ServiceMax. Ghous was joined by Kevin Clark, Director of Security Operations at Slack and Gene Chen, CISO at Synaptics Incorporated. Their industries face different challenges, but the key components for operating during this crisis are nearly universal.

Immediate Pandemic Response

CISOs have dozens of scenarios they can prepare for, and the use of Red and Blue team exercises keep the team sharp and prepared for likely scenarios. That said, how detailed was the pandemic preparedness plan? Was there a specific pandemic preparedness plan? Answers vary, but a common theme is that even with a plan in place, there is a continual need to adapt to a rapidly evolving situation. This crisis certainly caught some off guard, and decisive action from executive leadership has become the benchmark for success during these times.

For many, transitioning to a remote workforce, for those that are able to work remotely, was adopted quickly. California was the first state to enact a shelter in place order, but some organizations had already taken action prior to the official order. These early actions were taken, in part, because of the global nature of the business and learning from their organization’s operations overseas. Securing a newly remote workforce, enhancing VPN capabilities and ensuring employees have proper technology at home offices were the top priorities for CISOs to address in the first few weeks of the pandemic.

Executive Leadership During Crisis

Successful leadership during a pandemic requires flexibility, communication and a “people first” mentality. For many organizations, this has been a galvanizing experience and a true test of executive leadership. Weekly all-hands meetings, virtual happy hours, flexible schedules and an understanding that pets, children and spouses might make the occasional guest appearance have become the new normal.

Trends in the threat landscape have shifted to prey upon the fears people now have. CISOs are regularly communicating about the influx of COVID-19 phishing emails, tips to secure your home router and reminders about personal cyber hygiene. Transparency and availability to the larger workforce through video conferencing and information exchange are keeping cybersecurity and cybersecurity policies at the forefront.

Future Planning

In the digital age, the need for cybersecurity will, at worst, remain constant and, at best, follow a growth trajectory. Some CISOs have described the current environment as “business as usual” because they have the inherent ability to work remotely and the need is ever-present, pandemic or not. However, a remote workforce does pose unique challenges to daily operations like patching and password resets and also introduces unknown variables when personal devices are given access to their networks.

The pandemic has brought a mixed bag of business impacts. Some are seeing a substantial increase in business and an existing infrastructure that supports their initiatives. Others have had to lay off or furlough the majority of their staff and severely reduce operations. With no end date in sight, communication and flexibility remain the top priorities of the executive leadership teams.

Organizations are going to suffer in resiliency at the human level, not the systems level. The biggest challenge will be how employees are coping. Mental health care, remaining virtually connected, flexible scheduling and a people-first approach give employees a lot of comfort and should continue to be prioritized.

Thoughts from the Community

Maintaining open lines of communication, continuing to innovate and remaining connected to employees and customers will contribute to future success. Given the current state, normal is a relative term; there appears to be general consensus that when the pandemic clears there is no “normal”; rather, there will be a “new normal.”

Educating staff and instilling cybersecurity values and policies across an enterprise organization is no easy feat under normal circumstances, and COVID-19 has added several variables that CISOs must work to address. Business continuity plans are being stress-tested, and organizations are being forced to look under the hood to see how prepared they were to handle this type of crisis. There was a spectrum of preparedness, but that also paved the way for innovation. How well did organizations respond to the pandemic is an excellent question, but a more relevant question is, how well will your organizations continue to respond?

by CISOs, for CISOs

Join the conversation with peers in your local CISO community.