Plenty has been written about how organizations need to respond to the new and challenging work environment that the pandemic has created and that the global economy and society in general now face. Now, more than ever, organizations need to find ways to support each other in an effort to survive, while also finding paths to adjust their overall business models for the future.
With this in mind, Protiviti reached out to a few organizations to learn how cyber security teams were pivoting to their new operating environment (“next normal”) and to get a glimpse into what may be coming next. I would like to thank a few of the many executives and practitioners who contributed their insights to this article.
- Ryan Frillman – Technical Information Security Officer, Equifax
- Robert LaMagna-Reiter – CISO, First National Technology Solutions
- Steve Lodin – Sr. Director, Sallie Mae
- Matt Sharp – CISO, Logicworks
As one could expect, organizations encountered waves of challenges over the past few weeks. While many of the technical challenges were similar, and the most mature cyber programs tried to leverage information flowing out of Asia and Europe to enhance their planning process, each organization still faced its own unique hurdles: how to handle new employees, what to do when hardware isn’t available for order, whether it is okay to temporarily break with policies or procedures, and what happens if an employee doesn’t have internet access at home. While these challenges are easily handled when they arrive one at a time, solving them for hundreds or thousands of employees requires a different approach. Ultimately, quick decision making, creativity, agility, trust and some long hours seemed to be common ingredients for success.
Like many people, I am finding myself parked in front of my TV way too often during my extended home time. In commemoration of all the added screen time, we have leveraged themes from some of the most-binged shows of the quarantine. Enjoy!
Crash Landing on You: Tear up the playbooks and go!
Security executives were on the hot seat almost immediately to quickly answer risk and compliance questions from executive management and their board of directors. Customer impact was also an immediate concern for all organizations as contractual and service level agreements were reviewed to understand flexibility and how to properly prioritize operations. At the same time, customer inquiries spiked surrounding pandemic plans, service level agreements and other contractual obligations. Beyond these macro topics, security leaders were busy tending to pressing tactical efforts, such as imposing code freezes to reduce unintended code quality issues, running emergency patching cycles to shore up core technologies and remote devices, and tuning threat intelligence functions to refocus on new COVID-related threats.
Little Fires Everywhere: Balancing today while pivoting the business for tomorrow
As organizations started to settle into their new operating environments, time was spent doubling back to review newly deployed technologies to ensure they were properly configured and secured (there was a lot of positive feedback on the speed and ease of integrated solutions versus multiple point products that all require their own evaluation). Monitoring was refocused on newly deployed technologies and high-risk user groups to create visibility across the expanded attack surface. Additionally, organizations needed to consider revamping their asset management processes to track down and catalog the influx of new corporate-owned devices and services (including shadow IT).
At broader levels, organizations were coming to grips with their new risk profiles as they tried to comprehend the short- and long-term impacts of the influx of operational change. At the same time, key third-party relationships and related service level agreements were reconfirmed or altered to ensure ongoing operations.
Stranger Things: What is on the horizon after all this craziness?
While many organizations are updating or changing their operational plans on a frequent basis, all organizations acknowledged that they were reviewing budgets to understand where “recession proofing” could take place and reviewing all non-essential projects. In addition, a tremendous amount of attention is being invested into employee reentry strategies. Most organizations acknowledged that they are looking to local, state and federal government for ideas. The most proactive organizations are leveraging phased approaches, while all organizations acknowledged the privacy challenges that come with balancing a return to business as usual and employee health.
As part of their planning around the “new normal”, organizations are reevaluating their third-party assessment approaches to ensure supply chain and logistics challenges are discussed and properly tested in the future. They are also starting to plan for the onslaught of questions they expect to get from their auditors and regulators surrounding exception tracking and rollback plans.
Finally, and expectedly, most organizations acknowledged a need to improve business agility, resilience and workforce productivity and are planning to launch various digital transformation, cloud adoption, zero trust, disaster recovery and business continuity initiatives to address these needs and to help prepare for future challenges.
Common Themes and Lessons Learned
While many organizations had various levels of business continuity and pandemic-specific plans in place, no organization was fully prepared to quickly and securely pivot their businesses to respond to the scale and speed of COVID-19. As expected, organizations that had invested in mapping their critical business elements or implemented (even partial) aspects of Zero Trust or Secure Access Service Edge (SASE) architectures reported far fewer challenges in aggressively pivoting their workforces. Some examples include data flow mapping for key systems/processes, business unit dependency mapping, remote single sign-on, virtual desktops, VPN split-tunneling, and cloud-based visibility and control stacks (e.g., CASB, DLP, EDR). Organizations were also successful in pivoting operations by promoting iteration (aim for good, not perfect), agility (learn and adapt) and the freedom to cut through procedural “red tape,” such as fast-tracking change management, delegating decision-making to front-line managers and letting employees experiment with innovative ideas. Furthermore, near-constant and creative communication was essential to help rapidly reset expectations and educate employees, while also collecting feedback on all fronts.
That said, there are some hurdles that some organizations are still struggling to overcome. Office-only cultures found it difficult not to slip into micro-management practices with their teams working from home. Call center environments posed significant hurdles as organizations were forced to balance business needs, employee safety and technology shortcomings. Extending custom applications, VoIP, call recording solutions and “clean desk” environments were common sticking points. On a more technical level, organizations acknowledged that they will be rethinking their technology evaluation processes, as they faced an increase in failure rates for on-premises technologies that tout remotely expandable or “cloud-like” functionality.
As a key solutions provider to organizations across all business verticals, Protiviti has been working closely with hundreds of companies to assist with their business and technology challenges. From helping companies to rapidly assess and understand their new business risks to the secure and rapid deployment of people, process and technology to address said risk, Protiviti has doubled down on our commitment to a client-first partnership. Innovation, inclusion and integrity are cornerstones that we continue to rely on as we help our clients solve their current challenges and prepare for a better future.
Want to hear more CISOs talking about their response to the COVID-19 pandemic? Listen to this on-demand webinar, The Evolving Role of the CISO: Preparing for the New Normal, featuring security leaders from The Estee Lauder Companies, Equifax Workforce Solutions and Microsoft.