I recently interviewed several CSOs and CISOs from the financial services, tech, healthcare, media and other industries to see how they were managing through these turbulent times. Below are the questions I asked them and a summary of their collective wisdom and best practices. While I would love to give these experts all the credit they deserve, all of them spoke on the condition that neither they nor their organizations be identified publicly.
What is your greatest security concern right now?
The collective response to this question is that security executives are most worried about the increase in phishing campaigns and fraud, especially with distracted employees who aren’t as diligent with security hygiene while working from home. As one executive stated, “My greatest concern right now is social engineering resulting from cyberattacks on people wherever they are. High stress means reduced cognitive functions, so attackers may find it easier to do social engineering, which opens the door to everything else.”
Other major concerns include mitigating the impact of an increased attack surface and the need to enhance remote access controls to make certain organizational security levels are met despite a large majority of employees working remotely. For example, one executive further explained that she was most focused on mitigating the impact of this increased attack surface, particularly enhancing remote access controls such that the organization would be secure even if 100% of the employees were now remote. Enhancements to firewall, NAC, DLP and other solutions were required. Vendor risk also was a much greater concern for this executive, with third parties potentially now more vulnerable.
What have you done differently since the outbreak began?
One CISO summed it up best, “We’ve been in execution mode. Crisis management and resiliency execution versus planning.”
It is clear that for these executives, the first necessary step in this tactical mode has been communication; in fact, many CISOs and security teams have communicated to their constituents more in the past one and a half months than they have perhaps ever done previously. One executive stated, “We have communicated best practices for securing EVERYTHING from corporate collaboration apps to Zoom for the kids’ schoolwork to securing home networks. My communications to help executives and Board members maintain confidence and employees adapt to new conditions have exceeded all my communications plans from last year. There is still much more to come.”
Beyond the ongoing critical communication process, enabling and securing a 100 percent remote workforce has been job one for these executives. This is a big difference from the way that most organizations were operating on March 1st. Now VPNs and remote desktops are required, along with a workflow change for employees more familiar with on-prem work at desktop workstations.
If you have furloughed employees, how are you managing their security access?
While most of the executives have not had to deal with furloughs yet, there was recognition that when confronted with these unfortunate situations, the employees would have to have both their physical and logical access terminated. A furloughed employee would be treated exactly like a terminated employee, until they returned to work.
As one CISO mentioned, “The patchwork approach to onboarding and offboarding employees across our company puts us at risk of lingering access for terminated employees or contractors. We’re actively at work on an automated solution. This is a concern that predates COVID.”
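The two points above, treating a furloughed worker exactly like a terminated one and replacing a patchwork offboarding process with an automated check, can be reduced to a reconciliation between the HR record and each access system. The following is an added example written for this article, not code from any of the interviewed organizations; the HR, directory and badge exports are constructed sample data, and the worker ids and field names are assumptions.

```python
"""Reconcile HR employment status against access systems to catch lingering access.

Constructed example (not from the article): an HR export marks each worker as
active, furloughed or terminated; a directory export and a badge-system export
record whether each worker's logical account and physical badge are enabled.
Any worker who is not active but still holds an enabled account or badge is a
finding, paired with the disable action the text calls for.
"""
from dataclasses import dataclass

# Constructed sample HR export: worker id -> employment status.
HR_STATUS = {
    "w001": "active",
    "w002": "furloughed",
    "w003": "terminated",
    "w004": "furloughed",
    "w005": "active",
}

# Constructed directory export: worker id -> logical account enabled?
DIRECTORY_ENABLED = {"w001": True, "w002": True, "w003": False, "w004": False, "w005": True}

# Constructed badge-system export: worker id -> physical badge active?
# "w006" has a live badge but no HR record at all (an orphaned credential).
BADGE_ACTIVE = {"w001": True, "w002": True, "w003": True, "w004": False, "w005": True, "w006": True}


@dataclass(frozen=True)
class Finding:
    worker_id: str
    status: str   # HR status, or "unknown" when the worker is absent from HR
    system: str   # "directory" or "badge"
    action: str   # "disable_account" or "deactivate_badge"


def find_lingering_access(hr_status, directory_enabled, badge_active):
    """Return one Finding per enabled credential held by a non-active worker.

    Workers present in an access system but absent from the HR export are also
    flagged: a credential with no owner of record is treated as lingering.
    Furloughed and terminated workers are handled identically, as the text says.
    """
    findings = []
    all_ids = set(hr_status) | set(directory_enabled) | set(badge_active)
    for wid in sorted(all_ids):
        status = hr_status.get(wid, "unknown")
        if status == "active":
            continue
        if directory_enabled.get(wid, False):
            findings.append(Finding(wid, status, "directory", "disable_account"))
        if badge_active.get(wid, False):
            findings.append(Finding(wid, status, "badge", "deactivate_badge"))
    return findings


def summarize(findings):
    """Count findings per access system, for a one-line status report."""
    counts = {"directory": 0, "badge": 0}
    for f in findings:
        counts[f.system] += 1
    return counts


if __name__ == "__main__":
    results = find_lingering_access(HR_STATUS, DIRECTORY_ENABLED, BADGE_ACTIVE)
    for f in results:
        print(f"{f.worker_id}: {f.status} worker still enabled in {f.system} -> {f.action}")
    print(summarize(results))
```

Run on the sample data, the reconciliation flags the furloughed worker who still has both an account and a badge, the terminated worker whose badge was never pulled, and the badge with no HR owner; the furloughed worker whose access was correctly removed produces nothing. In practice the three dictionaries would be fed from the HR system, the directory and the badge controller on a schedule, and the findings would drive the disable actions rather than just a report.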
Are you coordinating with other security leaders in the industry?
Most of the executives had discussed the current situation with their peers, other executives, strategic vendors, government interfaces and other experts. However, a small number had only spoken to others in their own organization, without leveraging the insights of their external peers. Frankly, I’m surprised that less than one hundred percent of CISOs and CSOs have leveraged the insights of their external peers.
How will the pandemic change what you do moving forward?
Most organizations have realized that WFH can maintain an acceptable level of productivity and expect it will become more commonplace as we navigate past the initial COVID-19 crisis. However, there was disagreement on the level of productivity. While many claimed there was little to no impact, one executive stated, “the pandemic requires me to assume that people can do less because they are stressed, distracted or delivering unplanned work. We will not plan for resources to operate at 100 percent utilization as we all have families, personal health and other things to manage through during these times.”
Post-pandemic, there will be a continued focus on providing secure remote access to a large percentage of workers. One CISO commented that remote workers could be their largest employee population even after the virus threat is over. As part of this longer-term trend, executives will need to invest in new access and security platforms to allow their employees to be as productive and secure at home as in the office.
Once some employees do begin returning to the office, CSOs believe that there will need to be new technology-based solutions to monitor and manage social distancing, disinfection processes and elevator access. There may be opportunities for new companies to take advantage of this evolving market dynamic.
Do you have any advice or lessons learned that may not be obvious to your peer group at this time?
A couple of interesting bits of wisdom that were shared:
- No company should have their critical data stored in their own facility – it should not house the finance system, the email server, the corporate file system or the HR platform.
- Workers should be able to choose their work environment, whether the office or remote.
- The office should be simply thought of as “a place with Internet access where people can gather in person.” And while many workers may choose the office as their work environment, going forward it should not be out of necessity.
- Find ways to take care of yourself so you can be a better help to others. This is more important than ever. As one executive elegantly stated, “Managing your energy to serve others has always been key, but now it is more important than ever.” These are words to live by.
Is there any product or service that given the new normal you wish you had bought or are in the process of purchasing?
Most of the CISOs felt that while they have the right tools in place, there is a need for enhanced or expanded secure edge products or solutions. As one CISO stated, “Large numbers of our employees spend their day on tower machines in the office. Of the many options available for facilitating WFH for that crowd — working from their personal machines is not viable. It represents too much risk in terms of data loss and potential lateral attacks. Company-purchased, imaged, secured, configured workstations (laptops) are vastly preferable. Having a ready supply and a reliable supplier is essential in a world where the supply chain is crumbling.”
Another consideration is MDM (mobile device management) needs, as well as better remote-control capabilities for on-prem solutions that have yet to migrate to the cloud. The executives who are already leveraging more cloud-based solutions felt they had less work to do going forward than their peers.
The world has changed considerably in the past two months, and the security landscape has shifted accordingly. CISOs recognize that many new solutions and processes need to be adopted to securely operate in this new environment. Fortunately, the conversations I had with these industry leaders make me feel much more confident that our financial systems, tech industry, healthcare providers and other industries can meet the current challenges and adapt to those that are yet to come.