Several speakers at the GSX security conference in September described how, from the very beginning of the Covid-19 crisis, security and resilience professionals were instrumental to navigating its complexities and mitigating its impact. The looming question is: Will security leaders be able to successfully capitalize on the moment and newfound appreciation for their discipline?
“We have a finite window,” warned Steven Antoine, chief security officer for Yum! Brands, which includes being the senior security executive for KFC, Pizza Hut, Taco Bell, and Habit Burger. “There is an old adage in our space where you can’t let any crisis go to waste.”
Antoine acknowledged that the “wiring” was in place for his team to be an effective strategic advisor during the pandemic. “We basically have an extremely collaborative five-headed monster,” with each brand operating an internal crisis team that roll up into the parent crisis team. Meeting frequently during the initial stages of the pandemic helped, and so did the enterprise-wide calls that senior leaders hosted several times a week. “That was really effective for putting out authentic messages about what we were doing, and where we were going,” he said.
Not every business has managed the crisis so well, according to Matt Hinton and Jackie Day, partners at Control Risks who have been client-facing leads for all things COVID-19. “During the pandemic, the tone at the top has really mattered,” said Hinton in the GSX presentation, “COVID-19, Security and Resilience: Lessons Learned, Looking Forward.” He said the companies that he’s seen navigate the pandemic best—and the ones that stand to retain employees when the job market returns and employees have opportunities to go elsewhere—are the ones that have had engaged leadership that put employees well-being as their top priority.
In many organizations, top executives got into the weeds on issues they had never given much thought, said Day. They had to get comfortable with existing structures that they didn’t previously use. And they realized that some basic issues had never been covered. “A lot of companies still don’t have a common definition of exactly what a crisis is and that’s causing a problem,” said Hinton.
But whether they’ve fared well or poorly, the pandemic has been eye opening for all senior leaders, and that makes this an especially critical time for security teams, said Antoine. The normal pacing and sequencing of the business world has been disrupted, presenting security and resilience professionals with an opportunity they rarely get.
“Organizations have plenty of people who have information. but they don’t know who needs it, or they have people who need information but they don’t know who has it, and crisis issues—be it COVID, social unrest and protests, or [wildfires and hurricanes]—those are things that we deal with for extended periods of time, so those are learnings that we can pass on,” said Antione. “What that means is that [a crisis] is the time to illustrate your value, whether it’s expediting business intelligence, being proactive in spaces where you couldn’t before, and being bold enough to insert yourself where you have information. And you must be bold enough to tell someone, because they’re not necessarily going to come and ask for it.”
Some crisis experts note that the pandemic is a good reminder that executives who do crisis planning must be mindful of what the end game is—and that returning to pre-disaster operations isn’t always the goal. In the wake of a major event, company leaders may want to push investments toward specific operations, or change their business course in other, often dramatic ways. Disasters can cause entire markets to change, so a business may need to adapt to new market conditions. This reality is why experts often say it is more valuable in resilience planning to focus on how to support corporate objectives—such as maximizing profits—than to focus on how to do it, because a major event can cause this to change.
For Antoine’s team at Yum!, the pandemic is providing his team a chance to lead a series of tabletop exercises that weren’t previously prioritized in the same way because vulnerability was perceived differently. Even for leadership that is eager to listen to subject-matter experts, COVID presents an opportunity that doesn’t always exist or is often saved for cyber experts. “They don’t know how to make sense of the information, but we’ve always used KPIs based on intelligence reports. We’re uniquely positioned to make decisions in this space.” If they provide effective counsel, Antione thinks asset protection and resilience professionals may find the crisis acts a springboard. “They will come back to you, and ask what else do you think,” he said. “They see that we see things differently.”
But the time is now, he warned. “I think we have an execution window,” said Antione. “Now is the time to push into the risk and audit committee, to help them reprioritize and to address what’s possible—and not just what is probable.”
The pandemic has surfaced hidden financial costs from crisis events, amplified by the recent wildfires, hurricanes, political discord, and civil unrest. It is providing a catalyst to “what if” conversations that companies may have previously not seen much use for, and which are squarely in the wheelhouse of security and resilience leaders. “I think there has been a re-prioritization between urgent and important. There is now an urgency to having some preparedness. It’s always been important but now it is urgent,” said Yum!’s Antoine. “You should be involving yourself in meetings you are not invited to. Now is the time for that.”