By: John Petrie, May 1, 2020
As companies, corporations and conglomerates around the world plan for their re-entry to the economy, security professionals are being asked what they are planning to support the business re-entry. Through multiple conversations with many CISOs, CSOs and SVPs, it is clear that they are taking similar actions.
First and foremost, they are adjusting their plans to support the business re-entry plan – which is likely to be different from the original business plan or strategy pre-pandemic. It is critical to understand whether the strategy has changed: for example, has leadership decided to accelerate its digital transformation strategy, or determined that a re-branding is now part of the re-entry plan? These are some of the questions security leaders must be able to answer as they make their adjustments.
Ok, given that you have the goals and objectives of the business from leadership, what now? Most CISOs are in some variation of the assessment phase, preparing to adjust the projects that they had planned or that they put on hold. The second question you should ask yourself as a CISO: was the resilience plan / recovery plan successful, given the global scope of the pandemic? Off the record, I am hearing from colleagues that the baked business continuity plans did not meet expectations. CISOs should be prepared to provide recommendations regarding re-working the BCP or creating a use case reflecting the data collected during the global pandemic. This also means assessing what actually occurred. Boards will be expecting answers to this, especially if there were large losses and/or additional expenditures associated with things like work-from-home and supply chain dependencies. Even if the CISO does not own this responsibility, I believe it is still something that you and your team have insight into and should provide input on to leadership.
Concurrently, you as a leader should assess your people – the professionals who make your job easier. It has been a really hard few months for most people, their families and friends. If you haven’t been communicating, you should begin to over-communicate, because I believe you are going to be asking more of your team. This especially applies if your company had to let go or furlough employees during this dark time. Even if you only do a health check every couple of days, 10 minutes to see how they are doing – not a work discussion – you will find that it goes a long way from a loyalty perspective, and the positive impact on the basic human condition is felt as well. Take care of your people; you need them to succeed.
From a security point of view, many CISOs have expressed their concerns about the on-the-fly decisions they had to make to facilitate a 95-100% work-from-home environment. What decisions? Well, here are a couple of interesting thoughts:
Case one: at the time that various countries were initiating a complete lockdown, employees could not go to work and stayed home. Believe it or not, this took a lot of companies by surprise. There was no company stockpile of equipment (laptops, monitors, etc.) for 100% of the company’s employees to work from home. Companies that had some limited capability for their normal remote workers (VPN, virtual machines, bring your own device (BYOD), etc.) found that they did not have the capacity to handle the load. Licensing became an issue in the short term, but most software companies waived the licensing requirements. CISOs made decisions to relax security requirements initially and allowed IT to just make things work. This means that security controls that had been implemented may have been broken down to make this work. Now is the time to assess what decisions were made (probably for all the right reasons) and make sure you know what to roll back, or better yet, take advantage of the re-entry and make adjustments to improve the ecosystem based on the technology that worked best during the crisis.
Case two: the decision about allowing BYOD and its implications for identity. In some cases, shortcuts were taken to get users established as fast as possible. When you don’t correctly ensure that an identity is accurate (for computers, tablets and phones as well as people), you have broken down your trust model. This opens your enterprise to credential theft and DNS manipulation, among other attack scenarios. You need to assess the decisions made by the people who manage identity, make sure they did not make adjustments to your security protocols, and if they did, determine how to regain those controls. This could be an opportunity to re-engage regarding a “zero-trust” framework and take advantage of the lessons learned during this crisis.
There are many other decisions that CISOs made during the beginning of this global pandemic, but there is clearly a need to execute multiple assessments of the company’s ecosystem to ensure that gaps were not created by decisions made in favor of keeping the business operating. Again, CISOs are creating their re-entry plans to support the business strategy post global pandemic, and taking the opportunity to assess the business risk posture and identify the gaps created – with targeted short-term recovery strategies to ensure security controls are more than adequate. Remember, bad actors always take advantage of a crisis and exploit it, not necessarily for immediate gain, but to set up something more impactful later.
Supply chain is top of mind, as we found the world dependent on Chinese manufacturing of raw materials as well as critical supplies. CISOs are assessing their reliance on products and solutions that were affected by supply chain outages, and what the impact on their business was. This is something that also needs to be assessed.
CISOs are also thinking about budget cuts and funding redistribution. As the business begins to re-enter the economy, all available funding is moving toward restarting the production lines, services, and delivery processes that made the business successful prior to this crisis. Many CISOs are being asked to do more with their existing budgets and not to expect any increases. In some cases, it might be necessary to look at taking a loss on technology and infrastructure failures associated with the global pandemic, and potentially ‘write off’ those losses depending on the data and situation.
So, the bottom line is that CISOs have canceled or delayed projects, in some cases let talent go, and made many other decisions in response to the global pandemic. The better-prepared companies are impacted less, but still impacted. CISOs are proactively engaging with the business planners and company strategists, ensuring that security is part of the re-entry plan. They are reviewing capital expenditures and operating expenditures, and taking this opportunity to reevaluate their financial plans – perhaps to take advantage of the lessons learned from an “all work at home” workforce and less reliance on physical office space. That means different security control issues, not fewer. CISOs are assessing their enterprises using consultants rather than their own people – they need their own people for more direct issues and support to the business. I suspect that most CISOs will get these assessments back and there won’t be a lot of surprises, but there will be a recommended prioritization of effort, and this will be useful in the CISO’s discussion with their Board of Directors or Executive Leadership. The CISO’s job is complicated and challenging – it is why many of us have taken the CISO path.