7

The COO and Their Critical Role in Cyber Resilience

In the previous chapters, we discussed various C-level executive (CxO) roles and responsibilities. This chapter discusses yet another critical executive in your team—the Chief Operating Officer (COO). The COO is the senior executive responsible for managing day-to-day administrative and operational activities. Typically, the COO reports directly to the Chief Executive Officer (CEO) and is often second in command to the CEO.

It is not uncommon for the COO to manage a company’s internal operations while the CEO serves as its public face, handling all outward-facing communications. As a result, the COO needs to be analytical and possess strong management, communication, and leadership skills. And as the second in command, the COO naturally plays a similar role to the CEO when it comes to their cybersecurity responsibilities.

The COO should proactively engage employees throughout the organization in tackling cybersecurity concerns, playing the role of an enabler and supporter of the Chief Information Security Officer (CISO). Part of an effective cybersecurity strategy is detection, response, and recovery. Regular testing enables the COO and CISO to discover and correct problems, alter procedures, and retrain people as required to assure preparedness for when a cyberattack occurs. This preparedness is critical to avoid significant business interruptions, activity paralysis, and even physical damage.

Therefore, in this chapter, we will cover the following topics:

  • Understanding the role of the COO
  • Why the COO should care about cybersecurity
  • Where the line is between the COO and the CISO in terms of responsibility for business continuity
  • Operational technology and cybersecurity—a necessity in today’s world
  • Business continuity plan management—the dos and don’ts
  • Questions to ask your COO

Understanding the role of the COO

In a modern organization, COOs are at the heart of consumer interaction, innovative technologies, corporate development, leadership, and strategy. Often, they take an active role in the engine room of the organization, while the CEO manages the organization’s external image and brand.

The COO’s use of technology with automation and monitoring in support of their priorities has greatly optimized their organizational awareness. This optimization has allowed them to refocus their attention on the value of data, and how companies use it to assist in decision-making and drive continuous improvement.

The use of data science techniques and artificial intelligence has provided significant results in fraud detection, consumer trend forecasting, marketing, and data transmission and analysis. For example, the adoption of a well-designed chatbot that can answer customer queries, direct consumers to the appropriate products and services, and even assist with placing orders will reduce an organization’s expenditure on its call center. This is a great example of how technology can uncover extraordinary advantages for COOs by allowing them to cut expenses while enhancing customer service.

As a result, COOs can refocus their priorities, with more emphasis on safeguarding the company while increasing its resilience to better survive and maybe even profit from market shocks and variations in business demand as part of its business strategy.

The immediate concern here is the massive expansion of technological adoption. As stated throughout this handbook, while the adoption of new technology is a significant advantage, technology also increases an organization’s cyber exposure, which might lead to changes in business activities, priorities, or even operational interruptions due to a crisis-level cyber incident. This must be a priority of the COO.

The COO must have a role in developing solid business continuity and disaster recovery plans with detailed cyber incident response plans. This includes supporting the CISO in the detection, response, and recovery phases. The COO needs to treat cyber risks as business risks, just as every CxO in the organization must. As a result, this may require them to take a step back to consider a holistic view of all operational areas to ensure that the adoption of new technologies does not push an organization’s business risk beyond its risk appetite. An experienced COO should be able to distinguish between operational resilience as an offensive strategy and business continuity planning and disaster response as a defensive strategy, as well as why it’s critical to switch from one to the other quickly.

Consideration of cyber risks and operational resilience requires the COO to remain up-to-date on threats and communicate these issues with other CxOs or the board of directors. Effective communication needs to balance the organization’s risk appetite for cyber threats against its strategic cybersecurity initiatives.

The following section describes the importance of cybersecurity for the COO and how it fits with their priorities.

Why the COO should care about cybersecurity

The COO is accountable for a company’s continuous operations in the face of various challenges, including economic downturns, process and technological changes, and natural catastrophes, among others. When it comes to corporate risk concerns, seasoned COOs are masters at dealing with both planned and unplanned risks. This must include cyber risk as a business risk.

Given the COO’s responsibilities—vendor management, human resources, operations development, design, and production, among other things—cybersecurity literacy, particularly as it concerns business continuity, disaster recovery, and incident response planning and execution, is critical. Engaging with the CISO to better understand and define the cyber scenarios that might interrupt business operations is necessary so the COO is prepared to face them head-on in the event an incident occurs.

To accomplish this, the COO must collaborate and communicate with the company’s cybersecurity leadership to ensure cyber risk scenarios are incorporated in the overall operational strategy. While your organization’s CISO is ultimately responsible for designing cyber incident response plans, their plans are incorporated into its Business Continuity Plan (BCP), which will be discussed later in this chapter.

Lastly, a good COO should be aware of current events in the area of cybersecurity and be mindful of the most recent threats that might impact a company’s operations. Cyber response and recovery requires the COO to ask tough questions, such as, “Have I prepared myself and my business for a cyber incident, and for the recovery afterward?”

It may appear the lines of responsibility between the COO and CISO are blurred as both must focus on business continuity. To that end, we must identify the line between the COO and CISO’s responsibilities.

Where the line is between the COO and the CISO in terms of responsibility for business continuity

The primary responsibility of the COO is to ensure that a company operates smoothly and that operational expenses are kept under control. According to a 2019 Fortinet report, 78% of COOs say they are in charge of protecting operating procedures (see page 3 of https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-coo-and-cybersecurity.pdf). This requires the COO to reconcile growing security obligations with conventional operational tasks. As such, COOs must collaborate with the CISO and other security executives to protect all operations and business activities from cyber threats.

Understanding cyber risk as an enterprise risk, developing response strategies, and responding fast when an event happens are all things a COO can do to safeguard a firm. A breach is unavoidable, regardless of how well prepared an organization is.

Companies rarely update their business continuity plans for years, allowing them to become obsolete and irrelevant to current and emerging cyber risks. A clear area of collaboration between the COO and the CISO is the integration of cyber incident response into business continuity plans. It is not uncommon for BCPs to present considerations of physical damage and IT disasters, but this is not the same as including cyberattack scenarios. The former is reactive and the latter is proactive. The COO and CISO must take a proactive approach to cybersecurity and resilience. Yet, the ultimate responsibility falls on the COO.

Often, cybersecurity addresses traditional information technology and does not focus on Operational Technology (OT). OT remains critical and requires a dedicated security approach, as its priorities and challenges are different. We discuss that next.

Operational technology and cybersecurity—a necessity in today’s world

OT is a category of computing and communication systems that manages, monitors, and controls industrial operations, with a focus on the physical devices and processes they use. Manufacturing plants, electricity grids, water utilities, oil and gas extraction, transportation, and other facilities use OT to monitor and manage operations and production activities.

While the integration of cybersecurity in business operations might seem straightforward for most industries, OT COOs have higher stakes in play, with the risk of major disruptions and safety issues if operations and cybersecurity remain siloed from each other.

COOs are dealing with unprecedented levels of change, due to OT/IT convergence and the expansion of their roles to manage cyber risk; such risk management concerns challenge COOs significantly more than any other risk component. At the same time, CISOs are expanding their participation in OT cybersecurity.

OT has long depended on hardware and software designed expressly for industrial applications. Consequently, OT and IT infrastructures have traditionally been treated as different entities, both physically and in terms of administration. Many OT networks are unsegmented, with a combination of production protocols, unidentified assets, and older devices. Some have insecure links to corporate/IT networks, while others are completely disconnected from the internet.

More and more OT environments are opening up to the outside world. The use of technology to improve productivity and offer remote support to OT sites is a game changer for the mining, manufacturing, shipping, and logistics sectors, among others. However, providing such access introduces new cyber risks to the OT infrastructure and exposes them to countless well-defined and legacy cyber threats. The impact on a factory or a power grid from a cyberattack can range from a simple interruption to a catastrophic event that might lead to a loss of lives. Magda (co-author of this book) notes that major ransomware events that have impacted manufacturing plants in Asia over the last two years have caused major disruptions, leading to financial losses of millions of dollars.

Given that many firms’ OT and IT departments are still separated, it is logical for the COO to collaborate with the CISO and integrate their cyber risk strategies into the business operational plan, as well as the BCP.

Strong business continuity plans are vital to an organization in the event of a cyber incident. The following section describes the dos and don’ts when creating and managing BCPs.

Business continuity plan management—the dos and don’ts

The path to recovery for organizations following a catastrophic cyber event is usually lengthy and challenging. When unexpected circumstances arise, they put good leaders to the test. Any organization’s executives, led by the CEO and COO and in collaboration with the CISO, must be able to adapt to the rapid changes in cybersecurity today.

Safe workplace initiatives, employee well-being programs, and business continuity procedures are all examples of plans that must be prepared before the inevitable happens. COOs must find solutions to maintain business resilience, or risk the consequences of not being able to recover from a disruption. Even a relatively simple ransomware attack has cost organizations millions of dollars, and some organizations never recover from it.

The COO must, however, first educate themselves as a leader. Fear or uncertainty may lead to emotional choices, leading to bad decisions.

Business continuity and disaster recovery must not fail!

We have all heard of the saying “Nothing is certain in life except for death and taxes,” but in the digital age, being the target of cyber crime is fast becoming a certainty. No matter what security vendors may promise, preventative and detective security controls to mitigate cyberattacks are never 100 percent effective. To minimize the impact an attack may have on the business, business continuity and disaster recovery practices must be tested continuously and updated regularly to remain resilient.

Over the last few years, many organizations have had prolonged disruptions to their systems and business operations from cyber incidents involving encryption of critical systems or ransomware demands. These organizations found that their business continuity practices were not set up to deal with large-scale technology disruptions that, in most cases, required the reconstruction of their entire technology ecosystem.

Shipping giant Maersk is one such example. They had to reinstall their entire infrastructure due to the NotPetya infection. They were without any IT for ten days and ships carrying 10,000 to 20,000 containers were entering ports every 15 minutes. During these ten days, they had to install 4,000 new servers, 45,000 new PCs, and 2,500 software applications, which was a heroic effort within that time frame (see https://www.itnews.com.au/news/maersk-had-to-reinstall-all-it-systems-after-notpetya-infection-481815).

The prospect of all technology systems being unavailable simultaneously requires organizations to plan for resource, logistics, communication, containment, and rebuilding requirements before the event. Ten days of disruption might seem unfathomable; imagine the impact on business operations if system disruptions last for months because the organization hasn’t planned for such an event.

Having a plan is only half the battle. It must be tested, and retested. Organizations should run simulations and tabletop exercises to ensure that when (not if) the time comes, everyone knows their role and the processes that need to be followed. Business continuity and disaster recovery plans cannot be allowed to fail, and being prepared is key in this.

What does a good BCP look like?

In the military, the ethos of training and execution is built into their continuity-of-operation plans. There is a famous military saying that goes, “You don’t exchange business cards during a crisis.” This is especially relevant for an organization’s BCP, as the organization should always plan ahead to know what needs to be done. Planning itself is not enough; there must be clearly defined accountabilities for each role, which are then practiced to instill familiarity.

Building a complete BCP takes time, especially when it comes to identifying the appropriate resources needed, along with the involvement of third-party partners. A very good starting point is to think of the most likely and relevant possible scenarios and then build a plan of action around them.

Another attribute of a good BCP is for it to be benchmarked against similar organizations in the same industry. There is a common misconception that speaking to a competitor about business continuity poses a conflict of interest. This is unfounded as these benchmarks and discussions cover noncompetitive aspects of a business. Organizations that proactively communicate and learn from each other will be much better prepared.

The methodology

Business continuity and disaster recovery planning around physical hazards such as fire, natural disasters, and theft are core to business operations in many organizations. Very few organizations question the value of creating emergency evacuation plans and rehearsing those plans annually (or more often), yet most organizations seldom suffer a physical disaster. In contrast, the likelihood of an organization being a target of a cyberattack is very high (when, not if), but many organizations still do not have updated Information and Communication Technology (ICT) business continuity and disaster recovery plans to address these threats, let alone plans that have been tested and rehearsed properly.

There is no doubt that an organization that can continue business operations while under cyberattack, enact its recovery plan, and reduce the overall impact of the attack is in a much better position than an organization with security policies and cybersecurity tools in place but without an effective business continuity and disaster recovery plan.

Andy Chauhan, former CISO at Ausgrid, the largest electricity distributor on Australia’s east coast, highlighted some key points that organizations should consider in assessing their business continuity preparedness:

  1. Before a BCP event: Planning for a BCP event is key. Organizations should be planning ahead of time to know what needs to be done. The key to a good plan is understanding the following aspects:
    1. Which systems are important/critical for the business to operate? Given the time, resource, and logistical constraints, the recovery of systems must be prioritized. Organizations typically do this through a Business Impact Assessment (BIA), which assesses the priority of business functionalities, such as the effect of reduced operations on the global economy (international trading functions), country (telecommunication services), cross-sector (electricity supply and distribution systems), industry, organization-wide (collaboration systems, financial systems), and divisional levels.
    2. What is required to protect and recover the critical systems? This includes preventative controls such as anti-ransomware controls, backup segregation, isolation controls, or a whole range of cyber controls that protect vital systems from being breached and compromised. While prevention controls are important, they may not, however, be fully effective. Hence, a strong set of monitoring/detection and recovery controls must be designed and implemented.
    3. What resources, both internally and from the supply chain, are required to execute the plan? These include people, equipment (especially if rebuilding systems becomes the only option), access to specialist partners for recovering and rebuilding systems, and negotiating ransom demands. State and federal law enforcement agencies must also be engaged, depending on the nature of the event.
    4. What insurance cover is available? Does the insurance cover the recovery of systems costs and the financial losses of the impact on business operations? Typically, cyber insurance providers also now have a panel of specialist providers who can be engaged to assist with recovery activities.
    5. Have detailed recovery and response plans (called playbooks) been created? A detailed step-by-step recovery playbook typically covers who does what in the first hour of an incident, the first day, the first week, and so on.
    6. Have recovery and response plans been tested? There is a saying from Vince Lombardi that “practice does not make perfect. Only perfect practice makes perfect.” The perfect practice of your BCP requires your executives and board of directors to rehearse the BCP periodically.
    7. How will communications with the organization’s stakeholders, customers, and partners be managed? In a BCP event, effective communication with the media and stakeholders can significantly impact the share price of an organization. What to communicate, when to communicate it, and with whom need to be planned beforehand. Communication needs to be led by the organization during the event so that the narrative can be effectively managed.
    8. What is the governance structure of a BCP event or a crisis event? Most organizations that have been impacted by weather-related incidents (such as bush fires, storms, or floods) have a well-organized and tested governance structure in place. The board must be involved in critical decisions, such as whether to pay a ransom demand and the implications of doing so.
  2. During a BCP event: Once your business continuity plan has been created, it must be tested and rehearsed regularly. A common mistake that many organizations make when creating a BCP is making assumptions that the business can revert to manual processes without testing whether the human resources or skills can do so. It could be argued that if the business does not survive because it was not able to maintain business continuity, disaster recovery is pointless. The Heritage Company, a telemarketing firm based in the US, was one such example; after more than 60 years in business, the firm had to shut down its operations for good following a crippling ransomware attack.

There can still be unknowns that come up during a BCP event, despite sound planning and regular testing. All aspects of the plan should be thoroughly tested for sustainability during a cyber event. If the incident is a ransomware event, then the organization needs to consider how to cater to staff fatigue and create a sustainable staff roster, keeping staff well-being in mind. Sometimes, certain equipment may be unavailable or may have lead times, or it may be discovered that assumptions around resources, systems, and the time required for recovery were incorrect. The organization then needs a governance/escalation structure to manage such issues.

  3. After the event: Chances are that getting back to business-as-usual mode could take months. What, then, are the interim arrangements, roles, and responsibilities in the meantime? Another critical exercise that needs to be carried out is a Post-Incident Review (PIR). A PIR enables feedback and refinement of the processes, playbooks, plans, and impact statements for future events.

When discussing business continuity, it is imperative to understand disaster recovery as well. In the following section, we address the difference between business continuity and disaster recovery, and the COO’s role in each.

Disaster recovery planning

Once an effective business continuity plan has been created, tested, and rehearsed, it must now be maintained. This then allows for the focus to shift to disaster recovery planning. Where a BCP focuses on continuing business operations, disaster recovery planning focuses on restoring ICT systems and information assets to how they were before the disaster. If business continuity planning is likened to the plan to evacuate staff to another location and keep working while the fire department puts out the fire, then disaster recovery planning is like rebuilding the building and its contents as close to the original state as possible.

Most organizations have a reasonably well-established data backup process. However, many organizations fail in disaster recovery planning because of the lack of regular testing to ensure that it actually works when data needs to be restored. A financial technology company that suffered a ransomware attack in South Australia during COVID-19 had their data backed up but found out during the crisis that their custom in-house software was not backed up. This meant they lost their software and could not use the backup data to restore business operations. They ended up rewriting their software over many months, while processing millions of financial transactions by hand in the interim. Test, retest, refine and update, and test again.

Another failure in disaster recovery planning is keeping copies of your business continuity and disaster recovery plans (which might include procedures and configurations) on the same ICT systems that are at risk of a cyberattack. If cyber criminals gain access to your disaster recovery plans, they can find ways to disrupt them, too.

Test, test, test. Did we mention your plan must be tested?

There is a common saying that “practice makes perfect.” Once the BCP is completed, the next step is to rehearse and test it. A walkthrough tabletop exercise involving everyone with a role in the execution of the plan is critical. The best practice of your BCP requires your executives and the board of directors to take part in the actual exercise. When your board is invested in the process, there will be less doubt about their roles should the business be breached or appear in media headlines after an incident. Their participation in testing builds their confidence about the plan, and the actual execution of the plan in the event of a cyberattack. As a result, this strengthens the organization’s ability to recover quickly. The most forward-looking companies invest time in running these exercises and provide training on what’s expected from the top down, and are committed to improving their BCPs with continual drills.

Questions to ask your COO

The following is a list of questions to ask your COO about how they incorporate cybersecurity into their business operations planning:

  • How do you consider cybersecurity in your operations?
  • Do you cover OT (applicable to only specific industries)?
  • Who are your main stakeholders?
  • Do you hold recurring meetings with the CISO?
  • Have you integrated a cyber incident response plan in your BCP and Disaster Recovery (DR)?

Summary

This chapter provided visibility on common practices that might hinder an organization’s cyber resilience. We listed the overall responsibilities of the COO and addressed the challenges for them around business continuity and incident response. We identified operational priorities that are implemented for more traditional major crisis events, and showed the need for priorities to shift toward cyberattacks and major disruptions due to threats or attacks such as ransomware.

The COO drives business sustainability and resilience by adapting to new and emerging risks and making the changes required in their traditional practices. These changes will increase over time due to widespread adoption of the technology and the shift to working remotely. This highlights the need to change and evolve while building a transparent and strong collaboration with the CISO and other stakeholders.

In the next chapter, we look at the Chief Technology Officer and what is required from them as a result of the current technological tsunami.
