The CISO’s agenda in a post-pandemic world


How Covid-19 and its impact on the business world is changing the cybersecurity landscape

By Pragati Verma, Contributing Editor, Straight Talk

With the coronavirus pandemic forcing organizations around the world to adapt to work-from-home technologies, cybercrime has been surging.  

The threat is alarming enough to draw notice from the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the UK’s National Cyber Security Centre, which have issued a joint alert. Businesses are feeling the heat too. Almost half (46 percent) of global businesses have encountered at least one major cybersecurity scare since shifting to a remote working model during the Covid-19 pandemic, according to a Censuswide and Barracuda Networks survey of over 1,000 business decision-makers in the UK, US, France, and Germany.

Gartner’s research reflects the same trend. According to its recent survey, more than half of legal and compliance leaders are concerned about third-party cybersecurity risk since the onset of the pandemic. Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice, explains in the report: “Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices.” As a result, she notes that legal and compliance leaders are “concerned about the new risks this highly disruptive environment has created for their organizations.”

Time to Step Out of the Comfort Zone 

And this increases pressure on CISOs and security teams. Forrester Principal Analyst Jinan Budge says, “Even before Covid-19, CISOs had a stressful job. They were already dealing with bureaucracy, internal politics, lack of organizational support, and the constant feeling that they would be breach scapegoats. Cue Covid-19, and a precarious situation for CISOs got more complex.” 

It’s no wonder, then, that Forrester principal analysts Jeff Pollard and Josh Zelonis, in a blog post, urge “security leaders to step out of their comfort zones and adapt to current circumstances.” They explain, “Covid-19 has changed the security landscape for CISOs: employees working remotely off non-work-provided devices, data flowing haphazardly, and strategic plans disintegrating.”

“Every CISO is now a transformational CISO,” they write; everyone is involved with retooling, restaffing, and rebuilding their security program. They go on to outline four behavior modifications every CISO should adopt during these turbulent times:

  • Lead with empathy and make it a foundation of your approach to leadership.
  • Learn to “thrive in chaos” by releasing the grip on control and instead adapting to circumstances.  
  • Don’t stress over the short-term imperfections of the current security programs; rather, focus on how to make things “just work.” 
  • Recognize the stress, work to alleviate employee stress, and connect with like-minded peers to build your confidence that you’re doing what’s right “right now.” 

Resilience Roadmap 

These are big changes, but they will take place gradually in stages, according to International Data Corporation Program Vice President, Security Services, Christina Richmond. In a blog post, she predicts that enterprise security will go through five phases.

During the first phase, Reframe, all security providers have been swamped, she writes, especially the managed security service providers. “From a corporate security perspective this phase is mostly behind us,” she notes. She warns that the second phase, Refresh, is the toughest. “Organizations sought — and many are still seeking — to stabilize their operations, and some are beginning to think about future resiliency. Thankfully, we are beginning to see this phase in the rearview mirror,” she says.  

In the next stage, Recover, she believes that organizations will migrate to cloud more aggressively and make changes to security systems and their security strategy due to digital transformation activities. “Because of the distributed nature of our new architectures,” she says, “edge computing and IoT security will rise in importance and we will see automation and orchestration of key business functions proliferate.” She predicts that “risk and privacy” will become “critical benchmark services.” 

During the fourth phase, Rebound, she expects to see pent-up demand for security services attached to delayed projects and the use of microservices and Zero Trust. “In the new software designed perimeter, identity and data will replace old castle and moat security structures and vendor-agnostic orchestration/automation security platforms will begin to flourish,” she adds. 

Finally, in the fifth phase, Recreate, as “crisis behavior diminishes,” she believes that cybersecurity teams will seek renewal. “At some point, we will not only come back to normal but, as with all crisis and recovery, we will find silver linings, count our remaining blessings and innovate.” Her hope: “As we develop software more rapidly and broaden platforms for threat visibility, IT service management and response, it is possible we will begin to catch the glimmer of an uber security platform where all security tools, regardless of vendor or host, can live harmoniously.”

New Normal 

By the time businesses transition into this new normal, Richmond expects security professionals to have robust cyber resilience strategies in place. “Human nature dictates that as crisis behavior diminishes some of the lessons recede in our memories…Maybe, just maybe, service providers that have bundled these efforts into retainers will see muscle memory prevail,” she says. 

Pragati Verma is a writer and editor exploring new and emerging technologies. She has been a business journalist and managed technology sections at India’s The Economic Times and The Financial Express.