IT organizations, especially those that were a bit too lax about resiliency and business continuity, had a rude awakening in the face of COVID-19 as they scrambled to deliver a rapid-response remote work plan.
Traditional enterprise IT resiliency and business continuity plans aren’t set up to respond effectively to 100-year-type events like a global pandemic, which touched every employee and every corner of organizations. Business continuity and IT resiliency roadmaps that focus on the creation of “level 4” recovery options in different regions, or are limited to bringing specific teams or geographic locales back online, were not really designed to ensure secure, work-from-home capabilities for every employee.
Despite these extreme circumstances, many enterprises fared surprisingly well during the COVID-19 transition, a recent #IDGTECHtalk Twitter discussion revealed. There were cultural hurdles and a fresh batch of security challenges to tackle, including a rise in insider threats, problems surrounding shadow IT, and disruption to standard security best practices. However, the exercise also refocused IT organizations on the importance of business continuity and disaster recovery (BC/DR), with most shoring up and refining plans as they exit crisis mode and launch into continuous improvement.
“If you didn’t have plans, you now realize you need them,” said Arsalan Khan, a speaker and blogger on business and digital transformation. “If you had plans, you now realize you need to test them. If you tested plans, you now realize you have to update them. And by the way, the business should be on board to provide the budget.”
Preparing for a global pandemic
Asked what they could have done better, participants in the Twitter chat had a wide range of suggestions. Taking a proactive and long-term stance to BC/DR planning was a key takeaway, along with the need to design IT infrastructure for flexibility and adaptability. Another important point: Don’t bake business continuity and resiliency into specific assets; instead, make it a framework of decisions and criteria that is regularly tested and that can lead the business.
“Few companies had a binder marked ‘global pandemic,’ but many had policies that called for annual DR testing that they didn’t enact,” said Kayne McGladrey, CISSP and cybersecurity expert. “Teams play how they train, but not having table-topped crisis communication, DR/IR hurt response.”
AI and automation have a role to play, but they’re not quite there yet
While much has been made about the role of AI and automation in bolstering security and helping enterprises remediate vulnerabilities and interruptions to digital business operations, most #IDGTECHtalk participants said it is still early days for those technologies.
“I think [AI and automation] are about five years away from overall use for most companies,” said Ben Rothke, an information security manager at Tapad. “It has a lot of potential within infosec, but many solutions are hype and they do take time to implement.”
Best practices for a more resilient future
Moving forward, chat participants advocated for evolving DevOps and agile practices to aid in more responsive IT resiliency. They also emphasized the need to build out a robust bench of security and operations talent and to make sure the culture promotes security and resiliency as everyone’s problem—not just IT.
Most of all, experts said the COVID-19 experience should be a lesson that companies need to make IT resiliency and business continuity a continuous process and not wait for perfect. “IT resiliency isn’t an all-or-nothing game,” said Wayne Anderson, a security and compliance architect with Microsoft’s M365 Center of Excellence. “Make incremental improvements and build a business case for the ‘big whack’ at the systemic problems.”
This Twitter chat was sponsored by ServiceNow. Please join the #IDGTECHtalk Twitter chat that occurs every other Thursday on Twitter at 12pm ET.