This article was originally published on eWEEK.com on April 27, 2020.
When it comes to the changing role of CISOs in light of the coronavirus pandemic, at a high level, I think the industry got caught with its pants down a bit. Not because there aren’t a lot of smart CISOs out there doing smart things, but rather in our/their ability to quickly adapt to an unprecedented scenario, and perform under an attack on personal safety.
We have always been afraid of a breach, but being able to support a remote workforce, essentially overnight, under the guise of protecting lives brought a whole new pressure to the role. Then, as we caught our breath, we had to adapt to a changing threat landscape. Controls that we thought were effective were not. We realized that we didn’t put as much effort into validating third-party services as we should have (see Zoom). And we’re being asked to forward think and define a security fabric that protects the security and privacy of the “new normal” workforce. I’ve said for years that the CISO gig is not for the faint of heart; we’re essentially standing up to an invisible bully that is always looking to “hit you when you are down.”
How does it change the role/expectations moving forward?
- Digital Transformation – There is no doubt in my mind that CISOs will be asked to help their business accelerate the digital transformation process. CISOs will have to get comfortable with their own “new normal.” Meaning, a “mobile” technology stack and security controls that follow the user, the device, and the data, regardless of where they are located. It’ll also force them to understand the risks with every business decision and be adaptable in figuring out how to protect the company best, both in the short-term (with mitigating controls) and the long-term with more robust protection capabilities.
- Identity – As companies accelerate digital transformation, there will be more of an emphasis placed on controlling who has access, how the access is controlled, what they are authorized to access, and what they do with that access. Identity-centric programs will take on a whole new meaning as well, where we have convergence, of sorts, between security and privacy. A pandemic, like this one, could create a social construct where people are almost “shamed” for being infected with a virus. So privacy and protecting health information will be critical. Organizations will be forced to provide “controlled” access from different places and devices. It’ll put pressure on technologies that support MFA, identity governance, DLP, privileged access, insider threat, contingent access, etc.
- Endpoint – Protecting and monitoring endpoints will become paramount. As a CISO, you have to assume that an endpoint will have to be controlled in a way that prevents it from being exposed in a “non-company” environment. That WILL be the new normal. Security policies will need to be applied based on the behavior of the endpoint’s environment, or the risk associated with it, as much as the user themselves.
- Home Networks/Remote Networks/SDN – CISOs will need to find ways to “containerize” the endpoint on a home network. VPNs are antiquated and can be “bridged,” and man-in-the-middle SSL hijacks are easier in a non-controlled environment. Companies will finally accelerate the use of SDN technologies to bring together disparate networks, endpoints, resources and data into a virtual network, and provide more dynamic policies by understanding where network controls end, where endpoint controls start, and how identity determines how much a user is trusted given the situation they are in.
- Cloud, Cloud, Cloud – The future is now. Cloud will dominate everything we do by extending capabilities wherever the business will take us. CISOs, if they haven’t already, will need to embrace someone else being “in control” of protecting their data. There will be an acceleration around third-party risk management, validating the efficacy of controls, hiring developers to automate the application of controls based on scenarios, etc. More CISOs will self-consume services, and controls, vs. always relying on consultation, other technologies, etc.
- Attack Landscape – It will be critical for every organization to understand their entire attack landscape through the “hacker’s” eyes. Having an “eyes wide open” mentality to the risks you have, everywhere, will be a necessity.