Security Leaders Reflect on COVID’s Impact

Plenty has been written about how organizations need to respond to the new and challenging work environment that has evolved from the pandemic that is now facing the global economy and society in general. Now, more than ever, organizations need to find ways to support each other in an effort to survive, while also finding future paths to adjust their overall business models. 

With this in mind, Protiviti reached out to a few organizations to learn how cyber security teams were pivoting to their new operating environment (“next normal”) and to get a glimpse into what may be coming next. I would like to thank a few of the many executives and practitioners that contributed their insights to this article.  

  • Ryan Frillman – Technical Information Security Officer, Equifax 
  • Robert LaMagna-Reiter – CISO, First National Technology Solutions 
  • Steve Lodin – Sr. Director, Sallie Mae
  • Matt Sharp – CISO, Logicworks 

As one could expect, organizations encountered waves of challenges over the past few weeks. While many of the technical challenges were similar and the most mature cyber programs tried to leverage information flowing out of Asia and Europe to enhance their planning process, each organization still faced their own unique hurdles. For example, how to handle new employees, what to do when hardware isn’t available for order, is it okay to temporarily break with policies or procedures, what happens if an employee doesn’t have internet access at home? While these challenges are easily handled when presented in a one-off manner, solving for hundreds or thousands of employees requires a different approach. Ultimately, quick decision making, creativity, agility, trust and some long hours seemed to be common ingredients for success. 

Like many peopleam finding myself parked in front of my TV way too often during my extended home time. In commemoration of all the added screen time, we have leveraged themes from some of the mostbinged shows that during quarantine. Enjoy! 

Crash Landing on YouTear up the playbooks and go! 

Security executives were on the hot seat almost immediately to quickly answer risk and compliance questions from executive management and their board or directors. Customer impact was also an immediate concern for all organizations as contractual and service level agreements were reviewed to understand flexibility and how to properly prioritize operations. At the same time, customer inquiries spiked surrounding pandemic plans, service level agreements and other contractual obligations. Beyond these macro topics, security leaders were busy tending to pressing tactical efforts such as leveraged code freezes to reduce unintended code quality issues and emergency patching cycles to shore up core technologies and remote devices and tuning threat intelligence functions to refocus on new COVID related threats. 

Little Fires EverywhereBalancing today while pivoting the business for tomorrow 

As organizations started to settle into their new operating environments, time was spent to double back and review newly deployed technologies to ensure they were properly configured and secured (there was a lot of positive feedback on the speed and ease of integrated solutions versus multiple point products that all require their own evaluation). Monitoring was re-focused on newly deployed technologies and high-risk user groups to create visibility across the expanded attack surface. Additionally, organizations needed to consider revamping their asset management processes to track down and catalog the influx of new corporate owned devices and services (including shadow IT). 

At broader levels, organizations were coming to grips with their new risk profiles as they tried to comprehend short- and long-term impacts related to the influx of operational change. At the same time, key third party relationships and related service level agreements were reconfirmed or altered to ensure ongoing operations. 

Stranger Things: What is on the horizon after all this craziness? 

While many organizations are updating or changing their operational plans on a frequent basis, all organizations acknowledged that they were reviewing budgets to understand where recession proofing” could take place and reviewing all non-essential projects. In addition, a tremendous amount of attention is being invested into employee reentry strategies. Most organizations acknowledged that theare looking to local, state and federal government for ideas. The most proactive organizations are leveraging phased approaches, while all organizations acknowledged the privacy challenges that come with balancing a return to business as usual and employee health. 

As part of their planning around the “new normal”, organizations are reevaluating their third-party assessment approaches to ensure supply chain and logistics challenges are discussed and properly tested in the future. They are also starting to plan for the onslaught of questions they expect to get from their auditors and regulators surrounding exception tracking and rollback plans. 

Finally, and expectedly, most organizations acknowledged a need to improve business agility, resilience and workforce productivity and are planning to launch various digital transformation, cloud adoptionzero trust, disaster recovery and business continuity initiatives to address these needs and to help prepare for future challenges.   

Common Themes and Lessons Learned 

While many organizations had various levels of business continuity and pandemic specific plans in place, no organization was fully prepared to quickly and securely pivot their businesses to respond to the scale and speed of COVID-19.  As expected, organizations that had invested in mapping their critical business elements or implemented (even partial) aspects of Zero Trust or Secure Access Services Edge (SASE) architectures, reported far fewer challenges in aggressively pivoting their workforces.  Some examples include data flow mapping for key systems/processes, business unit dependencyremote single sign-on, virtual desktops, VPN split-tunneling, cloudbased visibility and control stacks (i.e., CASBDLP, EDR). Organizations were also successful in pivoting operations by promoting iteration (aim for good, not perfect), agility (learn and adapt) and the freedom to cut through procedural “red-tape, such as fast-tracking change management, promoting decision-making delegation to front-line managers and letting employees experiment with innovative ideas. Furthermore, near constant and creative communication was essential to help rapidly reset expectations and educate employees, while also collecting feedback on all fronts. 

That said, there are some hurdles that some organizations are still struggling to overcome. Office-only cultures found it difficult to not slip into micro-management practices with their teams working from home.  Call center environments posed significant hurdles as organizations were forced to balance business needs, employee safety and technology shortcomings. Extending custom applications, VOIP, call recording solutions and “clean desk” environments were common sticking points. On a more technical level, organizations acknowledged that they will be rethinking their technology evaluation processes as they faced an increase in failure rates for on-premise technologies that tout remotely expandable or “cloud-like” functionality. 

As a key solutions provider to organizations across all business verticals, Protiviti has been working closely with hundreds of companies to assist with their business and technology challenges. From helping companies to rapidly assess and understand their new business risks to the secure and rapid deployment of people, process and technology to address said risk, Protiviti has doubled down oour commitment to a clientfirst partnership. Innovation, inclusion and integrity are cornerstones that we continue to rely on as we help our clients solve their current challenges and prepare for better future. 

Want to hear more CISO’s talking about their response to the COVID-19 pandemic? Listen to this on-demand webinar, The Evolving Role of the CISO: Preparing for the New Normal, featuring security leaders from The Estee Lauder Companies, Equifax Workforce Solutions and Microsoft.

Nick Puetz

Managing Director
Technology Consulting – Security and Privacy

Subscribe to Topics

As technology needs become more complex and expensive, companies are increasingly turning to Application Managed Services (AMS) to manage their business intelligence platforms. Our SAP blog explains the benefits.

http://ow.ly/tirf50Bzp3X
#SAPblog #ApplicationManagedServices #AMS

For any organization functioning in today’s digital landscape, data breaches are inevitable. Join our experts as they walk through three possible attack scenarios. #PROwebinar 10/1 from our #TechInsights series http://ow.ly/Sbjs50BzxF5 #cybersecurityawarenessmonth #BeCyberSmart

As technology needs become more complex and expensive, companies are increasingly turning to Application Managed Services (AMS) to manage their business intelligence platforms. Our SAP blog explains the benefits.

http://ow.ly/tirf50Bzp3X
#SAPblog #ApplicationManagedServices #AMS

As part of National Preparedness Month, our Technology Insights blog details one possible solution to data management and recovery. Read part 1 at http://ow.ly/YtSc50BzojX

#TechnologyInsights #BCM #BusinessContinuityManagement #NationalPreparednessMonth #DataManagement

What is the value-add for incorporating SAP SAC planning into your FP&A Process? National Vision partnered with @Protiviti to use this approach to increase efficiency in its #FinancialPlanning cycle, with exceptional results http://ow.ly/fQku50BBJdU @NVIofficial #SAP #SAC

Load More...