4 steps to build redundancy into your security team

Avoid central points of failure or compromise.

This fundamental tenet of information security applies not only to systems and networks, but to individuals during a time of pandemic. Key cybersecurity staff, more often than not, possess singular knowledge of an organization’s infrastructure, including credentials. What happens if COVID-19 incapacitates a critical member of the security team for an extended time—or worse?

While the odds of any given individual winding up in the intensive care unit because of COVID-19 is small, given a large enough employee pool a certain number will inevitably become severely ill. Ensuring that no individual’s absence grinds your business to a halt should be top of mind for every security leader right now.

“Robust pandemic planning is a little grim,” a business continuity planning (BCP) manager at a financial services company tells CSO, “but you have to take stock of your current employee count in each position and determine what level you can safely operate at in contingency mode.” (The BCP manager requested not to be named, as they were not authorized to speak to the press.)

Redundancy of skills and access to information–including credentials, processes and project status updates–is essential for your security team to weather the coming storm.

Here are four steps you can take now to prepare.

Write down those passwords

Security staff often hold the “keys to the kingdom.” Make sure more than one person has access to those keys, or can gain access to those keys quickly, if the primary key owner gets taken out of action.

In a mature organization, this might be accomplished using pluggable authentication modules (PAMs), or for smaller organizations using a shared password vault such as LastPass or KeePass, or even using a master paper notebook stored in a safe.

Don’t forget about multi-factor authentication (MFA) redundancy. Make sure multiple people possess soft authentication token or U2F keys. Those shared passwords won’t be very useful if an incapacitated employee can’t unlock their phone or tell you where their Yubikeys are.

Document the status of current projects

Make sure staff who are working in the trenches frequently document their current status and share that information with other team members. If a key employee goes down, you need others to be able to pick up the ball and run with it.

“It is also critical for staff to document projects and in-progress activities, ideally in a shared location (with appropriate privacy and sensitivity limitations),” David Longenecker, security operations manager at chipmaker AMD, advises. “Train staff to include key points of contact in this documentation. Not only does it help the staff member keep track of what they are working on, but it gives the person unexpectedly taking over a place to start.” (Longenecker emphasized that he was speaking on his own and not on behalf of AMD.)

Check your continuity of operations plan (COOP)

Redundancy, redundancy, redundancy.

For each critical job function, make sure more than one person can perform that role in a pinch. FEMA guidelines offer sound general advice in this regard, though not specificly to cybersecurity professionals.

“All COOP plans, per FEMA guidelines, should have succession plans,” Ben Yelin, program director, Public Policy & External Affairs, at the University of Maryland Center for Health and Homeland Security (CHHS), tells CSO. “For each essential function, there should be a primary person, and then up to three backups if the primary person is not available. As part of the COOP planning process, you should make sure that the backups have the same institutional knowledge as the person with primary responsibility for that function.”

“Of course,” Yelin adds, “this is easier said than done. Many organizations run into situations where there is only one employee with the proper expertise and credentials. The whole point of continuity planning is to make sure there are those redundancies in place during an emergency.”

Job rotation and job shadowing

Take concrete steps now to put that redundancy in place. Job rotation and job shadowing–a good idea during the best of times–are concrete, specific steps you can put into place today, Longenecker tells CSO.

“I’ll have hand-picked staff sit in on meetings and decision making so they become familiar with how critical processes are handled,” Longenecker says. “That way if they need to step in on short notice, they aren’t coming in cold.”

The COVID-19 situation is going to get worse, maybe a lot worse, before it gets better. Batten down the hatches and get your team working together closely–if not in actual physical proximity–as much as you can over the next couple weeks. Greater collaboration will be key to surviving the catastrophe on the horizon.

“I’m wrestling with this first-hand, so I’m giving you some perspective from the front line as it were,” Longenecker says.

Do you have a story from the front lines to share? Reach out to this reporter at jm_porup@idg.com