Resiliency is critical as each agency’s mission rapidly evolves, especially now as the United States continues to battle COVID-19. The pandemic has forced federal agencies to be more agile as remote work increases and more digital technologies, including cloud capabilities, are utilized.
However, while the move to remote work has been beneficial for physical safety and other reasons, it has also introduced the possibility of even more security vulnerabilities. The key is to prioritize resiliency, and agencies that do so will be better positioned for success. To understand what it means to be a resilient agency and how that can be achieved, we sat down with Dan Carayiannis, RSA Archer public sector director.
Government Technology Insider (GTI): Thanks for sitting down with us, Dan. What does it mean for an agency to be resilient? Why does this matter?
Dan Carayiannis (DC): Thanks for having me. Government agencies, all with varying missions, are responsible for providing services and capabilities to the publics they serve. For individual agencies, to be resilient means to be able to continue to provide the right services to the public and enable employees to work effectively and efficiently wherever they are, particularly during turbulent times and even if they are disrupted.
Resiliency is just one of several important elements in an agency’s enterprise risk management (ERM) program, and today’s pandemic has really influenced government organizations to think differently about resiliency and how it has become a more important pillar in their ERM programs. While resiliency hasn’t always been top of mind for federal IT leaders in the past, it most certainly is now.
GTI: How does the complexity of today’s digital environment impact an agency’s ability to foster resiliency?
DC: The traditional brick-and-mortar agency has really evolved in the last few years. We’ve seen that agencies have extended their capabilities to support their mission and made the shift toward a more dynamic workforce. This has been a resiliency strategy for many. As the world continues to evolve and the government continues to foster remote work, leveraging digital technologies, including cloud capabilities, is extremely important for resiliency. Many agency employees are no longer in the same building or even the same city. They’re using their home networks, across the United States, and mobile devices. With this in mind, it is critical to ramp up an agency’s risk management program, enhance and update its resiliency capabilities and leverage digital technologies to accommodate today’s government workforce.
GTI: What other factors compromise an agency’s ability to be resilient?
DC: One factor that has cropped up as a concern across the government is the need to adapt quickly. The need to be resilient and activate resiliency plans, or continuity of operation plans, immediately – without disruption to workflow – is key. Another factor is an agency’s dependency on third-party organizations. This can impact their ability to be resilient due to a number of factors, such as unavailability of the third party or a cyber threat introduced by them into their environment. If you think about a traditional organization, they have processes in place to secure their environments. However, the increase in outsourcing to third parties whose security might not be robust, as well as building security for remote workers, challenges those processes, leaving room for cybersecurity complications. This means that agencies need to be prepared more now than ever before because they don’t have complete control over their environments like they once did.
GTI: What can agencies do to build a successful business resiliency program? Can you share a few best practices?
DC: It all starts at the top. A strong and supportive culture of resiliency and governance will help drive the right resiliency program. Second, you can’t make resilient what you don’t know about, so you have to understand your mission and the services you provide, what processes support them, what systems are used, what data is produced, and what third parties support you. It’s a ‘value chain’ that can be complex with many interdependencies, but it’s critical to get this right. From here you can prioritize what’s most important to focus on and make resilient, and you do that through a business impact analysis. Next, you must understand your tolerance to disruption. For example, how long can that most important service you provide be disrupted? Two hours, two days or not at all? The criticality of your services and tolerance to disruption will help you determine next steps on the road to making those functions and value chains resilient. One critical way to build resilience is having some type of continuity of operations plan. One of the things the pandemic has caused government organizations to look at and reflect upon is those plans and how frequently they’ve been updated. Another key consideration agencies need to “bake into” their resiliency plans is the third-party contractors and technologies that they rely on to support their enterprise. In short, do their third parties have resiliency plans in place that match those of the agencies they serve? Combining those best practices, which focus on a continuity of operations plan, makes for successful agency resiliency programs.