Security leaders have learned a number of lessons during the global pandemic that will help with future incident response and operational continuity.

COVID-19 Lessons Learned

As several waves of the COVID-19 pandemic have hit all areas of the world, many cities, countries and regions have gone into different forms of lockdown multiple times to contain further spread of the virus and reduce strain on hospitals. More than 5.7 million people worldwide have died from COVID-19, and those numbers continue to rise. The effects of the pandemic beyond deaths are staggering too, with statistics pointing to a rise in mental health issues, alcoholism, domestic violence and workplace violence. Overall, 25% of U.S. adults said they or someone in their household was laid off or lost their job in the first year of the pandemic, according to Pew Research Center. Beyond that number, millions of other workers report being forced to reduce their hours or take pay cuts due to continued economic fallout from the pandemic.

“The COVID-19 pandemic delivered on what nearly every public health expert predicted was imminent — a global public health crisis. Yet, we all have paid a price for being unprepared or unorganized in our collective response to this completely foreseeable event. While the exact causes for our global brittleness to the COVID-19 pandemic may continue to be subject of debate for years to come, what is clear is we must think differently — and more broadly — about risk and risk management,” says Cory Simpson, Executive Vice President at Resolute Strategic Services and Senior Director at the U.S. Cyberspace Solarium Commission.

According to a Harvard University-based project called The Economic Tracker, 37.5% fewer small businesses were open in June 2021 compared with January 2020, which was two months before the pandemic hit. While some of those closures may be temporary, the impact is significant.

Lou Marciani, Ed.D., Director and Co-Founder at the Innovation Institute for Fan Experience, says that the sports industry alone lost a reported $15 billion during early COVID-19 shutdowns and festivals, cultural events and other entertainment events lost around $8 billion as shows closed. According to the Bureau of Transportation Statistics, U.S.-scheduled passenger airlines reported a fourth-quarter 2020 after-tax net loss of $7.0 billion and a pre-tax operating loss of $9.7 billion.

There’s no denying that the COVID-19 pandemic has been a business disruptor, but on the security side, many security leaders and teams reported positive outcomes, including collaboration and teamwork across departments and key stakeholders traditionally siloed, increased communication across the enterprise, and an elevated business stature. At the very least, many organizations ended up with more robust, revised operational and business continuity plans, procedures and responses based on lessons learned. And those are the lessons that can unlock a key to future resiliency.

Organizations had to plan for and respond to not only a global health pandemic, but also social unrest, looting, widespread riots and natural disasters such as flooding, hurricanes and wildfires, to name a few. In other words, enterprise security leaders and risk professionals point to the past two years as demonstrating the importance of planning, but even more importantly, planning for multiple emergency scenarios at one time.

“One of the major lessons from the pandemic is to never focus on only one crisis at a time. The all-encompassing nature of COVID-19 has made this clear. The virus simultaneously triggered multiple related crises — a medical crisis, a mental health crisis, a political crisis, a supply chain crisis and so on. Organizations that had a narrow focus on only one of these issues often found themselves unprepared to manage the other crises,” shares Mick Sharp, Group Director Security Services at International SOS.

But while no one could have predicted the exact scale of effects over the past few years, many organizations, business leaders, emergency management and risk professionals did several things right — and the intelligence they used, the decisions they made and the planning they incorporated kept employees and facilities safe and operations afloat. Security magazine profiled a number of enterprises and their security teams in our COVID-19 Heroes profiles throughout 2021 to bring readers insight into different response approaches, pain points and focuses as organizations across all sectors struggled, adapted, continued and thrived throughout the past couple of years.

From our coverage of enterprise security professionals and their organization’s COVID-19 response, we saw several themes emerge across sectors that aided or helped businesses with operational continuity and overall resilience since the original worldwide lockdowns in response to the COVID-19 pandemic began in early 2020.

1. Flexibility

The pandemic has highlighted the importance of flexibility as a security leader, particularly as many security teams, leaders and departments shifted to lead, manage or support COVID-19 response efforts, civil unrest response and more. Teams that were once focused on access control and physical presence were tasked with managing health screenings, temperature checks, mask enforcement and social distancing. The ability to pivot and remain flexible has never been more important.

Security professionals saw, perhaps more than any other profession, how the threat landscape expanded and evolved in a number of ways since the COVID-19 pandemic began: increased cyberattacks and network vulnerabilities, disinformation campaign surges, an increase in workplace violence and physical confrontations, an increase in people leaving the workforce or changing jobs, industry or professions, and much more. And in many cases, taking on additional or different responsibilities fell to security teams.

According to The 2021 Security Benchmark Report, 96% of security leaders report leading, managing or supporting COVID-19 response. Forty-eight percent of The Security Benchmark Report respondents report supporting cybersecurity efforts (and another 18% report leading or managing the efforts). Seventy-seven percent of security leader respondents report leading, managing or supporting travel protection and security, while 72% of respondents report leading mitigation for protests, unrest and hate crimes.

“One of the biggest lessons learned was the extreme shift toward remote access during the pandemic that created an unprecedented risk for sensitive data,” says Richard Schoeberl, Ph.D., Program Chair and Director of Graduate Studies, Criminology and Homeland Security at The University of Tennessee Southern. “This pandemic has generated a surge of security threats in a variety of industries — there will be no return to normalcy. Security and risk professionals alike must be prepared with a plan, but also be prepared to adapt it for the current situation.”

2. Collaboration

Many organizations found that with a global pandemic that affected operations and employees in all corners of the world, collaboration as part of emergency response and business continuity became inherently critical.

“More importantly than what risk professionals learned, the leadership of organizations learned that their security and safety professionals were the steady hands on the tiller when COVID-19 hit its peak. There is now new respect (and more demands) for companies’ risk teams, which will probably help separate the wheat from the chaff if the risk personnel were initially not up to the tasks that this pandemic demanded,” says Mike Susong, Senior Vice President of Global Intelligence at Crisis24.

Collaboration and inclusivity can foster creativity, differing approaches to problems and ensure different employees, stakeholders and departments are heard. Many enterprises took a collaborative approach to pandemic response, bringing together key stakeholders and thought leaders. For example, an important element of Boeing’s pandemic response was the partnership between Chief Security Officer Dave Komendat’s S&FP team and Health Services, led by Dr. Laura Cain. By leading efforts together, the company was able to take a unified approach to the pandemic and employ coordinated responses as an organization.

At Georgetown University, Marc Barbiere, Director of the Office of Emergency Management, has been conducting pandemic-related tabletop exercises with important stakeholders brought in to be a part of the process, including representatives from the various campuses and schools, as well as public health subject matter experts (SMEs) and global experts. Involving stakeholders across the organization lends itself to idea sharing and more informed decision-making.

Karen Hardy, Ed.D, RIMS-CRMP-FED, Enterprise Risk Management Expert and Advisor at Strategic Leadership Advisors LLC, as well as the host of the Flip This Risk podcast, agrees that of critical importance to scenario planning and analysis is including multiple risks and multiple points of view. “They may not be on the same page, but all those teams must be in the same room when these discussions take place,” she says.

3. Intelligence

While intelligence continues to be critical for enterprises navigating the pandemic and other risks, data itself will not help. Organizations need well-informed analysts and experts to garner necessary insight on why the intelligence is important to the organization, as well as how the organization needs to respond to such intelligence.

Hardy says that risk management professionals can’t just stop at data collection. “We’ve learned that having access to data alone is not sufficient when managing uncertainty. The use of data and information to respond to the current risk and opportunity landscape must be followed by behavioral changes. There must be alignment with what leaders know and what they do. This involves assessing the organizational culture and making the appropriate adjustments to reflect that change,” she says.

One critical way that diversified healthcare company Sanofi responded to the pandemic was with a number of in-house dashboards and intelligence created and implemented by the company’s North American Security Operations & Technology team. During the height of the pandemic, the security team’s Global Security Operations Center produced and distributed hundreds of briefings related to COVID-19 to senior management and functional partners within North America for intelligence and decision-making.

However, a key component to intelligence, say many security leaders, is ensuring that the intelligence is relevant to your organization. “While we are keeping watch on global developments 24/7/365, we’re not in the business of reporting on items that don’t have an actual or potential concern for Baker Hughes,” Marie Schmidt, manager of Baker Hughes’s Global Intelligence & Travel Security Operations Center, told Security. “One of our primary goals is to filter through the noise to highlight the items that the company, our employees and travelers should be aware of. Sometimes the items getting the most media coverage do impact us, but many times they don’t. We let decision-makers and employees know when they should pay attention and put it in the perspective of ‘what it means for Baker Hughes,’” she says.

4. Focus

In addition to flexibility, collaboration and intelligence, an unrelenting focus has become increasingly important for organizations. With a shifting and heightened threat landscape and ever-changing geopolitical and social unrest issues, climate and natural disaster events, coupled with the ongoing pandemic, it’s never been more important for organizational leaders to keep their eyes on what is most important to the organization, particularly when it comes to action and response. And, it’s fair to say that organizational needs and focuses vary widely across sectors and individual agencies.

For the Pojoaque Valley School District in New Mexico, for example, the security team and administrators needed to focus on coordinating food and school supplies out to families that needed it at the beginning of the pandemic during shutdowns. In addition, they, just like so many other school leaders, needed to be there for students and staff for mental health, welfare checks and emotional support.  

Many global enterprises were focused on returning traveling employees and their families home safely, ensuring quarantined staff were taken care of and implementing safe travel practices, testing methods and more.

Higher education settings and other campus environments had to focus on shifting from traditionally open campuses to restricting and tracking access.

Many manufacturing enterprises, particularly those involved in medical or healthcare, along with critical supply distributors and retailers such as grocery stores, needed to focus on contract tracing, quarantining and tightening up shutdown and other response plan procedures to continue critical operations.

Regardless of the sector, one factor that remains critical to response across physical and cybersecurity risk management is preparation, say experts. “Today’s risks are more interconnected, unpredictable and lethal. As the pandemic laid bare, risk quickly spreads across geographies, populations and sectors, leaving few unscathed. This makes us all stakeholders in how risk is managed,” says Simpson of Resolute Strategic Services. “The message is clear to today’s government and business leaders that to effectively manage risk and build the resilient systems and networks of tomorrow, we must do so in a more cohesive and predictable manner. Indeed, we must develop strategies, policies, processes and capabilities — and then exercise all outside of crises.”

If you missed our coverage of Security’s COVID-19 Heroes, read about them here and dive deeper into how these organizations have navigated the COVID-19 pandemic, along with their lessons learned:

Boeing – National Football League (NFL) – Georgetown University – Pojoaque Valley School District – Associated Grocers of New England – Yale University – Broad Institute of MIT and Harvard – State Street Corporation – Sanofi – Armour College – ADM – El Centro Regional Medical Center – Boston Scientific – Cognizant – Dell Technologies