The outbreak of the global COVID-19 pandemic necessitated a shift by organizations to fulltime remote working. The shift was dramatic and stressful for tens of thousands of business leaders around the world. The frenetic pace at which security teams had to oversee a dramatic shift left saw businesses defending a wider perimeter against threat actors that would surely succeed in attempts to steal proprietary data. Adding to the complexity are the long-lasting impacts of the global SolarWinds and Microsoft Exchange Server breaches.
It is safe to say that the last year has given CISOs many reasons to have a headache.
So, what is the new normal for CISOs? When will businesses begin to scale back remote operations and reopen their brick-and-mortar locations? Does the new normal include permanent remote or hybrid working models and, more importantly, perpetual uncertainty?
The pandemic was an unprecedented phenomenon that changed everything, from the way we lead our everyday lives to the blueprint of our cybersecurity structures. Yet, it is unlikely to be the last: other unforeseen events, big and small, will only ever continue to materialize. Organizations that fail to recognize this will struggle for years to come.
The ability to respond to uncertainty must be built into a company’s DNA. Businesses cannot depend on a static checklist to get them through difficult times. Rather, they need a fluid and adaptable playbook in hand. With the right plan, organizations can better position themselves to keep pace, and even thrive, with emerging trends. In other words: find a balance whereby security continues to be of top priority without sacrificing innovation and growth.
So, how does one go about constructing a security program and infrastructure that is extensive and agile?
In the first instance, organizations must pay due attention to two specific areas: identity and access management, as well as endpoint and mobile management. Where your company’s system is the castle, every user and endpoint are the doors. It is critical that these doors remain shut and locked to bad actors. Moreover, deciding who has the keys to your kingdom and which doors are opened at any one time should be in your security team’s full control. Put simply, visibility of your assets is fundamental to a sound security strategy and access to your assets should operate on the principle of least privilege. Where possible, additional security measures should also be in place – not least, risk-based authentication and multi-factor authentication, which can drastically reduce the chance of a breach.
The second step security teams must hone in on is embedding a cybersecurity mindset throughout the organization. Long gone are the days where cybersecurity rests heavily on the shoulders of security teams in isolation. Every individual, from the CEO down, has a responsibility in keeping the organization secure. As such, organizations must implement regular and consistent security awareness training, not only to remind and empower employees of their role in the company’s security success, but also to prepare them for the threats they are likely to face.
In tandem with this, CISOs need to assert themselves, positioning themselves to have the ear of the CEO and other board members. Concurrently, the CEO and board members must be receptive to the CISO’s recommendations as a subject matter expert and a trusted risk averse advisor. Now more than ever, we need to recognize that maintaining cybersecurity is intertwined with effective operations. In short, it is a business decision; therefore, CISOs and management need to work as partners.
Last but certainly not least, is the ability to scale one’s IT infrastructure. Doing so is pivotal to achieving agility, and agility is necessary to steadily accelerate the organization’s pace of innovation. It is all fine and well having the latest technologies to tackle each emerging threat but at some point during the company’s growth, managing this will become taxing. Each with their own unique demands, companies would need to grow their security teams: a challenging endeavor in an industry that already faces significant skills shortages. Therefore, organizations should seek a solution that can consolidate the various findings to offer a single vantage point. From this perspective, security teams can build a bigger picture of attacks and priorities the risks so that the root cause is addressed, as opposed to merely applying a band-aid on a bullet wound.
More importantly, the organization’s security program should be constructed with automatable processes – processes that can respond swiftly to a threat and administer maintenance efforts. By doing so, manual overhead can be significantly reduced, freeing up time and resources to expand on the company’s innovation.
Even as the COVID-19 vaccine rollout inspires hope, and the public and private sector come to terms with the SolarWinds and Microsoft Exchange Server breaches, it is unlikely that the workplace will be the same as it was pre-pandemic. The pandemic will not be the last disruption to our security planning, and responses need to be swift and direct. Forward-thinking, nimble organizations that design their infrastructure and security policies to be agile will win. Others will face the possibility of huge losses and lawsuits that could leave their businesses facing an uncertain future.