Christian Aboujaoude, CTO of Keck Medicine at USC, shares why many organizations are not yet achieving the ultimate level of governance and controls needed for remote work — and offers recommendations on the technologies and behaviors that security leaders must embrace to improve protection.

By Christian Aboujaoude, chief technology officer at Keck Medicine, USC

In the pre-pandemic days, security solutions could be more basic. Securing the perimeter could be likened to locking the door of your house. But with remote workers taking devices off premises and sometimes using their own, securing the workplace requires a new approach. Sophisticated threats come from every angle, and preparing a complete defense is vital.

We are in an environment of constant change and unexpected events. Just when many people began welcoming a post-pandemic world, cases started rising again, and the need to apply proper controls, governance, education, and tools for remote workers once more became top of mind for many cybersecurity leaders.

For CISOs and their teams, the challenge is to build a culture that facilitates the ability to adapt to change on an ongoing, continuous basis. This requires a new mindset in securing all users — remote users, in particular. It also means evolving your approach so that cybersecurity is no longer viewed by business management as a cost center, but rather as a means of competitive differentiation and innovation for the organization.

In my view, there are three critical aspects to changing the culture and mindset to adapt to current and future cybersecurity challenges, particularly as remote work becomes more deeply ingrained as a business requirement:

1. Education: Develop a deep understanding of every aspect of your organization and spend a lot of time and attention on education – for everyone, whether they are on your security teams, in your executive suite, front-line workers on-premises, remote workers, or anywhere else in your ecosystem.
2. Technology: Even in some larger organizations, basic technologies – such as multi-factor authentication or secure VPN – are not given the priority necessary to allow remote workers to operate in a more controlled environment. It is important to have the basics under control before adding innovations, such as Zero Trust.
3. Procedures and practices: It is vital to maintain a philosophy of ongoing education along with continuous evaluation of the technology your organization is using or, in some cases, not using. From a procedural perspective, you must understand everything in your environment. Once you understand it, you can assess and address its impact on your current risk and overall risk profile.

1. Leveraging education to secure remote workers

The reason education tops my list is that over 80% of cybersecurity events relate to people. Everyone needs to truly understand what cybersecurity is — and that it’s not just a password or two-factor authentication. Cybersecurity is an approach — a mechanism. It’s how you go about conducting work. Achieving a strong cybersecurity posture takes cultural change, behavioral change, and constant learning.

When users were largely on premises, most organizations could compensate for potentially dangerous behavior by having multiple controls to help protect them. However, when those same people go remote, there’s a bit of a loss of control and governance. There are technologies to help cover user behavior, but it is better when the behavior doesn’t exist in the first place.
This means that we must educate folks on cyber hygiene, making sure they understand that the steps they take at work may not be the steps they take when they are working remotely or from home. This is especially critical in this very open-ended environment, where a user’s device may be used by other people in the home.

2. Leveraging technology to secure remote workers

Strong foundations are also important from a technological perspective. You must make sure you have controls, processes, and governance for multi-factor authentication and secure VPN. It’s those things that pave the way for Zero Trust.

My best advice is to approach everything from the bottom up, understanding not just your inventory but every single behavior that takes place from a public-facing standpoint. This is especially important for remote workers. A good place to start is by asking yourself and your team key questions:

- Do we know what our environment actually contains?
- Are we aware of all the devices and services running in our environment?
- Do we have an inventory of all of our IoT devices?
- Do we understand the needs and potential risks of all of our users?
- Do we know the needs of each application and user based on key criteria such as performance, availability, resilience, data usage, and, of course, security?

Fundamentally, you need technology tools that can exist on your network and identify all connected devices. I’m talking about tools that are able to actually interrogate the network, understand packets, and capture specific metadata for each device to determine how it lives on the network.

3. Leveraging procedures and practices to secure remote workers

If you haven’t figured it out by now, I’m a huge stickler for inventory. From a process standpoint, you must understand your inventory: what it is, what it means, and why it matters — as well as its impact on your business and your security posture.
So, from a procedure standpoint, you need something in place that is able to identify what you have in your environment. Then you must relate and correlate that information to any situation, to the point where you can say about any device: “This device is connected to this application that lives here and does that.” From there, you can build a configuration management database (CMDB) approach to really understand your environment and have processes in place to integrate with your ITSM tool so you can execute the specific actions you need to take.

Maintaining ongoing processes also relates back to my first point: education. CISOs need to ensure training and education are continuing when people work from home or remote locations, and they need to have tests, controls, processes, and governance to continuously identify and correct non-malicious but potentially dangerous behavior. Quick-hit training without repetition is rarely effective.

My advice for CISOs and other cyber leaders

If I could leave CISOs and other cybersecurity leaders with a key takeaway from this article, it would be this: Every CISO should figure out how to balance the business operations of their organization with a security mindset that is not destructive to the business but is, in fact, built into the fabric of the business.

In order to do that, I urge all security professionals to take the time to understand as much as they can about the business in which they work. Note the emphasis on the business, not cybersecurity. Most security professionals know security exceptionally well. But if they don’t have an equally exceptional understanding of their business or organizational needs, they are potentially setting themselves — and their organizations — up for failure.

Whether you are the CISO or anyone on the security team, you need to be able to go to the people in any department and have detailed conversations with them related to their protection and their business needs.
It may start with something simple: “We saw that you have these devices. They are not in compliance with our security posture, and we need to take this action or we will be forced to put it offline.” Of course, the immediate reaction will be: “You can’t do that!” And the response is: “Yes, we know. That’s why we have to fix the problem.” A solution-focused and service-focused mindset is key.

The opportunity ahead

Remote work is here to stay. To make it successful, you have to make it secure. Cybersecurity leaders and their teams have an opportunity to make huge contributions to their organizations over the next few years by developing cyber-aware cultures that are both agile and responsive to the changing needs of their organizations.

By focusing on the fundamentals, CISOs can prepare themselves, their teams, and their organizations to be ready for whatever comes next. As we’ve learned all too well over the past few years, change is the only constant in cybersecurity. Be ready.

About the author: Security Roundtable author, Christian Aboujaoude, is the chief technology officer at Keck Medicine, USC.