Building redundancy into security teams
Here are some positive steps to ensure that at this critical time, your security teams are best organised to deal with the situation.
Avoid central points of failure or compromise
This fundamental tenet of information security applies not only to systems and networks, but to individuals during a time of pandemic. Key cybersecurity staff often possess singular knowledge of an organisation’s infrastructure, including credentials. What happens if Covid-19 incapacitates a critical member of the security team for an extended time – or worse?
While the odds of any given individual winding up in the intensive care unit because of Covid-19 are small, given a large enough employee pool a certain number will inevitably become severely ill. Ensuring that no individual’s absence grinds your business to a halt should be top of mind for every security leader right now.
“Robust pandemic planning is a little grim,” a business continuity planning (BCP) manager at a financial services company told CSO, “but you have to take stock of your current employee count in each position and determine what level you can safely operate at in contingency mode.” (The BCP manager requested not to be named, as they were not authorised to speak to the press.)
Redundancy of skills and access to information – including credentials, processes and project status updates – is essential for your security team to weather the coming storm.
Write down passwords
Security staff often hold the ‘keys to the kingdom’. Make sure more than one person has access to those keys, or can gain access to those keys quickly, if the primary key owner gets taken out of action.
In a mature organisation, this might be accomplished using pluggable authentication modules (PAMs), or for smaller organisations using a shared password vault such as LastPass or KeePass, or even using a master paper notebook stored in a safe.
Do not forget about multi-factor authentication (MFA) redundancy. Make sure multiple people possess soft authentication tokens or U2F keys. Those shared passwords will not be very useful if an incapacitated employee cannot unlock their phone or tell you where their YubiKeys are.
Document the status of projects
Make sure staff who are working in the trenches frequently document their current status and share that information with other team members. If a key employee goes down, you need others to be able to pick up the ball and run with it.
“It is also critical for staff to document projects and in-progress activities, ideally in a shared location (with appropriate privacy and sensitivity limitations),” David Longenecker, security operations manager at chipmaker AMD, advises. “Train staff to include key points of contact in this documentation. Not only does it help the staff member keep track of what they are working on, but it gives the person unexpectedly taking over a place to start.” (Longenecker emphasised that he was speaking on his own and not on behalf of AMD.)
Check your continuity of operations plan (COOP)
Redundancy, redundancy, redundancy.
For each critical job function, make sure more than one person can perform that role in a pinch. The US FEMA guidelines offer sound general advice in this regard, though not specifically to cyber security professionals.
“All COOP plans, per FEMA guidelines, should have succession plans,” Ben Yelin, programme director, public policy and external affairs, at the University of Maryland Centre for Health and Homeland Security (CHHS), told CSO. “For each essential function, there should be a primary person, and then up to three backups if the primary person is not available. As part of the COOP planning process, you should make sure that the backups have the same institutional knowledge as the person with primary responsibility for that function.”
“Of course,” Yelin added, “this is easier said than done. Many organisations run into situations where there is only one employee with the proper expertise and credentials. The whole point of continuity planning is to make sure there are those redundancies in place during an emergency.”
Job rotation and job shadowing
Take concrete steps now to put that redundancy in place. Job rotation and job shadowing – a good idea during the best of times – are concrete, specific steps you can put into place today, Longenecker told CSO.
“I’ll have hand-picked staff sit in on meetings and decision making so they become familiar with how critical processes are handled,” Longenecker said. “That way if they need to step in on short notice, they aren’t coming in cold.”
The Covid-19 situation is going to get worse, maybe a lot worse, before it gets better. Batten down the hatches and get your team working together closely – if not in actual physical proximity – as much as you can over the next couple of weeks. Greater collaboration will be key to surviving the catastrophe on the horizon.
“I’m wrestling with this first-hand, so I’m giving you some perspective from the front line as it were,” Longenecker said.
IDG News Service