ISA Cybersecurity hosted the latest in a series of virtual fireside chats on September 23, 2020. The topic of this month’s discussion was how to maintain business continuity amid the uncertainty brought on by the COVID-19 pandemic and escalating cyber threats to organizations of all sizes and industries. This month’s discussion brought together Enza Alexander, EVP at ISA; Gerry Owens, IT risk/cybersecurity executive and long-time senior executive at TD; and Chris Ruetz, AVP & Country Manager for CyberArk. The following is a capsule summary of some of the key discussion points; complimentary access to the full video is available on ISA’s webinar archive portal. Stay on top of future online events by subscribing to our monthly newsletter.
Key Issues Facing Companies in the “New Normal”
Companies are facing strain caused by business operation changes, the shift to distributed workforces, and the financial pressures caused by the pandemic. Staffing challenges have appeared in multiple forms, from remote communication challenges to shifting workloads and added responsibilities, not to mention the mental toll taken on personnel. Home/work balance, the effects of extended isolation, fear of health issues, uncertainty about back-to-work timing or conditions, and the burden of financial issues and unfamiliar routines have created significant stress. In addition, the expanded attack surface created by remote workforces has created additional cybersecurity concerns.
The “new normal” is not all bad news, however. Many companies have surprised themselves with their ability to change and adapt. Bureaucracies that might have slowed or prevented initiatives have been streamlined. In this environment, every company has had to exhibit agility and nimbleness, or risk irrelevance in the new online-first operating world. Companies that may have been reluctant to leverage cloud offerings or microservices have jumped in quickly to stay competitive.
Companies must now realize that, with the rush to support distributed workforces and online services, appropriate security must be implemented as well. Security may have been traded for convenience out of expedience, but now that “identity is the new perimeter”, with so many people working outside the traditional office, considerations such as maintaining privacy, sharing equipment, securing WiFi, service contention, and password reuse have become more pressing. Solutions must be holistic. For example, while VPNs are important, they aren’t a complete answer to security: MFA solutions must protect the user at connection time, while privileged access controls must stand guard at the network level. A more complete solution is essential to protect each set of corporate “crown jewels”.
While the focus of these security concerns has often been on the customer, it is important to remember that service organizations also had to scramble to provide secure distributed work environments. Unprepared companies might be in trouble; ISA, in contrast, was able to seamlessly deploy and support a fully remote workforce while managing its SOC 2 Type 2 Cybersecurity Intelligence and Operations Centre (CIOC) just days after the initial lockdowns in March.
How are cybersecurity leaders stepping up? What trends are you seeing?
For the reasons outlined above, it’s been very important for senior IT personnel and residents of the C-suite to take a leadership role. The threat of ransomware and cyber attack has accelerated in the COVID era, worsened by the expanded attack surface created by remote workforces. The most successful CISOs, CIOs, CFOs, and CEOs have worked hard to raise awareness, maintain open lines of communication, and ensure alignment between staff, other executives, and the board. The risks are great, with the potential loss of data, resources, private information, intellectual property and goodwill at stake.
People continue to be a weak link – successful security leaders are concentrating on rigorous cyber awareness and training to help shore up that last line of defense and to help prevent phishing and ransomware attacks. Security is a team game, so getting all staff on board to be vigilant is a pathway to success. Smart companies are taking a page out of the health and safety playbook by emphasizing that security is everyone’s responsibility.
The rush to support remote access may have forced companies to add new services, products, and equipment – leaders are now taking the time to review and consolidate their fleet of solutions. More intensive testing of the new distributed workforce models is a growing trend, with companies using more “red team” internal testing and/or employing third parties to conduct ethical hacking and penetration testing.
Cyber executives can show leadership by emphasizing the importance of “security by design”. Bolting on security after the fact may have been expedient in the early days of COVID-19, but it may end up taking more time in the long run and creating exposures until risks are remediated. “Baking in” security to new implementations and projects helps create stronger, safer projects. Here, cyber executives need excellent communication and teamwork skills to explain the benefits and secure support. They align security projects and initiatives with corporate risk tolerance and actual risk: this alignment to the business helps “sell” the message and get better buy-in than a pure tech discussion ever could.
Cyber leaders are emphasizing that security cannot end with the enterprise. With more and more third parties and cloud services involved with modern businesses, it’s essential to understand and account for risk from upstream and downstream suppliers and service organizations. Outsourcing technology doesn’t mean you’ve outsourced risk – you are still ultimately responsible for your customers’ and employees’ data.
Finally, a centralization trend is occurring in many multi-jurisdictional or international organizations. Cyber threats are being monitored and fought on a global stage, so larger companies are seeing the benefits of having a single strategy to support their business continuity efforts.
Other emerging trends
The panelists were heartened to see that executives are leveraging online resources, executive briefings, and knowledge sources in order to get deeper understanding of cybersecurity and risk.
From a people perspective, successful companies are helping their people achieve a better work/life balance. Creative time-shifting arrangements allow work-from-home parents to choreograph their familial and professional responsibilities. Where possible, companies are providing equipment to help isolate work product from home surfing and study. Virtual managers are striving to stay in touch with their staff, and watch for red flags in behaviour or productivity. In many cases, people have been working from home for several months, and back-to-the-office arrangements are well off in the distance – if they even exist at all.
Companies are also appreciating that perimeter management has never been more of a priority, with the change to distributed workforces. Companies are working hard to predict and defend against new risks that may have emerged with the move to remote locations; assessment tools, threat discovery, and cybersecurity audit have become more commonplace.
Raising Cybersecurity Awareness
Companies are getting the message about educating their staff. Cyber awareness training and testing practices are booming. Organizations are using threat education, security bulletins, and direct communications from senior IT staff to drive home the importance of being vigilant and aware. Companies are launching their own initiatives if they have the wherewithal to do so, otherwise they are looking to third parties for resources, expert advice, and external training. ISA has seen huge growth in this space in their cyber awareness training practice.
Management is faced with multiple challenges due to the pandemic, but they still need to take the time to recognize and celebrate successes, and help buoy the spirits of their staff. Companies like ISA have recognized that the virtual workplace has become less social, so they are offering mental health days, encouraging breaks and work/life balance, and have even gone to the extent of having professionals on staff or on retainer available for counselling and assistance. When each individual can cope, this translates into overall corporate resilience.