A surprise office pest problem forced Joe Topinka's company to dry-run an extended work-from-home situation before COVID-19 did the same for everyone else.
It is human nature to put off until tomorrow the things that should be done today. COVID-19 and working from home have contributed to our procrastination habit. (Have you finished binge-watching Tiger King and Ozark?)
Procrastination happens in both our personal and professional lives. It often takes a crisis to move us to action at the office. Too many companies spend too little time and attention on risk management programs and cybersecurity programs until, BAM!, they are hit with their first bitcoin-based ransomware attack. Sometimes the catalyst for action comes in strange ways. I recently had a surprising problem that inadvertently helped the company I worked for prepare for COVID-19.
As a cloud-first CIO, I had already transitioned many of the company’s critical business systems to cloud platforms. The promise is that you then have a head start on establishing resilient operating environments, enabling continuous operations, even in the face of crisis. Testing this theory in real time has never been my preference but that’s exactly what happened. I never anticipated this specific scenario, but nonetheless it set us into action.
Our company occupied several floors of a multi-tenant building. It started out slowly – first they discovered one bed bug, then there were more. An exterminator was called in. They attempted to treat the localized area but, to make a long story short, we ended up having to evacuate the building. The company took the extra step to test every employee’s home too, at considerable expense.
We instituted a mandatory, work-from-home arrangement that lasted for several months while the bed bugs were eradicated. This office housed our sales and marketing teams, finance, IT, product teams, and more. Coincidentally, we had also made a decision years before the bed bug problem to buy only laptops for employees. When we were forced to vacate the office, employees simply grabbed their laptops and personal items, and headed for home.
From an IT operations standpoint, I was a little nervous given that we’d never tested our VPNs or cloud solutions with every employee operating remotely at the same time. We had to tweak our VPN environment, but all the other systems worked well with no real issues at all. And just like today in Covid times, people felt more productive working from home. Back then, unlike today, we did have the benefit of being able to meet face to face at local coffee shops and restaurants, if needed.
This bed bug crisis forced us to execute our business continuity plan in a heartbeat. Most of our executives hadn’t thought about the incident that way until we pointed it out to them. Once it dawned on them that our efforts to create a resilient environment weren’t for naught, a newfound appreciation for our capabilities surfaced.
I was fortunate that this executive team willingly gave us the runway and funding to create a cloud-first, resilient environment. I left the company a few months prior to Covid to pursue my CIO executive coaching endeavors full-time, but I heard from former colleagues that the transition to work-from-home was easy and familiar. They were grateful. And I’m grateful the bedbugs validated our proactive, cloud-first strategy.
When I think about putting off until tomorrow what should be done today, I am reminded that far too many companies are still procrastinating when it comes to cybersecurity, cloud strategy, and digital transformation. Yes, companies were forced into action with work-from-home orders, but still, much remains to be done on these critical fronts.
I still see far too many companies continuing to invest in on-premise solutions and giving very little attention to cybersecurity and risk. In a recent study by the American Institute of CPAs (AICPA), more than 500 organizations weighed in on the state of enterprise risk management (ERM). Here are a few highlights from their research:
- Only 30% of companies indicated they have ERM programs in place.
- 80% of companies reported that risk management processes don’t provide strategic value for their companies.
- 70% of companies do not include a risk component as part of their compensation plans.
Disruptive technologies, geopolitical events, the pandemic, and the upcoming U.S. elections make risk harder and ever more complex to manage. Still, adoption of ERM programs remains stagnant. It hasn’t grown materially since 2016. What has changed is that COVID-19 and disruptive business models are pressuring companies to take a fresh look at how they view risk.
Executives reported that they are feeling more pressure to focus on risk:
- 66% of boards are asking for more risk oversight.
- 58% of executives are feeling pressure from outside parties to provide more risk insight to the business.
Enable Digital Transformation
As technology leaders, we have all had to grow in recent years. Our experience dealing with digital transformation and cybersecurity challenges has been all too real. For many non-IT executives though, digital transformation is still something looming out in the future.
Now is the perfect time to leverage your experience and help your colleagues on their digital transformation journey. You can do this by reinforcing and strengthening your relationships with peer executives. Make sure you are spending one-on-one time with them. Consider sharing a few stories with them, ripped from the headlines, about companies that gambled on ignoring risk and cybersecurity and had to pay the price in real dollars and brand reputation.
Most importantly, make it safe for them to ask questions. Many of them have told me they are embarrassed by their lack of technical knowledge. As a result, they are reluctant to speak up or ask questions in team settings. By being their ally, you’ll be helping them understand the criticality of risk management and, hopefully, avoid the detrimental effects of inaction.
Who knows? You may find that you have a new champion the next time you bring a cybersecurity investment to the decision table.