Its hard to imagine a worse time for an essential enterprise application to go down than during the height of the COVID Omicron variant surge in December 2021 when we were already experiencing critical staffing shortages that threatened our city’s ability to maintain our mission essential functions. Yet, that’s exactly what happened. Kronos, one of the most utilized time and attendance tracking applications nationwide, went down and the City and County of Denver, like many other governments, scrambled to implement alternative time and attendance tracking processes to keep our 12,000+ city employees paid.
Fast forward six months. While we are still managing through the fallout of the nationwide Kronos outage, a light has been shown on one of the side-effects of the COVID induced move toward virtual operations and remote work over the past two years. We are putting all of our essential business process eggs into a single, cloud-based, cyber basket. We’re creating a single point of failure.
Even with increased emphasis on cybersecurity, risk assessments, and IT disaster recovery plans in government, the reality is that very few state or local governments have the resources and capabilities necessary to protect their systems from a truly capable and determined cyber predator. They can get to us if they are really determined, and we know it. We just do what we can to prevent cybercrimes of opportunity and minimize risk.
By investing in a robust continuity program, we ensure that we focus not just on the technology that supports our critical business processes, but on performing the essential functions and services of government itself
Now, with more critical applications and data storage moving to cloud-based service providers, we don’t even directly control our ability to fully protect our data and business processes. We are at the mercy of the many vendors we entrust to manage these applications and store this critical data for us. Making matters more difficult, cyber insurance is becoming cost prohibitive and difficult to obtain for many government organizations, particularly the small ones. And, even if we do have the resources to procure cyber insurance, that won’t help much when third party applications are taken down. In short, we can’t build a wall big enough to keep them out and need a more complimentary approach.
That approach is to go back to the future with continuity planning.
Continuity planning has evolved over the past several decades from something that was rather unique to the private sector looking to protect profit streams to the days of Y2K planning to today’s cyber-centric operating environment. But the purpose remains the same – maintain our mission essential functions and services so we can continue to serve our communities.
By complementing our IT cybersecurity, network hardening, and disaster recovery efforts with old fashioned continuity planning, we build resiliency and redundancy through manual backup processes, paper forms, spreadsheets, and other 20th century methods for performing our essential functions and services as governments.
Should we go back to using pen and paper for our regular day-to-day operations? Of course not. But to not recognize that the pipeline to those cloud-based services may not always be intact or the applications available when we need them is to lose sight of the mission of government. By investing in a robust continuity program, we ensure that we focus not just on the technology that supports our critical business processes, but on performing the essential functions and services of government itself. Even if that means doing it temporarily in a decidedly last century, back-to-basics manner.
