Kevin Brown, Vice President & Chief Information Security Officer, Boston Scientific (Moderator)
Ravi Thatavarthy, VP & CISO, BJ's (Panelist)
Esmond Kane, CISO, Steward Health Care (Panelist)
APRIL 2020
CISOs representing a portion of Boston’s largest companies met virtually to discuss business continuity amidst the unprecedented challenges of COVID-19. While Boston residents have been working from home for weeks, at the time of the town hall on April 1, Boston was not considered a coronavirus hotspot. Massachusetts state authorities predict a surge in cases in mid-April, inevitably creating stress for the health care system.
In this virtual gathering, participants discussed the resilience of their organizations in managing the crisis. To set the stage, Boston CISOs responded to a survey prior to the town hall indicating the following:
- 36% are continuing standard business operations at a reduced level, while 27% report little disruption and 23% are continuing business operations as normal.
- 60% expect to return to standard business operations in less than 3 months and another 27% said within 3-6 months.
- 60% report a high or extremely high impact on their organization’s revenue.
- 67% predict a high or extremely high impact on their organization’s budget.
The discussion was led by Kevin Brown from Boston Scientific, Ravi Thatavarthy from BJ’s Wholesale, and Esmond Kane from Steward Health Care. They represent different sectors and discussed the implications for their respective manufacturing, retail and healthcare industries. They shared some similar experiences and reflections on how their organizations are responding to the coronavirus crisis.
Securing the remote workforce
Most CISOs’ organizations had some ability to work remotely in place already, but none had a 100% remote workforce, much less one that had to be implemented on short notice. All reported that they had to immediately and broadly scale up their remote workforces. Challenges included how to source equipment and licenses, acquiring or prioritizing communication and collaboration tools, ensuring security for cloud applications, and enabling virtual desktop solutions.
Many digital transformation initiatives had already moved company solutions to the cloud, and VPN usage was becoming less important until the coronavirus situation forced organizations to scale it up. Workers who hadn’t previously needed laptops now needed equipment. Executives also hadn’t predicted which employees might have personal devices they could use at home in an emergency versus those who would not.
Each industry faces unique challenges as well. Health care organizations have additional requirements for maintaining patient confidentiality with a remote workforce and in transitioning to telehealth options. Retailers are managing an extraordinary surge in demand and traffic during consumer “stockpiling,” along with new requirements around cleanliness and social distancing. Manufacturers are answering the question: what if all employees can’t be remote? How can we shift work to keep employees safe and productive?
Don’t waste the crisis when it comes to accelerating digital transformation.
Communicating and staying connected
Executive communications have become extremely important over the past few weeks – both within the executive team and with teams and employees. For executive teams, many have an emergency response team set up along with daily standup meetings. Tools like Zoom and Microsoft Teams have been invaluable for communicating and collaborating. Some organizations have ramped up employee communications around remote work and cyber security, using education as one of their best defenses against phishing and other cyber threats.
Across the board, executives are thinking about how being 100% remote creates a new organizational culture requiring leaders to:
- Be flexible and adaptable, especially around families, kids, and pets that now populate the home workspace
- Boost morale and create team-building exercises and happy hours over virtual meetings
- Conduct more frequent, company-wide virtual town halls
- Check in with teams informally and regularly
- Share kudos and acknowledge the hard work and extra hours that have gone into their teams’ response to the crisis
Planning for next steps
It’s hard to see a return to normal business operations when the health crisis hasn’t peaked in the region. Unless an initiative is related to the coronavirus emergency response, it has to be placed on the back burner. Some businesses were anticipating a recession in 2020 already; now, CISOs are all thinking about the budget impacts of the measures that business continuity required. The COVID-19 responses have basically wreaked havoc on the plans that were in place for 2020.
In addition, cyber threats have not taken a break; in fact, they have escalated during a perfect storm for cyber criminals. However, CISOs also view this as an opportunity to show their organizations the value and importance of security.
As leaders in their organizations, they are also thinking about the long-term effects of remote work on recruiting and culture, what their approach is to a zero trust security posture, and how they will manage business continuity planning now that they have seen a bigger disruption than could have been imagined.
Thoughts from the community
The discussion about business continuity planning included a question about whether anyone had a pandemic on their radar. CISOs and their teams had planned for Boston snowstorms, a recession, or a manufacturing plant going down – but nobody expected something on this scale.
Several executives noted that continuity planning often involves a scenario in which one factory or one location is out of commission, not all locations and all employees globally. The extreme snowstorms of a few years ago in Boston created a somewhat similar situation in which people couldn’t get to work, but continuity planning can rarely account for all the pieces of the puzzle that are occurring with COVID-19.
In terms of how the CISOs are rating their organizations' responses, the consensus was they are doing okay, learning which areas need improvement, and adapting to a huge cultural shift taking place under their feet.