The coronavirus pandemic changed the way businesses operate across the globe, seemingly overnight.
Were you prepared with a Business Continuity Plan (BCP), or did you find yourself scrambling for answers amidst the crisis?
What is it like to do business continuity planning during COVID-19?
Milinda Rambel Stone is Vice President and CISO for Provation Medical, a company that implements software in hospitals. Talk about ground zero during the pandemic.
She recently explained to us how she adapted the company's business continuity plan in the middle of the COVID-19 response. We spoke to her in our series of daily online briefings, called the SecureWorld Remote Sessions.
Fortunately for Rambel Stone, her team was already defining a BCP and had the structure in place. With Provation Medical based in Minnesota, most of the scenarios were weather related. For example, what happens if a big storm sweeps through and no one can come to the office?
However, when the team took notice of what was happening in China back in December, they decided "pandemic" should be added to the list of scenarios in their plan.
"We identified that there was a high level of risk around it, and identified it would be wise to add it in," Rambel Stone shared. "We had hoped it would never be called to implement, but we would at least have the structure in place so that if we ever needed to, it would be there. What we didn't anticipate is that it would get called to be implemented so quickly."
The very afternoon her team added "Pandemic Planning" to their business continuity plan, the team was asked to implement it immediately.
What are challenges of implementing a business continuity plan?
Although her team had a foundation in place, Rambel Stone explains that it was still a huge endeavor to move forward. New technologies had to be added, an HR perspective had to be added, and her team had to identify the gaps and quickly prioritize them.
Since Provation Medical provides and implements software inside hospitals, the company was forced to shift gears drastically to keep operations going amid coronavirus concerns.
With social distancing requirements, the company had to begin implementing software remotely in a digital fashion.
Simultaneously, Provation Medical's employees transitioned from the office environment to a remote workforce.
Finally, Provation Medical acquired another company at the beginning of the year, so Rambel Stone's team had to get all of the acquired company's documentation and incorporate it into their entire response plan within a week.
Those are a lot of moving parts!
What are key components of a business continuity plan?
During the SecureWorld interview, Milinda Rambel Stone identified four essential elements to consider in your business continuity plan:
- Identify your cybersecurity controls
- Understand your core business operations (processes)
- Identify your stakeholders (who are the key decision makers?)
- Understand your risks
"It's also devising a playbook, so that if you ever need to implement any portion of your Incident Plan or your BCP, you can call it and work it through the steps," she said.
She also explained that her team had been performing monthly tests against their BCP that helped them identify gaps and tweak items from the results.
Rambel Stone recommends creating a cross-functional business continuity team made up of cybersecurity, HR, communications, customer service, and others which make sense for your organization. It is important to have someone involved from each department across the organization so everyone can be represented.
What are the steps for testing a business continuity plan?
- While the plan is being implemented, during the pandemic, her team met as a task force every single day of the week (including the weekends), updating and refining documentation continually.
- They look at the plan holistically, and in terms of who are the partners and identifying who to work with to get the pieces filled out.
- Since Provation Medical is an employee-driven company, internal communication is important.
- They go beyond communicating with the cybersecurity team. Reporting to executives and the rest of the company is equally important.
What about the people implementing a business continuity plan?
If the BCP is being implemented because of a crisis even, it is possible the people implementing it are also in crisis mode.
Understanding how to manage people during a crisis by maintaining a sensitivity around what people may be going through was key for her team.
"Thinking about COVID-19, we had to ask ourselves, 'How do we run the business at the same time we protect our employees?'"
Provation Medical's Human Resources President chairs the business continuity task force, helping to ensure the staff is engaged and keeping a pulse on how they are doing.
The company also holds regular virtual meetings and get-togethers to check in with each other.
BCP planning: key concepts
According to Rambel Stone, their BCP changed significantly following the onset of COVID-19 because they had to add in the Full Business Impact Analysis, and more importantly, gain cadence to working on business continuity.
She also reminds us that it's not just security's responsibility to own business continuity. She explains it is important to have the company understand "What happens if we can't run our business? Having that story, having that conversation, in a non-scary security way is key."
"You just don't realize how significant it's going to be until you are actually in the event. I worked at Target during and after the breach, and I learned so many things that I'm grateful for.… That particular event pales in comparison to what we are going through now.
I just think it’s so important that we, as a security community, share information and work with each other to get us through this COVID-19, because there will be other things like this, and it would be wonderful if we collectively come together."
Web conference: Business Continuity Planning During the Coronavirus Pandemic
Whether your organization already has a BCP or is planning one now, we highly suggest you take a few minutes to watch the SecureWorld Remote Sessions episode where Milinda Rambel Stone shares much more of her experience with a BCP amid the Covid-19 outbreak.
Thank you, Milinda, for helping your peers and sharing in SecureWorld's mission of connecting, informing, and developing leaders in cybersecurity.