CISO Stories: Part One


Part one of Nadine Michaelides’ CISO Stories series tells the tale of a CISO working in the chemical industry

Katherine previously worked in financial services for the UK’s leading specialist warranty provider but has recently moved to the chemical industry as Chief Information Security Officer (CISO).

This is her perspective on how it has been as a senior IT professional throughout perhaps one of the biggest technology drives the world has ever seen. All of a sudden, technology became top priority, had the biggest budget and turned up on the executive agenda.

As many organizations all around the world shifted their entire workforce into mini satellites (their homes) near and far, this gigantic operation was happening behind the scenes. While the world analyzed COVID-19 statistics, manufacturers were building laptops and PCs on fast-forward, and delivery drivers were working overtime, especially considering the extra complexity of additional border controls. All so that employees could start work at 9am from their kitchen table.

So, what was it like to be a CISO while this ‘new world’ was kicking off?

This is Katherine’s story…

Katherine is currently working from home on her work laptop, sharing her office with the family living room. The current plan is to return to work in April 2021 on a 50/50 basis where employees alternate on a bi-weekly basis.

She explains how the initial challenge was to purchase hundreds of laptops for employees to use and set up separate Citrix sessions for those that didn’t have them. This was important so they could keep their private and work data separate.

Later on, the company encountered issues around patching. Laptops couldn’t be updated to the latest versions to reduce vulnerabilities because no one was in the office to facilitate the automatic rollout. Another issue was that, in order to get the patch when you’re working from home, you have to be connected to the VPN, and not everyone was. So, it was an incredible challenge to make sure all the patching was being done. Other issues emerged, such as other PHP activities and the patching of other systems. A lot was done on a temporary basis as a ‘quick fix’ to get up and running as safely as possible.

Another problem Katherine reports is that the business had no real measurements – only mandatory training. However, information is distributed through newsletters and ‘lunch and learns’ which has proven to be extremely effective in informing employees as to the risks, and how to avoid them. In fact, lunch and learns are more successful during the pandemic as it is easier to get more people to come along to the sessions, due to the additional flexibility.

“Finding the balance between ongoing communication around cybersecurity awareness, without bombarding employees with too much information, can be challenging”

Engagement is Key

The sessions are an opportunity to have dialogue with employees over security, offering them a chance to ask questions. It’s important to use real-time examples so employees can put the information in context and start practicing what they learn. Employees were also updated monthly through a newsletter by regular liaison with the communications team to include relevant information updates on cybersecurity.

Annual mandatory training is of course very important. However, it’s not very effective in changing behavior by itself as it only occurs once a year. It’s what you do throughout the year that counts. Even before COVID-19, the company had updated the existing training course to make it more engaging and relevant to employees, as well as add more realistic questions at the end. Unless employees are engaged, they won’t absorb the information from the material.

It can be really effective to roll out two- or three-minute clips on a monthly basis as a series of small episode snippets. These clips need to be more fun and perhaps a bit more humorous to make them more engaging. It can be fun to make it into a competition, so employees compete for points. Finding the balance between ongoing communication around cybersecurity awareness, without bombarding employees with too much information, can be challenging.

The organization has seen an increase in threats, especially phishing attacks, up by about 20%, although attempts to attack have been thwarted and have so far been unsuccessful. Katherine reports that two employees clicked on links; however, that was quickly reported and managed effectively, thereby avoiding harm to the company. An increase in phishing attacks may be simply because it has become easier to be successful from the perspective of the perpetrator since working from home was introduced. Employees are receiving too many emails – more than when in the office – and so it’s easy to lack the required attention to detail on each and every single email. The other problem occurs when people are distracted, perhaps due to having children at home, and so links are clicked on without thinking.

“It’s the job of the CISO to reinforce the importance of taking responsibility for security, but also give examples of how security plays a role in people’s private life”

New Opportunities, New Attacks

An increase in cyber-attacks is also happening due to the topics surrounding the recent pandemic, so criminals are scamming people by taking advantage of their interests in topics such as HMRC and the vaccine.

Interestingly, she explains how scam calls to business landlines stopped during lockdown. Then, once the restrictions were lifted, they slowly started again, but they stopped once more when people were back in lockdown, because the callers knew everyone was working from home.

Some companies took the time to do a thorough needs assessment so as to have the appropriate tools in place according to security requirements, while others prioritized speed and getting some technology up and running as quickly as possible. Katherine explains how the pandemic opened up new opportunities to invest in technology that may not have been there before, which was exciting. However, with the sense of urgency to get something in place, it became obvious that security had been an afterthought when perhaps it should have been higher up the agenda prior to the pandemic.

In terms of security tools, she stresses the importance of carefully evaluating whether the security monitoring tools really capture everything within the intended scope. Ensuring the security monitoring tools are appropriate to the situation, whether employees are located in the office or working remotely, is critical to reducing vulnerability. Do you only get all of the data off the log files when you’re in the office and connected to the environment there, or do the tools stretch to the remote workforce? This is vital, she explains, in order to enable proper ongoing security monitoring. Use the appropriate tools that allow for patching when employees are working from home, so it can be done remotely. Diversify the tools to suit the situation. It’s also important to ensure that the right controls are in place to prevent data leakage when an employee leaves the company, so access needs to be removed within 24 hours.
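The two questions raised above (does log collection actually reach remote endpoints, and was a leaver’s access removed within the 24-hour target?) can be turned into routine checks. The following is an added example, not code from the article or from Katherine’s organization; every hostname, username and timestamp in it is constructed, and the 24-hour thresholds are the ones the article states. The same last-seen logic also answers the patching question from earlier in the piece: a laptop that never connects to the VPN shows up as a device that has gone silent.

```python
"""Remote-workforce control checks over constructed inventory data.

Added example (not from the article): flags endpoints that have stopped
sending logs (a monitoring coverage gap) and leavers whose access stayed
active beyond the 24-hour removal target described in the text.
"""
from datetime import datetime, timedelta

# Constructed endpoint inventory: (hostname, location, last log event seen by the SIEM)
ENDPOINTS = [
    ("LT-0101", "office", "2021-03-01T08:55:00"),
    ("LT-0102", "remote", "2021-03-01T08:40:00"),
    ("LT-0103", "remote", "2021-02-12T17:05:00"),  # silent for weeks: never on VPN
    ("LT-0104", "remote", "2021-02-20T09:00:00"),
    ("LT-0105", "office", "2021-02-28T16:30:00"),
]

# Constructed leaver records: (username, end of last working day, access disabled at or None)
LEAVERS = [
    ("a.smith", "2021-02-26T17:00:00", "2021-02-27T09:15:00"),
    ("b.jones", "2021-02-19T17:00:00", "2021-02-22T10:00:00"),
    ("c.brown", "2021-02-24T17:00:00", None),  # still enabled
]


def _as_dt(value):
    """Accept either an ISO 8601 string or a datetime."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def stale_endpoints(endpoints, now, max_silence=timedelta(hours=24)):
    """Hostnames whose most recent log event is older than max_silence."""
    now = _as_dt(now)
    return [host for host, _, last in endpoints if now - _as_dt(last) > max_silence]


def coverage_by_location(endpoints, now, max_silence=timedelta(hours=24)):
    """Fraction of endpoints per location that reported within max_silence.

    A remote ratio well below the office ratio is exactly the gap the text
    warns about: the tooling only 'sees' devices on the office network.
    """
    stale = set(stale_endpoints(endpoints, now, max_silence))
    totals, fresh = {}, {}
    for host, location, _ in endpoints:
        totals[location] = totals.get(location, 0) + 1
        if host not in stale:
            fresh[location] = fresh.get(location, 0) + 1
    return {loc: fresh.get(loc, 0) / totals[loc] for loc in totals}


def overdue_leavers(leavers, now, sla=timedelta(hours=24)):
    """Usernames whose access was not disabled within sla of their last day.

    An account that is still enabled (disabled_at is None) is measured
    against now, so it is reported as overdue once the deadline has passed.
    """
    now = _as_dt(now)
    overdue = []
    for user, last_day, disabled_at in leavers:
        deadline = _as_dt(last_day) + sla
        actual = _as_dt(disabled_at) if disabled_at else now
        if actual > deadline:
            overdue.append(user)
    return overdue


if __name__ == "__main__":
    demo_now = "2021-03-01T09:00:00"  # constructed 'current time' for the demo
    print("Stale endpoints:", stale_endpoints(ENDPOINTS, demo_now))
    print("Coverage by location:", coverage_by_location(ENDPOINTS, demo_now))
    print("Overdue leavers:", overdue_leavers(LEAVERS, demo_now))
```

In practice the inventory rows would come from the SIEM’s log-source list and the HR system’s leaver feed rather than from literals, and the coverage ratio is the number worth putting in front of the executive team: if office coverage sits at 100% while remote coverage is a third of that, the monitoring scope is not what the dashboard implies.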

The trickiest part, Katherine sighs, was the call centers, as their time is spent talking to customers and they don’t necessarily have the time to connect to the VPN and do the required updates. A way around this which helped was to reach out to line managers and create a ‘huddle’ where a team lead was responsible for a group of call center agents and scheduled time to simultaneously connect them to the VPN and update their PCs.

Since working from home, some people have become more aware and others have tried to take shortcuts and work around any tools that are seen to be a barrier to business. One reason for that may be an increase in workload and working hours compared to before the pandemic, both for Katherine and her teams. Some teams really understood the importance of security and of not bypassing it.

Protective Measures

Several steps were taken to protect the organization; the company created a new working from home policy, which needed to be signed by employees, Katherine reports. They also brought the training forward as it was due for later in the year, and they felt it was important to do it sooner so employees could be reminded to take care, especially when working from home. Enhancing password settings is something else they have had to do since employees have worked from home. The policies, as well as education and awareness programs, need to be very clear on the message that employees must not send any work-related information to any private email address. It is of course possible for employers to see when an employee has sent an email to a private address.

There was an initial decline in cyber-hygiene and cybersecurity behavior upon working from home, but it then recovered to the level it was at prior to the pandemic. However, Katherine has seen an increase in people reaching out with questions and asking for support and advice on how to do X, Y and Z. This is a result of all the education and awareness training and of being known as the go-to person for security questions. She is the face users can identify as being responsible for driving security and reach out to when they are concerned.

When discussing the education and awareness campaigns and training she stressed the importance of paying attention to the content to be sure it’s appropriate and interesting for that individual employee, whatever department they’re in and whatever role they have. They need to ensure that the topics they are covering in training are appropriate to their current situations – i.e. working from home. For example, when talking about physical access to PCs and laptops, it’s important to address the potential risk of allowing access to devices by family and friends. This is much more useful than reminding employees to wear ID badges when walking around the office.

Security must resonate with everyone in the organization and they need to understand that they are also responsible for cybersecurity, as part of their day-to-day job. It doesn’t matter whether it’s the CEO, or call center manager, it is everyone’s responsibility. It’s the job of the CISO to reinforce the importance of taking responsibility for security, but also give examples of how security plays a role in people’s private life. If people understand how it works in their private life then they can apply it when working for the company. For example, most people who do mobile and online banking need to provide a username, PIN and password, which is two-factor authentication, similar to the process adopted in the company. Making the connection between private and working lives in terms of security not only reinforces the message but also enables people to practice the skills to the benefit of both the employer and the employee.

“Security must resonate with everyone in the organization and they need to understand that they are also responsible for cybersecurity, as part of their day-to-day job”

Onboarding Challenges

The onboarding process can be a little trickier now than before in that companies have to consider how to ship equipment to employees and get the appropriate IT support to get it up and running and support that employee on an ongoing basis. However, there hasn’t been a change to training and that still happens when it should, within the first few weeks of joining.

When new joiners are onboarded, it can be challenging to build a new positive relationship with them and create a good first impression. One way to get around this is to set up non-work-related virtual coffee or drinks on a Thursday or Friday evening. However, this is not easy: managers have to be mindful of the quantity of meetings that people are having to attend and so, as managers, can’t add extra pressure. If you have been looking at a screen all day, the last thing you want is to look at a screen in the evening too.

Katherine herself has started a new job and feels it is more challenging to build up a good relationship with her colleagues and manager. She tries to be herself and be as natural as she can, in the same way as you might when meeting someone face to face, so as to get a feeling for the person and find it easier to work with them later on. Chitchat has become incredibly important and facilitates a discussion that isn’t just focused on work, which all helps in getting to know colleagues and working together in the long-term. Sometimes it can be as simple as asking how someone is, and not cutting straight to the chase in terms of work-related conversation. It can be really helpful to have the camera turned on when interacting with colleagues to build stronger professional relationships.

Katherine explains how one of her employees is really struggling psychologically with working from home in the same room as others all the time. This can take its toll on employees’ feelings of wellbeing and their general mental health. Being honest about the challenges you may be facing, perhaps feeling exhausted or down, and showing your own vulnerability can be a powerful way of building trust with the employee. She has struggled herself with the issue of working in the same room as others, not having access to a separate office. It makes it difficult to switch off from work. Ideally, one should try to keep these separate but this, of course, isn’t always possible and then the line between work and personal life becomes blurred.

Encouraging your team to take holidays even though they cannot travel is important for mental health, so that people take a break and have a rest from work, stresses Katherine. However, the company has also offered employees the opportunity to roll over their annual leave to the following year should they wish to, as this feels like the fair thing to do considering the circumstances with travel restrictions.

Working from home can be stressful for some people. The key thing is for the manager to recognize this early on so they can intervene and support before the situation deteriorates. Early intervention is not only important, but critical.

As a manager, it is also really important to have a high degree of self-awareness and speak up when you need help. She often has to remind herself to take care of herself as well as her employees, which can easily be forgotten in all the chaos. She advises people to take note of themselves, take note of how they’re feeling and how this may come across to others. If you’re pessimistic then others will notice and may be affected by that. It’s also important as a manager and security professional to be visible as well as transparent. Having a face to security makes it more personable and easier to digest and incorporate.

Katherine hasn’t noticed a change in the level of commitment from employees to the organization throughout the pandemic, which is of course encouraging news. If anything, she reports that people seem to be working harder to create a good impression. Although, how this develops in the long-term is, of course, not yet known.
