Priority 2: Refocus IT Risk Planning
Where IT risk management and business continuity planning are concerned, most businesses were playing catch-up in 2020. Even the most creative of risk forecasts at the start of the year could never have foreseen the extent of the disruption that was to come.
The start of 2021 is a time to refocus and redouble IT risk management and business continuity planning (BCP) to bring it up to the standards of our “new normal.” Indeed, if last year taught us anything it’s that no “black swan” should be off the table in terms of scenarios or possibilities for business disruption.
Now is the time to make Business Continuity and Disaster Recovery (BCDR) the priorities they should have been at the start of 2020! Get a grip on the risk landscape to help ensure IT readiness and drive business participation in continuity planning.
Signals of Change
- Seventy-five percent of companies reported supply chain disruptions in some capacity in 2020 (ISM).
- Fifty-seven percent reported longer lead times for China-sourced components from Tier-1 suppliers, with average lead times more than doubling compared to the end of 2019 (ISM).
- Ninety-three percent of survey respondents are undertaking contingency planning efforts to prepare for future disruptions to supply chains (Foley & Lardner).
- In October 2020, manufacturers’ and trade inventories were down 4% compared to the same period in 2019 (USCB).
- Reported cybercrimes have increased 300% during the pandemic (IMC Grupo).
- In IBM’s 2020 “Cost of a Data Breach” report, 70% of respondents said the shift to remote work would increase the cost of a data breach, and breaches in which remote work was a factor were estimated to cost an average of US$137,000 more than those in which it was not (IBM).
- While IT budgets are expected to decline overall, 55% of executives plan to increase cybersecurity spending this year, with 51% planning to add full-time cybersecurity staff (Forbes).
Drivers of the Priority
- The high cost of poor security and business continuity planning. As noted above, remote work is estimated to have added US$137,000 to the cost of the average data breach in 2020, and reported cybercrime rose 300% as a knock-on effect of the global health crisis. In a year when the spotlight will be on responsible, constrained spending, investments in security strategy, data privacy, disaster recovery planning, and risk and compliance should be seen as sound upfront investments that fortify the organization against far greater costs.
- Security risks are more in the spotlight than ever. The recent SolarWinds supply-chain compromise should have reminded us all that the health crisis is not the only very real global threat at the moment. As Klaus Schwab warned at the World Economic Forum’s Cyber Polygon event in July 2020, COVID-19 would be seen as a “small disturbance in comparison to a major cyberattack” (Lanceur-Alerte TV). With the level of discourse around cybersecurity heightened, and the threat from state-sponsored and criminal attackers a very real and palpable one, CIOs should get their security infrastructure in order.
- Continued supply chain disruptions. For global supply chains, 2020 was the most challenging year in living memory. Even before the health crisis began, events such as trade wars, Brexit uncertainty, and climate-related disruptions presented major challenges. By the spring, many supply chains worldwide had ground to a halt because of the pandemic. According to global supply chain specialist Bob Ferrari, “COVID-19 laid bare many of the cracks and fissures of existing industry supply chain business processes […] The ‘next normal’ [requires] a set of supply chain process […] for sensing and responding to continuous disruption or unplanned events.” (Supply Chain Matters)
- Technical exposure is spread across many points. From a security perspective, building resilience will require vigilance on several fronts at once. From increases in phishing scams and ransomware attacks, to a growing number of cloud breaches and attacks on IoT devices, to threats targeting workers’ personal devices that aren’t patched, managed, or secured centrally by IT, 2021 will see no shortage of cybersecurity threats.
- A lack of qualified cybersecurity staff. While enterprise executives are seeking to add cybersecurity personnel for 2021, the supply of skills to meet this demand is lacking. It is estimated that there will be 3.5 million unfilled cybersecurity positions globally in 2021 because of a shortage of qualified candidates, with the World Economic Forum recently declaring that “Nowhere is the workforce-skills gap more pronounced than in cybersecurity.” In the face of what some are already calling a cybercrime epidemic and others a cyber pandemic, IT departments will need to fight to attract a limited pool of qualified people or build up the skills internally.
- Location and facilities uncertainty. The ability to build resiliency through risk and continuity planning is hampered by the fact that many organizations don’t know where their staff will be working in 2021. For instance, where supply chain risks are concerned, we still don’t know whether we are building up inventories to meet the needs of work-from-home (WFH) or of a return to the office. It will likely be a mix of both for most organizations, but at this point the ratio of WFH to in-office time over the year is unclear.
Like the business benefits discussed in Part 2 of this series (“Appropriate Sufficient Budget Reserves”), prioritizing risk management and business continuity planning is an act that will likely go unnoticed and unsung within the organization. However, creating a secure technology environment and having replacement hardware and other supplies for your employees when needed will help better ensure business continuity when disruptions occur.
Call to Action
- Stay Ahead of the Cyberthreat Landscape. A weak or non-existent information security strategy will cause organizations to fall behind the curve in the evolving threat landscape. Developing a strategic approach to IT security for the year ahead will allow CIOs to avoid reactive postures to attacks as they present themselves, building an approach that will allow security teams to understand and overcome current gaps.
- Build an IT Risk Management Program. With an appropriate risk management program in place, security decisions are made strategically, on the basis of the organization’s own assessed risks, rather than on generic frameworks or gut feeling alone. This will make security planning and budgeting more defensible and more effective.
- Update or Develop a Business Continuity Plan. It is ISM Grid’s view that you don’t need to get caught up in an extensive risk analysis to get started with a business continuity plan. Rather than trying to predict everything that could cause a disruption, focus on how to recover, and keep BCP documentation concise and flexible.
- Create a Game Plan to Optimize Supply Chain Management (SCM). In the immediate future, formalize current inventories for technology supplies and predict future needs based on demand from previous years and assumptions about where the organization will be working in 2021. Longer term, develop a strategy for SCM that will strategically support the whole business. Formalize an approach that balances SCM across processes, people, and suppliers in alignment with organizational priorities and technical maturity.
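One concrete way to ground the risk management and budgeting decisions described above is a small quantitative risk register that ranks risks by annualized loss expectancy (ALE) and ranks candidate controls by return on security investment (ROSI). The script below is an added example and is not code from ISM Grid or this article; the scenario names, dollar values, frequencies and control costs in it are constructed for illustration only and are not figures from the page.

```python
"""Quantitative IT risk register: rank risks by expected annual loss and
rank proposed controls by return on security investment.

Added example, not part of the original article. All scenarios, asset values,
frequencies and control costs below are constructed placeholders.

Formulas used (standard quantitative risk analysis):
  SLE  = asset value x exposure factor           (single loss expectancy)
  ALE  = SLE x ARO                               (annualized loss expectancy)
  ROSI = (ALE x risk reduction - control cost) / control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # USD at stake if the scenario fully materialises
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure_factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset_value and aro must be >= 0")

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str             # name of the Risk this control mitigates
    annual_cost: float    # USD per year to run the control
    risk_reduction: float # fraction of the risk's ALE removed, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.risk_reduction <= 1.0:
            raise ValueError(f"{self.name}: risk_reduction must be in [0, 1]")
        if self.annual_cost <= 0:
            raise ValueError(f"{self.name}: annual_cost must be > 0")


def annualized_losses(risks: list[Risk]) -> list[tuple[str, float]]:
    """Return (risk name, ALE) pairs, highest expected annual loss first."""
    return sorted(((r.name, r.ale) for r in risks), key=lambda p: -p[1])


def rosi(control: Control, risks: list[Risk]) -> float:
    """ROSI for one control against the risk it mitigates.

    A negative value means the control costs more per year than the loss it
    is expected to avoid; a value of 2.0 means every dollar spent avoids
    three dollars of expected loss (net gain of two).
    """
    by_name = {r.name: r for r in risks}
    if control.risk not in by_name:
        raise ValueError(f"{control.name}: unknown risk '{control.risk}'")
    avoided = by_name[control.risk].ale * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def prioritize_controls(risks: list[Risk],
                        controls: list[Control]) -> list[tuple[str, float]]:
    """Return (control name, ROSI) pairs, best return first."""
    return sorted(((c.name, rosi(c, risks)) for c in controls),
                  key=lambda p: -p[1])


# Constructed sample register (illustrative numbers only).
RISKS = [
    Risk("Ransomware on file servers", 2_000_000, 0.40, 0.5),
    Risk("Phishing-led credential theft", 500_000, 0.20, 3.0),
    Risk("Unmanaged personal (BYOD) device compromise", 300_000, 0.25, 2.0),
    Risk("Supplier delay on replacement laptops", 150_000, 0.50, 1.0),
]

CONTROLS = [
    Control("Immutable offline backups", "Ransomware on file servers", 60_000, 0.60),
    Control("Phishing-resistant MFA", "Phishing-led credential theft", 40_000, 0.80),
    Control("MDM enrolment for BYOD", "Unmanaged personal (BYOD) device compromise", 50_000, 0.50),
    Control("Spare laptop stock", "Supplier delay on replacement laptops", 80_000, 0.70),
]

if __name__ == "__main__":
    print("Risks by annualized loss expectancy:")
    for name, ale in annualized_losses(RISKS):
        print(f"  {ale:>12,.0f}  {name}")
    print("Controls by return on security investment:")
    for name, r in prioritize_controls(RISKS, CONTROLS):
        print(f"  {r:>6.2f}  {name}")
```

Running it ranks the two largest exposures (ransomware and phishing) at the top and shows that the spare-laptop stock, while a reasonable continuity measure, has a negative ROSI at the assumed figures; that is exactly the kind of finding that turns a budget argument from gut feeling into a documented trade-off, and the inputs can be replaced with the organization's own estimates.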
ISM Grid develops a program of repeatable, data-driven IT engagements – demonstrating commitment to our client’s continuous improvement and success. Email firstname.lastname@example.org for assistance in implementing recommendations observed within this CIO Priorities series or for general assistance with enhancing your organization’s IT Management program.