The pre-COVID-19 CISO. The global COVID-19 pandemic has been a tumultuous time for Chief Information Security Officers (CISOs), who on any given day already have a long and complicated list of responsibilities. CISOs are no strangers to disruption and challenges, but the pandemic has caused many disruptions of its own and created a wealth of new challenges.
Securing a rapid transition to a remote workforce. COVID-19 accelerated the shift to remote working globally and, while the opportunity to work from anywhere has been welcomed by many, it has presented multiple security challenges. The most immediate challenge arose as employees suddenly found themselves in a remote working model: CISOs had to adjust quickly and determine how to establish secure connections for a workforce that was now working from home, often on devices that had never been part of the corporate domain before. In my organisation we had the best-case scenario: to ensure business continuity, employees had previously been transitioned to company-issued devices that were already managed by the security organisation.
An explosion of cyber risks and a complicated and constantly changing threat landscape. The initial challenge is that, from a threat actor's perspective, a remote working model is a perfect storm of opportunity: employees working remotely, isolated in their homes, on potentially unsecured devices and networks.
A collateral effect of the rapid expansion of remote working has been a rise in cyberattacks aimed at the remote workforce. Aside from having to rely on home Wi-Fi or other networks that lack the protections available in a workplace setting, employees working remotely may forget or ignore Security 101 basics, such as failing to use the virtual private network (VPN) or signing in to work accounts on shared family devices.
Threat actors have adapted their attack approaches during the ongoing pandemic, and attacks against organisations have skyrocketed, often by compromising employees working remotely. These approaches include COVID-19-themed phishing and online scams; disinformation and misinformation campaigns; disruptive malware, including ransomware; data-harvesting malware; malicious domains and weaponised websites; and social engineering. While the types of attack may not be new, their volume has made them difficult to monitor and address in a timely manner, especially for a security workforce that is already stretched thin.
In an effort to prevent such attacks in my organisation, controls have been implemented to mitigate the risk when an employee receives an email from an external source that contains a link. When employees click on the link, they do not immediately get the page in their browser or on their device; it is first isolated and vetted in a "vetting zone." However, technology by itself isn't enough to solve the problem, because all it takes is one employee who falls victim to a combination of social engineering and technical attacks to inadvertently expose the organisation.
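The link-isolation control described above can be illustrated with a small worked example. The Python below is added here and is not the author's organisation's tooling: it rewrites the external links in an inbound HTML email so that a click first lands on an isolation gateway, which can then fetch and vet the real page before releasing it to the user, while links to internal domains are left untouched and mail from internal senders is not rewritten. The gateway host (vet.corp.example), the internal domain list, the "u" query parameter and the sample message are all assumptions constructed for the example.

```python
"""Rewrite external links in inbound email so that a click lands on an
isolation gateway ("vetting zone") first instead of on the destination.

Added illustration only. The gateway URL, internal domains, query parameter
name and the sample message below are assumptions, not the author's setup.
"""
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Assumed: domains whose links are trusted and left untouched.
INTERNAL_DOMAINS = {"corp.example"}
# Assumed: isolation gateway that fetches and vets the real page.
GATEWAY = "https://vet.corp.example/open"

# Matches http(s) hrefs in an HTML body; group 1 is the quote, group 2 the URL.
HREF_RE = re.compile(r'href=(["\'])(https?://[^"\']+)\1', re.IGNORECASE)


def is_internal_host(host: str) -> bool:
    """True for an internal domain or any of its subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def wrap(url: str) -> str:
    """Encode the real destination into a gateway URL. URL-safe base64 keeps
    the original intact without relying on a server-side lookup table."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return f"{GATEWAY}?u={token}"


def unwrap(wrapped: str) -> str:
    """Inverse of wrap(): what the gateway does before fetching the page."""
    token = parse_qs(urlparse(wrapped).query)["u"][0]
    token += "=" * (-len(token) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(token).decode()


def rewrite_html(html: str) -> tuple[str, int]:
    """Rewrite every external href; return (new_html, links_rewritten).
    The gateway host is itself internal, so running this twice is a no-op."""
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        quote, url = m.group(1), m.group(2)
        if is_internal_host(urlparse(url).hostname or ""):
            return m.group(0)
        count += 1
        return f"href={quote}{wrap(url)}{quote}"

    return HREF_RE.sub(repl, html), count


def process_message(raw: str) -> tuple[str, int]:
    """Apply the control only to mail from an external sender, as the text
    describes. Returns the (possibly rewritten) HTML body and a count."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_payload()
    if is_internal_host(sender_domain):
        return body, 0
    return rewrite_html(body)


# Constructed sample: a COVID-19 themed lure with one external and one
# internal link, of the kind described in the text.
SAMPLE_EMAIL = "\n".join([
    'From: "Payroll" <noreply@payroll-update.example>',
    "To: staff@corp.example",
    "Subject: COVID-19 payroll update",
    "Content-Type: text/html",
    "",
    '<p>Please <a href="http://payroll-update.example/login">confirm your '
    "details</a> or visit the <a href='https://intranet.corp.example/hr'>"
    "HR portal</a>.</p>",
])

if __name__ == "__main__":
    html, n = process_message(SAMPLE_EMAIL)
    print(f"{n} external link(s) routed through the vetting zone")
    print(html)
```

Two points a practitioner would check: the rewrite is idempotent, because the gateway's own host is treated as internal, so mail that is forwarded internally is not double-wrapped; and the rewrite only covers hrefs in the HTML body, so plain-text bodies, attachments and links rendered as images or QR codes still have to be handled elsewhere, which is the sense in which the technology alone is not enough.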
Budget and resource constraints. While cyber challenges cannot be addressed merely by throwing money or other resources at them, the severe contractions suffered by so many businesses have resulted, and will likely continue to result, in ongoing budget and resource constraints. Despite the recognition that cybersecurity is a priority, scarcity of funds and other resources may inevitably lead to fewer dollars and people being committed to cybersecurity, aggravating the challenges faced by an already stretched workforce.
Focus on work-life balance, empathy, and emotional intelligence. The challenge was that at the start of the pandemic, CISOs and their security organisations went into firefighting mode, as we do all the time in security. Sustaining that cadence for so long, the CISO and the security organisation can feel the stress of being overworked with no end in sight.
As a CISO, I found myself and the security organisation fortunate to have done a good job planning for the unexpected as part of cyber resiliency. One of my key successes during the pandemic was alleviating the increased workload on my security teams by offering perks and incentives to boost morale. Some of these perks and incentives were: awarding a "you day", where an employee was given the day off with pay; allowing certain employees, naturally under COVID-19 safety precautions, to come back to the office for mental health reasons; engaging HR to coordinate sending employees a box full of goodies to show appreciation and, for those with children at home, a box full of things for the kids to do; regulating the number of hours any specific employee could work beyond the normal day; and thinking outside the box about how we keep our people connected, healthy, and motivated when we are such a connected company by nature.
Opportunities and positives for the security industry. According to the latest Information Security Maturity Report from ClubCISO, of which I am a member, 88% of security executives said their existing security infrastructure has held up well during the pandemic. That is very positive should a global cyberattack occur with characteristics similar to those of the COVID-19 pandemic.
Despite the array of extraordinary challenges CISOs have dealt with during the pandemic, there have been several positive impacts on the security and cyber industry: elevated awareness of security and of how cyber affects many aspects of a business; greater attention to security issues and the consequent spending on addressing them; improved defence of systems against attacks; better handling of cyber incidents; and, through the shift to remote working, improved work-life balance.
Another key positive is the increase in innovation and development. COVID-19 continues to be a major market disruptor that has led to unprecedented levels of innovation. Due to the lockdown, many companies have had to undergo rapid digitalisation and reinvent themselves with a new 'business as unusual' strategy. Some companies are using this wave of innovation to reimagine their business model, or to change or grow their market by taking technologies or services to market in record time, with accelerated product development encouraged by new working practices and processes.
A new era for cybersecurity. The pandemic has ushered in a new era of cybersecurity. IT security professionals who raise their game and protect their companies' people, technology and data from the new or heightened risks posed by more sophisticated cybercriminals will be crucial players in the economic turnaround.
The pandemic has given the CISO role and the security industry an opportunity to redefine their role and value proposition. Security technology is no longer seen solely as a set of devices used to keep people and property safe; it is finally becoming a strategic tool to help improve business operations. AI-based security solutions and cameras are now able to go beyond security to capture valuable marketing and sales transaction data, analysing customer patterns and behaviour. By leveraging business and operational intelligence data that can pay for itself and directly affect the profitability of the organisation, the security industry is on the cusp of morphing from a tactical application into a truly strategic, enterprise-shaping role.
Conclusion. The pandemic has brought unprecedented challenges to CISOs and the security industry. It has also presented a wealth of new opportunities for the CISO role and the industry. Both trends are likely to continue, and there remains a lot of speculation about what happens after the pandemic, as it takes from the security market with one hand while giving back with the other. Fortunately, the security industry continues to be in better shape than many others as the pandemic evolves and plays out.