[Posted on behalf of Gary Hayslip, CISO, Softbank Investment advisor]
I recently published on LinkedIn an article about the foundational elements of the CISO role that will not change as it rises to meet the challenges COVID-19 is placing on businesses today. Currently, many CISOs are working remotely and leading security programs while they assist IT teams who are supporting employees that have transitioned from an office environment to their home kitchen table. Couple that work with videoconference meetings, chat discussions, and full email boxes, and CISOs can see their careers evolving before their eyes as they talk with peers about an uncertain future.
Much of the debate has been about the impact of COVID-19 on their teams, their companies, and the cybersecurity community. It's these discussions that inspired me to write this article. I believe the following changes will not hit security executives in some post-COVID-19 future; they are already here and are affecting them in their current positions today. We, as a community, must embrace change now.
1. Working from Anywhere (WFA)
With companies shifting employees to remote work, many CISOs have had to rethink planned projects, update current policies, and reassess their security architectures. As one of those CISOs, I needed to accelerate several of my projects to integrate new technologies so I would have better visibility into how remote workers were accessing data. Going forward, many of us CISOs don't expect all of those remote workers to return, so are we ready for a significantly larger, long-term remote workforce? Are our security controls, policies, and incident response procedures prepared for incidents that happen outside the traditional network perimeter? Are we ready for blended security teams whose members could be anywhere in the world, and do we have the infrastructure to support that access securely?
2. Zero Trust as the Norm
With employees working from anywhere, zero trust becomes the standard businesses use to identify and authenticate employees and devices and to authorize access to services and data based on role, device health, and the sensitivity of what is being requested, regardless of which network the request comes from. It may not have felt as necessary when you had most of your employees on-premise. Still, now with almost all of your staff off-site, I think this is one of the best sets of security methodologies and supporting technologies CISOs can implement. I foresee it being a standard in the aftermath of COVID-19, with businesses taking advantage of hybrid remote work opportunities.
3. Bring Your Own Device (BYOD) . . . Maybe
With most of your employees working from anywhere, managing that corporate laptop poses some challenges. Even with the best remote access tools, if an organization is looking at remote employees for the long term, expect BYOD to be raised in staff meetings. There is a cost saving in not having to manage hardware and software; however, the costs shift to other requirements, such as access management that only grants personally owned devices access once they prove they meet a minimum security baseline (for example, disk encryption, current patches, and endpoint protection). Changing to BYOD will require changes to the IT and security infrastructures to keep corporate and personal data separate and will alter current policies and processes. Remember, savings in one area equals costs in another, so CISOs need to truly understand the value to the business and be able to tell that value story.
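Sections 2 and 3 both come down to the same access decision: every request is checked against who is asking, what device is asking, and what the resource requires, with deny as the default. The following is an added example written for this post in Python; it is not Gary Hayslip's code or any product's policy engine. The resource names, posture fields, role names, and sample requests are all constructed for illustration.

```python
"""Minimal zero-trust style access check (added example, illustrative only).

A request is allowed only if the user has MFA, holds the role the resource
requires, and the device (corporate or BYOD) meets the resource's minimum
posture. Anything unknown or unmet is denied. All names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool          # corporate-managed (True) or personally owned BYOD (False)
    disk_encrypted: bool
    patched: bool
    edr_running: bool      # endpoint detection/response agent present and running


@dataclass(frozen=True)
class Request:
    user: str
    mfa: bool
    roles: frozenset[str]
    device: Device
    resource: str


# Hypothetical per-resource policy: required role and minimum device posture.
# Posture levels, lowest to highest: noncompliant < compliant (BYOD meeting the
# baseline) < managed (corporate-owned and meeting the baseline).
RESOURCE_POLICY = {
    "hr-payroll": {"role": "hr", "min_posture": "managed"},
    "source-repo": {"role": "engineering", "min_posture": "compliant"},
    "wiki": {"role": "staff", "min_posture": "noncompliant"},
}

POSTURE_RANK = {"noncompliant": 0, "compliant": 1, "managed": 2}


def device_posture(d: Device) -> str:
    """Classify a device; a managed device that fails the baseline is still noncompliant."""
    baseline = d.disk_encrypted and d.patched and d.edr_running
    if d.managed and baseline:
        return "managed"
    if baseline:
        return "compliant"
    return "noncompliant"


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the default is deny."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not req.mfa:
        return False, "MFA required"
    if policy["role"] not in req.roles:
        return False, f"role {policy['role']} required"
    posture = device_posture(req.device)
    if POSTURE_RANK[posture] < POSTURE_RANK[policy["min_posture"]]:
        return False, f"device posture {posture} below {policy['min_posture']}"
    return True, "allowed"


# Constructed sample requests: a compliant BYOD laptop, an unpatched corporate
# laptop, and a request for a resource the policy does not know about.
BYOD_OK = Device(managed=False, disk_encrypted=True, patched=True, edr_running=True)
CORP_UNPATCHED = Device(managed=True, disk_encrypted=True, patched=False, edr_running=True)

SAMPLE_REQUESTS = [
    Request("alice", True, frozenset({"staff", "engineering"}), BYOD_OK, "source-repo"),
    Request("alice", True, frozenset({"staff", "engineering"}), BYOD_OK, "hr-payroll"),
    Request("bob", True, frozenset({"staff", "hr"}), CORP_UNPATCHED, "hr-payroll"),
    Request("bob", False, frozenset({"staff", "hr"}), CORP_UNPATCHED, "wiki"),
    Request("carol", True, frozenset({"staff"}), BYOD_OK, "finance-ledger"),
]


def run_samples() -> list[tuple[str, str, bool, str]]:
    """Evaluate the constructed requests and return (user, resource, allowed, reason)."""
    return [(r.user, r.resource, *evaluate(r)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for user, resource, allowed, reason in run_samples():
        print(f"{user:6} {resource:15} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point the example makes about BYOD is that a personally owned device is not simply trusted or untrusted: it is evaluated against a baseline on every request, and a corporate laptop that has fallen behind on patches is treated no better than an unknown one.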
4. Tighter Partnership with the CIO And IT teams
Many CISOs right now find themselves working closely with their CIOs, and both IT and Security teams are working together to manage their business's remote work efforts. They are tasked not only with developing an integrated plan that allows their companies to operate with remote workers and social distancing, but also with evaluating technologies that provide many of the same services their employees had when they were on-premise. I expect this close integration will continue as security and IT stacks become even more aligned to support business operations, and yes, CISOs will continue to work closely with CIOs.
5. VPN By Default
Virtual private network (VPN) connections weren't always seen as the standard except for remotely accessing critical infrastructure, sensitive servers, or business applications. Now, with employees and security teams spread all over the planet working in less-than-secure environments, many of us expect VPN to be the norm for all remote working connections. It would not surprise many of us to see it offered as a service by SaaS providers for remote workers and employees who no longer work in their organizations' offices. Of course, if the VPN service is provided, I sincerely hope it gives me control over the tunneling policy (full tunnel or split tunnel, since split tunneling routes non-corporate traffic outside the tunnel and needs to be a deliberate choice) and a bring-your-own-key (BYOK) option so I can manage the encryption keys protecting my employees' traffic, and that it is offered on a variety of platforms.
6. Corporate Perimeters And Home Networks
The perimeter CISOs were tasked to help manage pre-COVID is now in employees' living rooms. Are the corporate security strategy and supporting technology stack ready for these types of disparate network connections? If it's a BYOD environment, new tools and processes may be required. If it's a corporate-managed endpoint, a different response may be necessary. What if it's now a hybrid environment as in a mix of corporate endpoints and BYOD devices? As the CISO, are you ready for this challenge? Is your incident response team? Are you doing breach and attack simulation to test your assumptions, your controls, and your new norm?
7. Shifting Picture Of Technical Business Risk
As technology and security teams embrace more cloud services to manage their business requirements during COVID, the decisions made by CISOs and CIOs carry risks that corporations need to review, understand, and maintain. Data may now reside in different countries and data centers than it did just six months ago, which can bring it under different privacy and data-residency laws. There may be new incident reporting obligations that are not reflected in current business continuity and incident response plans. The business, CIOs, and CISOs all need to understand what new risks have been assumed during this pandemic, and budget needs to be allocated to manage these risks accordingly.
8. The Importance Of Third-Party Cyber Hygiene
This last change companies are facing is the result of trusted suppliers going out of business during this pandemic or scaling back their capacity to support customers. These disruptions have affected business operations across the globe and have resulted in many CISOs being tasked to help their organizations assess new vendors, technologies, and services. This upheaval is not diminishing any time soon, and it drives home the importance of having a mature process that involves the CISO in quickly evaluating vendors and the risk exposures they could bring to the business.