Well, yesterday I had a great podcast, believe it or not, with 4 people on as guests.  This is the first time that this has ever happened to me for a podcast show.  It was a great experience to be a moderator for the first time. 

Although the show did focus upon the COVID 19, the nature of the topic was different.  It was hardly Cyber related; rather the theme of the show focused upon physical security, in other words, those places that still have the traditional brick and mortar presence.

There was a lot of discussion around how these facilities are actually impacted right now, and what it will be like when they start to gradually open up.  The basic consensus was it is still hard to determine what the response will be like, as people will still be apprehensive about the COVID 19. 

But it was agreed that one thing is certain:  Both the IT Departments and the IT Security teams will be even stretched further to their breaking points than they are now.

Even before COVID 19 hit, both of these teams were already stretched thin.  For example, given the severe workforce shortage in Cybersecurity, many businesses have been scrambling to fill much needed spots, and now that need is growing exponentially, with all of the WFH issues that are taking place. 

It is probably safe to bet that that they are now working well beyond their 40-hour weeks; because now they have to keep up with Cyber Hygiene practices with employees that are now remote.

A perfect example of this is in making sure that the devices that remote employees use are in compliance with the businesses’ Security Policies, and also deploying critical software patches and upgrades across networks that are not even known to the IT Security staff.  To use the Star Trek jargon, we are now in times “ . . . to go boldly where no man has gone before”.

The issue of overworked IT workers has been further substantiated by a recent survey that was conducted by Kaspersky.  It is entitled:  “Taking Care of Corporate Security and Employee Privacy: Why Cyber-Protection Is Vital For Both Businesses and Their Staff”.  This report can be downloaded at this link:

Here are some of the key findings of this report:

*30% of IT employees missed a personal event because they were too busy putting out fires;

*32% of them had to work overnight for both long and extended hours which thus put a strain on their family lives;

*33% suffered some sort of mental breakdown;

*27% of them had to cancel personal vacations because of a security breach and the ongoing investigations that ensued;

*76% of the respondents ended their marriages or relationships because their work too much time from them;

*16% of them have already quit their current positions, and are even considering of getting away from IT altogether;

*33% of them felt so stressed out at their work that they resorted to self-medication techniques;

*Over 27% of them reported that other mission critical projects that were pending had to get pushed off to a future point in time, with no delivery date yet scheduled.

These findings and others can be seen in the illustration below:

(SOURCE:  https://www.securitymagazine.com/articles/92228-kaspersky-finds-30-of-it-security-managers-missed-important-personal-events-due-to-data-breaches)

Given these findings, the report even highlights that the following steps should be taken to help alleviate some of this stress:

*Always maintain an open line of communications with all of your employees, especially during this time when just about everybody is WFH.  The CIO and/or CISO needs to be totally transparent, but above, all, now is not the time to reprimand or “chew out” employees.  Everybody is under a lot of stress with now, and rather than putting your employees down, it serves no purpose whatsoever.  If anything, this could even start the potential of an Insider Attack from starting to precipitate.  Be very encouraging and supportive as much as possible to your employees so that they remain as productive as possible.  Even consider giving out virtual gift cards from places like Amazon, Starbuck’s, Panera Bread, etc. to reward employees from time to time during this crisis.

*Once things start to get back to a more normal level, start to initiate the development of Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans.  Try to do these ASAP, but above all, rehearse them at least on a semi-annual basis, and update your respective documents as to the lessons learned, and further refine them from there.  Thus, a very important part here is to maintain the contact database so that you can notify employees quickly as events unfold.

*Whenever a security breach or Cyberattack does occur, the first knee jerk response is to find blame and fire that person who is thought to be responsible.  In many cases, this is the CIO and/or the CISO, because the proverbial buck stops with them.  In fact, this is a question I often ask my podcast guests:  What should come first, the investigation, and the hold the person responsible, or is it vice-versa?  As with me, many of them feel that what is needed first is to conduct a thorough investigation first, then cast blame.  By doing so, not only do you have the evidence that you need to find that person accountable, but you also build up a more solid reputation with your external stakeholders by proving to them that you did not fall for the knee jerk reaction first.  What is needed in the aftermath in a security breach are cool, calm heads that can think rationally with an unbiased mind in order to further evaluate the situation.

*On a regular basis, employees (whether they are on site or working remotely) need to be always encouraged and motivated not only to do their jobs to the best levels that they can, but also to feel that they are part of the corporate team, and that their input is always highly valued, no matter what the circumstance might be.  By doing the latter, your employees will only be that much more motivated to help out when a security breach if and when occurs.

*OK, everybody today (even the Cyber people themselves) are totally overwhelmed with all of the COVID 19 stuff that is out there, especially when it comes to Phishing, spoofed websites, and the Zoombombing.  In order to quell the fears that your employees have about all this, you should seriously consider maintaining a 24 X 7 X 365 hotline in order to answer any fears and questions that relate to Cybersecurity.  True, this might be a pain to do, but during these unprecedented times, it will be employees that will keep your company afloat.  By showing that you care, it will pay huge dividends in the end.  You do not have to get anything elaborate; you can get a rather affordable VoIP based service from any ISP.

*The last thing you need is a tarnished public image after you have been impacted by a security breach, especially by the media and the press.  Therefore, if your business is large enough, you need to figure out how your media team will handle this, or if you are an SMB, how your PR firm will handle it and contain the rumors and innuendos that will persist for a long time.

Well, there you have it.  You know now have a glimpse as to what the stress levels are like amongst your IT and IT Security teams, and some pointers as to what you can do to help fix them.  Remember, as the CIO and/or CISO of your company, these tips can even be implemented remotely.

So, the time to act is NOW.