As the weather warms up across Australia, summer starts to remind us of simpler time in a pre-COVID era when we were only worried about the massive bushfires. Although some are still looking forward to life getting back to normal, within the technology industry we are keenly aware and familiar with the “new normal”. Most medical experts are agreed that the great hope of an effective COVID-19 vaccine is a multi-year process and that prudence and logistics mean it will be distributed slowly. While we hope a vaccine will provide a significant reduction in the risks posed by the virus, it will not be a panacea that eliminates COVID-19 from our lives overnight. So the many work place changes that have been facilitated by digital transformations and technologies will remain part of our world and people will not be falling straight back into old habits and practices.
As we focus on revising our technology strategies and roadmaps, it is useful to understand the lessons from the crisis and adjust our approach to support the future.
An Unplanned Environment
Most organisations had only considered the local implications of the “Pandemic Response” heading in their DR template and typically assumed they needed to cover only a short period. Although it seems obvious today, the idea that a pandemic by definition is global, and would last for an extended period was difficult to fully appreciate. Mandatory nationwide stay at home lockdowns, enforced quarantine, state boarder closures, international supply chain problems, curfews and even the concept of stopping international travel were difficult to consider in scenario planning prior to 2020 but will obviously feature heavily in the future.
Many carefully developed security plans and policies were not ready for the CEO to say “just open it up, we have no option other than make it work”. It is no real secret that tens of thousands of businesses all around Australia threw the rule book out the window to make things work during lockdown. The major concern is how few have effectively remediated those security holes since then. It often seems that the past lessons, such as from NAB have not been internalised well enough across all levels of IT departments. The Board and CEO “need to know” about cybersecurity issues and risks must be explicitly catalogued and reported. IT leaders also need to make sure that they are actively identifying and raising risks even when they don’t have a solution or the resources to comprehensively deal with them.
Information Security is rapidly becoming the number one avoidable cause of business ending events. Cyber-criminal syndicates have proved again how digitally agile they are with some very effective Ransomware as a Service with Profit Share (RWaaS-PS) campaigns targeting disgruntled and financially distressed workers with elevated security privileges given to avoid difficulties during work-from-home (WFH). This, along with the traditional “executive (CEO/CFO) authorised funds transfers” scam now using a combined forged email and deep-fake voice mail has been devastatingly effective in some areas during lockdown.
As the weather warms up across Australia, summer starts to remind us of simpler time in a pre-COVID era when we were only worried about the massive bushfires. Although some are still looking forward to life getting back to normal, within the technology industry we are keenly aware and familiar with the “new normal”. Most medical experts are agreed that the great hope of an effective COVID-19 vaccine is a multi-year process and that prudence and logistics mean it will be distributed slowly. While we hope a vaccine will provide a significant reduction in the risks posed by the virus, it will not be a panacea that eliminates COVID-19 from our lives overnight. So the many work place changes that have been facilitated by digital transformations and technologies will remain part of our world and people will not be falling straight back into old habits and practices.
As we focus on revising our technology strategies and roadmaps, it is useful to understand the lessons from the crisis and adjust our approach to support the future.
An Unplanned Environment
Most organisations had only considered the local implications of the “Pandemic Response” heading in their DR template and typically assumed they needed to cover only a short period. Although it seems obvious today, the idea that a pandemic by definition is global, and would last for an extended period was difficult to fully appreciate. Mandatory nationwide stay at home lockdowns, enforced quarantine, state boarder closures, international supply chain problems, curfews and even the concept of stopping international travel were difficult to consider in scenario planning prior to 2020 but will obviously feature heavily in the future.
Many carefully developed security plans and policies were not ready for the CEO to say “just open it up, we have no option other than make it work”. It is no real secret that tens of thousands of businesses all around Australia threw the rule book out the window to make things work during lockdown. The major concern is how few have effectively remediated those security holes since then. It often seems that the past lessons, such as from NAB have not been internalised well enough across all levels of IT departments. The Board and CEO “need to know” about cybersecurity issues and risks must be explicitly catalogued and reported. IT leaders also need to make sure that they are actively identifying and raising risks even when they don’t have a solution or the resources to comprehensively deal with them.
Information Security is rapidly becoming the number one avoidable cause of business ending events. Cyber-criminal syndicates have proved again how digitally agile they are with some very effective Ransomware as a Service with Profit Share (RWaaS-PS) campaigns targeting disgruntled and financially distressed workers with elevated security privileges given to avoid difficulties during work-from-home (WFH). This, along with the traditional “executive (CEO/CFO) authorised funds transfers” scam now using a combined forged email and deep-fake voice mail has been devastatingly effective in some areas during lockdown.
Sustainable Workplaces
We have also surprisingly noticed that users are much more adaptable that we previously gave them credit, whether it was the Queen having her first Zoom call, or Grandma having a telehealth consult with her GP and having a digital prescription filled. Technology has been an enabler across the community and our users have never been more receptive to digital change. Legal departments that had provided nothing but problems with digital signature projects waved them through with encouraging comments, and “do nothing different Mary” from accounts became a digital champion explaining to others how to change video meeting virtual backgrounds. Often the IT crew have developed a level of goodwill in the business for enablement that can be exploited to deliver permanent productivity gain. This unfortunately has often been in stark contrast to the lack of credibility that IT leadership has enjoyed within the broader executive team, as planning and capability failures have been multiplied by large expectation gaps. The crisis often proved how well IT can be reactive, but similarly proved in many cases how they lack effective pro-active management discipline and planning skills.
Some organization are formalizing a “work from anywhere” future, with others focused on returning to the office (RTO). We expect that especially for CBD-based knowledge workers, mandated office-based work will face strong headwinds, with workers demanding to maintain much of the flexibility afforded to them during the crisis. Our recommendation is that IT anticipate hybrid environments, with between 40 and 60% of hours worked from home becoming the norm in many organizations.
Although the move from office to WFH was hard, the move from WFH to the new normal hybrid WFH&O is more complex, as it need to deal with both environments in a permanent manner. While an incremental improvement in capability post-migration to WFH was acceptable, RTO needs to be fully functional on day 1. Similarly, where we cut corners to rapidly build capability for WFH due to everything being temporary and mandatory, these compromises are not acceptable when they are more permanent and not being externally forced. Where we may have got away with taking our office monitor home and balancing it on the ironing board as a temporary WFH solution, we cannot expect workers to carry equipment back and forward in a hybrid scenario. OH&S concerns might have been largely ignored during the health crisis due to the required rapid response but ironing board based workplace design won’t cut it any longer. During work from home, rostering or time and attendance systems were often not a focus but moving forward requires permanent solutions.
Anecdotal evidence on worker productivity during lockdown is very mixed; some reported significant gains driven by the use of commute hours for additional work, while others saw burnout issues caused by perceived 7*24 availability. Some organisations found that online meetings were more focussed while others reported that more detailed analysis was lost. IT leaders need to be cognisant that technology is the enabler of productivity and not the driver, partnering with the rest of the business to find out what is the priority and delivering that that should be the focus.
There is no doubt in my mind that the “free pass” afforded by users with regards to performance, functionality and reliability issues during the early stage of the crisis will evaporate completely, and we will be left with a permanent requirement to deliver appropriate service levels in a non-deterministic environment.
The Network is Everything
The undoubted hero of the crisis has been the Internet, fortuitously in the year that the NBN build “completed” and delivered an effective and usable broadband speed to the vast majority of metropolitan Australians, we have relied on home internet connections like never before. However, network engineering teams across the country are likely to exit the year with much less hair than they started it with, and with a number of learnings and adjusted priorities for the years ahead.
Carrier choice matters: While the rapid lock down and WFH transition was occurring, carriers saw network traffic patterns change enormously with peak evening demand and business hours peaks hitting record levels on a daily basis. One of the top four carriers decided that the appropriate response to the massive traffic growth was a network change embargo, cementing congestion and packet loss for the duration of the lockdown! Whether it is the internet into head office, mobile 4G/5G internet hotspots from your phone, or the NBN connection to the users home – the ability to compare bandwidth quality of a best-efforts service such as the internet is incredibly difficult but vitally important, and unfortunately price is often not a good measure of quality.
Consumer-grade is not business-grade; NBN upgrades and outages that were timed to avoid the Netflix peaks hit WFH users during their business day. Unplanned outages on consumer services can last 3 days, and consumer routers that fail over to 4G modems are not seamless, often causing an ongoing string of 5 minute outages as they fade in and out of service based around a very simplistic view of network availability. A deliberate effort by IT to design solutions for these issues proved highly effective for organisations that had the capability.
Traditional network SLA’s focused on MPLS grade networks are meaningless when staff are working from home. Many organisations were already transitioning towards SD-WAN or SASE architectures, however the crisis has prioritised and expedited the requirements for significant network transformation projects. Rather than relying on the crutch of supposably “reliable network links” we must architect solutions that provide the performance and reliability needed using best effort grade network links. This is possible, however it requires a diligent and informed planning approach to a significant network transformation program.
Resilient People
Organisations were often able to identify the critical IT resources during the early crisis response. When they saw that one or two IT staff seemed to be the centre of everything, they celebrated their dedication and heroics when 18-hour days were stacked end to end. However, we should examine our teams’ operational balance and knowledge distribution to identify resource choke points and single points of failure to plan for more sustainable and resilient operations in the future.
Training has never been so important – new processes and new technology requires new skills – and while team-based self-support models have often worked well through the crisis period, they have worked better when IT has effectively communicated and deliberately cascaded knowledge. We should be ensuring that we look at what worked, and what can be improved so that support models in the future can improve and embed new skills across the organisation. IT deskside support (physical presence) has been a reducing trend over recent years, however organisations that retained this capability to a limited degree were much better placed during the transition to WFH. The logistics of supporting an extensive work from home capability in a permanent form will require further consideration for many organisations. We recommend that HR be involved in these discussions to ensure technical and human requirements are balanced and expectations managed.
Future Vision
Some IT leaders and CIOs are taking the view that their “IT strategy is so well thought through that it doesn’t need to change” as its already focused on the flexibility and future architecture principles required. However this appears in most instances to be naïve; we believe it is fanciful to ignore the significant changes that have occurred in the business environment. Although it’s possible that the technology vision is still appropriate, the priority and velocity of the initiatives to get there will almost certainly have to be adjusted to support the business. Assumptions should be reviewed and priorities and velocity recast to deliver within the revised resource and capital envelope available. Whether due to the governments depreciation stimulus or simple business imperative, this may be an increased velocity of delivery for initiatives supporting cost savings or revenue generation.
Conclusion
2020 is the inflection year for many technology departments. Everyone should revisit strategy plans and many will need to rapidly review security risk and network transformation programs. Technology departments will be entering 2021 with a broader appreciation of the critical role they play. IT successfully rising to the challenge of unexpected business requirements and changed expectations with considered strategic plans and deliberate responses will be a determining factor in their organisations’ overall success. It is simply not an option to wait and see what happens and unfortunately some technology leaders will not be able to meet this challenge. Technology disruption next year is unlikely to be any less than in 2020, however we can all work toward ensuring that it is more planned and deliberate.