The contradiction of post-COVID-19 risk management
Risk management revisited
There isn’t one rule that fits all companies for risk management; it comes down to each specific organization and its priorities. But all enterprises can address key elements of a virtual workforce, especially when reflecting on what aspects of adjusting to COVID-19 were most difficult.
Access management is among the most important risks. Who has access to certain exchanges and transactions? Should steps be taken to establish levels of permissions? Does another layer of authentication need to be added?
The question of additional security controls is another. Do online channels, regardless of whether they are one-to-one communications or group sessions, have appropriate encryption and other protections (including access control)? Is the data being exchanged as well protected as it would be on a hardware- and software-encrypted drive or laptop?
As usual, businesses need to address the question of security vs. usability, depending on their own circumstances. Is ease of use or the necessity of a communications channel worth the risk inherent in sharing vital information? Or should security take priority?
Risk management generally leads to one of three outcomes: accept, transfer or mitigate. You can accept the risk on the basis that the process under consideration is worth the potential consequences. You can transfer the risk
Security has always been a difficult balancing act between giving too much weight to either security or usability. Now that COVID-19 has challenged the security policies and boundaries of organizations, it is key to address risk management as an ongoing facet of a business that must mature over time — regardless of the crisis at hand.
About the author:
Jonathan Couch, senior VP of strategy at ThreatQuotient, uses his more than 25 years of experience in information security, information warfare and intelligence collection to focus on the development of people, process and technology to support the consumption, use and communication of cyberthreat intelligence. Prior to ThreatQuotient, Couch was a co-founder and VP of Threat Intelligence Services for iSIGHT Partners, where he created and managed a threat fusion center to help clients transition to intelligence-led security programs. Couch previously served in the Air Force at the NSA, Air Force Information Warfare Center, and in Saudi Arabia as the regional network engineer for the Joint Task Force (Southwest Asia).