Software Engineering Institute

June 16, 2020—The COVID-19 pandemic has stretched organizations into unprecedented shapes, with shutdowns, furloughed employees, and remote workforces warping normal operations. As states begin to reopen parts of their economies, organizations face the equally unprecedented process of returning to normal, or perhaps a new normal. Matt Butkovic, technical director of the CERT Division's risk and resilience directorate, says there is a path forward, guided by what we already know about organizational resilience.

The first step is identifying an organization’s critical assets and the missions they support. The SEI's foundational process improvement approach to operational resilience management, the CERT Resilience Management Model (CERT-RMM), defines four asset types: people, facilities, technology, and information. "The COVID-19 crisis has impaired our people and our facilities, so it’s akin to a natural disaster," said Butkovic. However, most disaster plans did not anticipate that the event would affect everyone, everywhere. "Typically, you don’t have fires at all of your facilities at the same time, with little notion of when they’ll be put out. In that way, there are lessons to be learned from cyber events, which can affect all locations simultaneously."

During a cyber attack, an organization might keep its technology assets out of harm's way by modifying firewall rules. During the COVID-19 pandemic, most human assets are keeping out of harm’s way by staying away from the workplace. But not all safeguards can remain in place forever. "At some point, you've got to readdress that balance between protecting assets and sustaining operations," said Butkovic, though he stressed that people and technology are fundamentally different. "With human life, we can’t afford to make the mistakes we can in the digital world. This makes it imperative that you make the right decisions about protection."

Even after people are cleared to return to the workplace, many may continue to work remotely. Some big tech companies, such as Google and Facebook, have extended work-from-home for most of its employees through the end of the year, and Twitter plans to make the option permanent. "If businesses are like springs pulled out of shape, we may see the springs now bend and pivot in new ways," said Butkovic. "We’ve gone from bring your own device to, essentially, bring your own infrastructure."

"I think organizations are going to be challenged to do two things," Butkovic said. "One is to deploy and operate office-equivalent safeguards for the mobile workforce, and the other is to account for new types of attacks and threats on home networking devices that weren’t as prevalent before."

"The pandemic has made us fail open," Butkovic said, recalling the cybersecurity idea of a system's failure mode. "As we look to go back to work or to better secure this mobile, permanent remote workforce, we have to go from fail-open to fail-secure. We need to get back to some specific baseline of security we expect from all devices and all users."

“This is where the approach of the CERT-RMM is of great benefit,” said Butkovic. “We specifically designed it to address not just information and technology assets, but rather the interplay between those and the people and facility assets.”

CERT-RMM helps organizations identify the assets that support their critical services. “Now more than ever, organizations need to understand what their critical functions are: what is it you do, and what things do you use to do them?” As some workers return to the office and others stay home, the map of an organization’s assets, including its IT network, will grow in complexity. CERT-RMM and its related assessments can provide organizations with a roadmap to pandemic resilience, including business continuity and crisis personnel management. “CERT-RMM will help you understand the processes that are most important to ensure you’re identifying all the right pieces and applying security and resilience to them to ensure you can still meet your mission.”

Standards and guidance such as the NIST Cybersecurity Framework (CSF) can point organizations in the right direction. Butkovic also recommends the Department of Homeland Security’s Service Continuity Management, a supplemental resource guide to the department’s Cyber Resilience Review (CRR). The CRR is a no-cost, voluntary, non-technical assessment of an organization’s operational resilience and cybersecurity practices, co-developed by the SEI. “The service continuity resource guide is a really good starting point,” Butkovic said. “It walks you through step-by-step how to identify those key assets and how to determine what your recovery requirements are.”

Butkovic, who formerly developed disaster recovery plans for private industry, thinks many are awakening to the importance of developing business continuity strategies. “Arguably it’s more important than other technical strategies you might be developing,” said Butkovic. “I think COVID-19 is going to reframe where IT and cybersecurity investment go in the future.”

Butkovic points out that recovery from the COVID-19 pandemic may not look like recovery from other operational disruptions, and that organizations need to reconsider their process maturity. “Most likely, your organization is doing things in a different way now,” he said. “The question is, can you sustain those things? Doing things in an ad hoc manner is different from doing them in a mature, sustainable way.”

“We all got in the lifeboat,” Butkovic continued. “And in the lifeboat, you’re willing to make some tradeoffs about seaworthiness. But after you’re in the lifeboat for a few months, you start questioning, How reliable is this lifeboat? Could we actually capsize and lose everything? As we go from crisis mode to recovery mode, we have to think about setting a new baseline for our expectations and our capabilities.”

Learn more about the SEI’s work in enterprise risk and resilience at https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=20128.

Tune into a webcast on cyber resilience in the COVID-19 pandemic, by Butkovic and CERT Division Director Bobbie Stempfley, 11 a.m. to noon (EDT) on June 24 at https://www.eventbrite.com/e/organizational-resilience-in-a-time-of-crisis-tickets-109837470832.

Find hundreds of related publications, videos, and podcasts by searching for “cyber risk and resilience” in the SEI’s Digital Library at https://resources.sei.cmu.edu/library/.