The COVID-19 crisis has forced many infosec leaders into panic mode, having to deal suddenly with large numbers of employees needing secure remote access, more cyberattacks and slashed budgets.
One expert says things aren’t going back to normal when the crisis ends, but this presents a significant opportunity for CISOs to improve operations and best practices.
“My hope is we’re going to begin to streamline and de-complex organizations,” Kristin Lovejoy, global cybersecurity leader at EY, told a recent webinar on what’s next in cybersecurity hosted by Hewlett-Packard. “We’re going to look at our controls, infrastructure. We’re really going to think about security within the context of business, as opposed to how we’ve been considering it before.”
News reports of large-scale data breaches and ransomware attacks are increasingly getting the attention of executives, she said. Combined with the pressure to rationalize spending, she hopes that will change infosec pros’ attitudes towards cybersecurity.
“I think CISOs are changing … I have some level of hope because CISOs are more business-aligned, more (aligned with) transformation. I think their pragmatism will fare us well in the future.”
Other panellists were Charles Blauner, former CISO at JP Morgan who is now CISO in residence at Team8 Capital of New York and has his own consultancy; Boris Balacheff, HP Fellow and chief technologist for security research and innovation at HP Labs; and Ian Pratt, global head of security for personal systems at HP.
Blauner was also hopeful but in a cautious way. “I have to be optimistic because (in this industry) if you’re not, you’re suicidal,” he said.
Despite the crisis, nothing fundamentally has changed in security for infosec leaders, he argued. The CISO is still responsible for understanding what and where critical assets are and protecting them. “I think the best CISOs are already business leaders. What makes life complicated is everything else has changed.”
COVID also made people think a lot harder about operational resiliency, he said.
“The really good CISOs are those who understand how to build on the fact that security is a foundational aspect of operational resiliency.” Those CISOs, Blauner added, are seeing their budgets increase. “This is an opportunity for good CISOs to change their relations with CEOs and their businesses. The really good CISOs are now thinking about how to leverage security technology to help transform the business. The good CISOs are taking the opportunity to put good ideas out there. It’s the really bad CISOs who are struggling to catch up to all the changes that no-one ever talked to them about.”
After quickly rolling out remote access for staff working from home, Blauner said “we’ve proved we can move fast. No one’s going to slow down now. The pace of change I think is what will be the most lasting thing of this (crisis).”
Pratt noticed that the pandemic has also forced IT operational procedures to change. With most staff working from home, IT is rarely able to centrally buy, image and distribute laptops, he said. Some organizations are asking suppliers or manufacturers to image PCs and then distribute them directly to end-users. Perhaps soon staff will buy a laptop and, when it is plugged in at home, it will be configured by the employer’s network.
With all the people working from home — even in manufacturing — the future will be what Balacheff called “distributed infrastructure.” That will also mean no one will come to an employee’s door to handle support, he added, so PC manufacturers need to think about systems having autonomy, being self-healing, and offering resilience.
It wasn’t all optimism. Lovejoy worried about the nature of some cyber attacks that aren’t necessarily criminal. “People are mad, and we have to recognize that the nature of these destructive attacks will continue.”
The increase in ransomware attacks troubled Blauner, who noted it can be a dilemma for organizations to decide to pay a criminal or terrorist organization, or go bankrupt. Cyber insurance isn’t necessarily a solution, Lovejoy said, pointing out that some American cities that refused to pay ransoms in the thousands of dollars had to pay millions to cleanse their systems. Insurers look at those numbers and advise customers to pay, she said.
But Pratt argued that basic cyber hygiene can stop many cyberattacks. Seventy per cent of attacks start with an endpoint being compromised, he said. And 99 per cent of the time it’s because a user clicks on a link or an attachment.
Finally, moderator Ed Amoroso, CEO of TAG Cyber, a New Jersey consulting firm, asked the panel if organizations will be better or worse off after the pandemic. “I don’t think we’ll get back to normal,” said Lovejoy. “That may be OK. I’m cautiously optimistic.”
We would be better without COVID, said Blauner, but the pandemic will get CISOs there faster. Pratt agreed. Organizations will be better because they are paying attention to things they wouldn’t have had previously, said Balacheff.
Amoroso was less optimistic: The same, if not worse, he answered.