By Pragati Verma, Contributing Editor, Straight Talk
Covid-19 has delivered a new array of cybersecurity challenges. A sudden shift to large-scale remote working setups and a surge in opportunistic cybercriminal activity have pushed CISOs, CIOs and CTOs to reorient their security programs, according to an expert panel of security leaders at the 2020 MIT Sloan CIO Digital Learning Series.
“The pandemic has created the perfect storm of fear, uncertainty, doubt, and chaos,” said Keri Pearlson, the executive director of Cybersecurity at MIT Sloan. According to her, keeping organizations safe has never been more urgent and important. “Bad guys have upped their game and we have to do the same,” she cautioned.
How Secure Are We?
Pearlson began the discussion by asking panelists how secure their organizations are against the increasing cyberattacks. “How do you think about this question? What factors do you include when you evaluate how secure your organization is?” she added.
Liberty Mutual CISO Katie Jenkins, who has worked in cybersecurity for over 20 years, responded by calling it a complicated question. She explained why: “I don't think there's one definitive view that tells the story of how secure we are.” She and her team engage third-party experts to assess their organization’s security level and “marry self-assessment with independent assessment.” Additionally, there has to be a holistic view that includes elements such as how secure “our partners are and the people we do business with,” she said.
Andrew Stanley, CISO of Mars, the company best known for its confectionery brands like M&M's and Snickers, reframed the question: "It's not how secure are we, it's how ready are we to respond?” He argued that the threat landscape changes daily and even if they build great in-depth defenses, new issues can come up and completely undermine all their great work. “So it really comes down to how ready you are and that comes down to how well protected you are, how well you can anticipate security events and ultimately your ability to respond, contain and restore,” he added.
For Veeam Software CTO Danny Allan, this question typically comes from the board of directors or CEO: “The answer is simple, we're never as secure as I'd like us to be because there is so much complexity and so many components to being secure.” He said that he prefers to break it down into two questions. The first is: Are we more secure than yesterday? "Ultimately, security is an iterative process so we're always looking for a 'yes' on that,” he said. The second question is to gauge whether his security team is being proactive or reactive. “You never want to be reactive. You want the process and technology you use to be proactive,” he added.
To Test Employees or Not
As the coronavirus pandemic has spread, cybersecurity teams seem to be re-evaluating their priorities and tightening controls.
For Jenkins, the process began with assessing the security of collaboration platforms like Zoom and “third-party risks”, such as their partners’ remote work arrangements and how they engage with Liberty Mutual’s data and processes. She said COVID-19 has “put us in a position where we have to rapidly assess and look at new types of risks that could change our security posture.”
Her team tried some new anti-phishing exercises for their remote workforce. For instance, they sent employees an email branded to look like it came from Zoom that asked them to update their credentials, prompting them to click a link. “If they did, they were notified that they failed the exercise,” she said.
The anti-phishing exercises that Jenkins tried were “super controversial” at Mars, according to Stanley. “There’s a part of me that wanted to leverage the crisis" and help people understand that they are more vulnerable, he said. However, “in the Mars culture, that is deeply alienating” and “going through that exercise during a time of crisis felt unfair and exploitative.” Mars took a cautious approach and waited 10 weeks before running any phishing exercises, which it usually conducts every six weeks.
While testing employees against phishing during the pandemic was up for debate, the panelists were unanimous that assessing or quantifying cyber risks and communicating them to a non-technical leadership team is a big challenge.
Stanley recalled how he initially believed that he could assign dollar amounts to specific risks and his board and his CEO would understand it. He has moved away from that view, primarily because “over-quantification of risk outside of certain circles is controversial” and is “essentially picking a fight with the risk owner.” He went on to describe how some risk owners might say, “You are not valuing me enough.” According to him, managing risk involves a discussion around actions, their outcomes and tolerance for that outcome, along with how much money the organization wants to spend. "We still argue and debate whether we should get to a quantification point and put a dollar figure on it. I'm resisting it,” he said.
Allan agreed that risk is a big discussion, but “almost impossible to quantify because the same event has a different risk profile for everyone.” According to him, everyone needs to agree on a framework and be aware and transparent about how much risk they are willing to accept. “Everyone says that I want zero downtime. We can achieve it, but it costs a lot of money,” he cautioned.
In the end, CISOs might be the security experts, but they should not try to set the acceptable level of risk. As Allan said, “Security shouldn’t be making that determination, but the line of business.”
Pragati Verma is a writer and editor exploring new and emerging technologies. She has been a business journalist and managed technology sections at India’s The Economic Times and The Financial Express.