On the evening of Sunday March 22, UK Prime Minister Boris Johnson announced the plan for public lockdown in the battle against COVID-19.
This led to a closure of pubs, shops and ultimately, the creation of a remote workforce as employees were encouraged to work from home if they could. Now that we are three months on from that, Infosecurity looks at how lockdown impacted the various facets of cybersecurity.
The Professor
Professor Steven Furnell is associate dean of information security at the University of Plymouth. He said from his view, it’s actually been a fairly smooth transition in terms of the delivery. “I think it’s fair to say that cybersecurity – and indeed computing as a topic area more generally – lends itself to remote online delivery more easily than some others (e.g. topics dependent upon fieldwork or wet lab facilities).
“So, for me (and for what I’ve seen from colleagues) it was a fairly straightforward transition in terms of both session delivery and project supervision.”
Furnell admitted that certain assessments have needed to be adapted to the new context, to take account of specialist facilities that students would no longer have access to, but this has been done in a way that maintains the ability to meet the learning objectives of the modules concerned and degree programs overall.
“If anything, the ability to switch over so quickly with relatively little disruption has perhaps shone a light on how effectively some of the delivery can occur in this mode,” he said. “This has the potential to benefit cybersecurity education moving forward, as we could well see certain courses being made available more flexibly as a standard option.”
The Vendor
Nico Fischbach is CTO of Forcepoint. He admitted that the company was prepared for the lockdown, having put plans in place for a number of product launches in advance. In terms of communication with the employee base, he said he does “miss social contact and Zoom is not the answer.”
Has he seen a significant change in approaches to security? He said from his perspective as CTO, he had not seen a change. “We are a global organization of 3000 people in engineering sites, and have a daily time span which starts in Israel, moves through Europe in Helsinki, Reading and Cork, and across the US, and we use tools to communicate,” he said.
He explained the main change he saw was more around sales and marketing and the way they worked with a switch in events from physical to virtual and customer outreach being affected, but the company was focused on changing tactics to connect with new clients.
“For us, 2020 is all about execution and strategy,” he said. “We dropped Dynamic Edge Protection in April, and for us it is all down to managing execution.” He added it was about making small course adjustments, as in the SaaS world “the product is the touch point” as more companies are using SaaS to force transformation.
How did he see things changing in 12 months time? He predicted that things would not go back to the old ways of before, but we will look at how transformation was enabled. He said many companies would take a year or two to adopt a fully cloud-first approach, but he saw many users were already “hybrid-ready.”
The Penetration Tester
Gemma Moore is a director at Cyberis. She said that Cyberis was already an “agile, technology-focused business” and already had employees who worked from home permanently and a cloud-first architecture, so the switch to home-working was not too painful for the company.
For its customers, the pace of change for businesses suddenly re-architecting their systems to allow remote working has been immense, “and inevitably businesses have sometimes had to make compromises that reduce their information security resilience in the short term but increase their ability to get employees back up and running from home quickly.”
She said, before COVID-19, the company visited customer sites and data centers a lot. “We would have face-to-face scoping meetings and workshops, we would sit with development teams while we tested their applications and have chats with security architects while we reviewed their networks. When the pandemic hit, that activity all stopped immediately, and we had to come up with other solutions to help our customers assess their onsite components.”
Moore claimed penetration testers have always had the capability to test internal systems from a remote point of view, and with lots of customers embracing the use of cloud services and cloud infrastructure in the last 10 years, the concepts of internal and external have shifted from their traditional definitions over time anyway, and the perimeter simply does not exist in the same way as it used to.
In particular, customers who previously wanted Moore and her team to work onsite closely with their teams are suddenly open to trialing remote testing options, and the cost and benefit analysis for provisioning remote access to testing teams has fundamentally changed for customers.
“As we ease out of lockdown, there are some requirements where we need to get a consultant on site to a customer, but now there is another layer of complexity in that on both sides; we need to check that our customer has appropriate protective measures in place to keep our consultants safe, and our customers need to check that we have appropriate procedures in place before we send a consultant to them,” she said.
“Longer term, I think the impact of the pandemic will be significant. I suspect that many businesses who have rapidly switched to a flexible remote-working culture will not want to move back to a standard office-based culture. That change impacts the architecture, the risk decisions they are making and the types of threats that companies need to counter.”
The CISO
Neil Thacker is CISO at Netskope. Asked how he felt the role of the CISO has changed in the last three months, he claimed the actual role of the CISO has changed as CISOs now have real-world business continuity planning and disaster recovery pandemic response experience, and have been reminded of the need for a solid and tested response plan.
“In addition, the need to future-proof our networks and infrastructure is key as we can never be certain what the future holds,” he said. “At Netskope, we are fortunate as our culture has always embraced flexible working and offered employees the option to work remotely. We are a ‘cloud-only’ organization and so the transition overnight to a fully remote workforce caused zero impact to our business operations.”
He was able to cite examples of other CISOs not experiencing such an easy ride, as one “witnessed the use of collaboration tools jump from 20,000 to 200,000 concurrent connections” and this prompted their organization to rethink how to secure this traffic, and it fast-tracked the company’s move to the cloud.
“From a risk and controls perspective, not much changed other than the location of our employees which became a variable to consider, especially when it came to data protection and privacy,” he said. “From a threat perspective, like many organizations, we witnessed an increase in the number of attempted attacks (phishing, drive-bys, etc.) so we issued further guidance across the organization to remain extra diligent at this time whilst ensuring our threat protection controls were being updated in real-time and covered web, cloud and endpoints.
Will this experience cause a change in the short and long term of how the CISO operates? Thacker said the CISO role has continued to change and evolve for the past 10 years, where security have evolved from the office of “no” to be more focused on “enabling” the organization through the implementation of more specific risk-based, data-centric controls. “In other words, the controls implemented are only enforced where there is a risk to the business rather than a set of generic rules that are applied to all.”
Thacker predicted that, post-pandemic, organizations will continue to offer their workforce the freedoms and flexibility in how they work, and remote working will outweigh the number of office-based workers for many organizations. This will lead to an increase of Zero Trust Network Access (ZTNA) “whereby we move away from a network IP connectivity model to be more focused on connecting our employees directly and securely to applications and infrastructure.”
He also said transformation through ZTNA and SASE (Secure Access Service Edge) networks will be how the CISO can be showcased as a team player “by being an enabler and innovator based on the needs of the organization.”
The Startup
James Hooker is CTO of Hack The Box, which was formed in April 2017 and won the Most Innovative New Cybersecurity Company award in 2019. Hooker said that despite the lockdown being an “initial shock to the system for the employees,” the company was still growing and still hiring.
With global offices and a base in Greece, he said that the pain points of lockdown were clear before the UK was locked down, and it had already taken steps to encourage staff to work remotely, and as a result did not suffer many issues.
“Initially we saw it as a two-week thing,” he said, admitting that the lack of in-person opportunities to work together had put a strain on the team, but the company was able to keep communication channels open and frequent, and keep employees up-to-date with the running of the business.
In terms of the wider impact on the cybersecurity industry, Hooker said there was a spike in traffic to its website at the start of lockdown, and it was seeing some “fluctuation in users as people come out of lockdown,” and he said he was confident that there will be a state of normality achieved. “As far as we are concerned, we are healthy as a company and our customers are happy, and in the long run, I think 2020 will look like a hiccup and eventually will normalize out.”
Join Gemma, Neil and Steven as we open the next Infosecurity Magazine Online Summit with a panel discussing the impact of COVID-1i on cybersecurity. Register here.