On June 11, 2021, Protiviti’s Scott Laliberte, who leads the firm’s emerging technologies practice and is president of the Information Systems Security Association (ISSA) Delaware Valley chapter, hosted a panel with three Chief Information Security Officers (CISOs), representing three different industries, each facing unique challenges presented by the global COVID-19 pandemic. The panelists included:
- Nick Falcone – CISO of University of Pennsylvania, one of eight Ivy League higher education institutions
- Jason Stead – CISO of Choice Hotels, an international hotelier with over 7,200 properties
- Anahi Santiago – CISO of Christiana Care, the largest healthcare system in the U.S. state of Delaware
While higher education, hospitality, and healthcare all faced their own distinct pandemic-related issues, many common themes emerged during the discussion. The discussion below has been edited for brevity and clarity.
People are still our most precious resource – continue to take care of them and maximize flexibility.
The onset of COVID-19 exacerbated the pre-pandemic challenges of hiring and retaining key security personnel. These included, but were not limited to, hiring freezes, angst about job security and burnout from increased remote workloads during this disruptive period. Looking forward, a physical return to the office brings additional challenges, with employees split along fault lines such as commutes, communal spaces, dress codes and flexibility.
The panelists agreed that remote work has helped expand their recruiting reach and talent pool but are still managing the challenge of how to innovate in a hybrid environment. Stead, of Choice Hotels, remarked that, while productivity has increased with remote work, many still look to white boards and in-person meetings for collaboration and innovation. Stead wondered whether these conflicting dynamics in management will continue to support a fully remote model, and whether they must support such a model in order to remain competitive.
Penn’s Falcone added, “For me, it’s not how will we embrace this new remote model, it’s what will happen if we don’t?” Could information security talent acquisition and retention challenges become even more insurmountable in the face of hybrid and fully remote models?
Focus on improving core processes and automating where possible.
A key to getting through the pandemic was “doing more with less,” as pandemic-related revenue shortfalls led to constrained budgets across industries. In healthcare, where the most lucrative elective procedures were put on hold, Christiana Care’s Santiago emphasized focusing her team on its core processes. For example, she explained how her team, initially struggling to handle the significant increase in zero-day attacks in 2020 and 2021, instituted a daily stand-up between all key team members to analyze new threat intelligence, understand any issues that occurred in the last 24 hours and mobilize the team to take informed action. The other key theme that emerged was to automate as many processes as practical to reduce the workload on personnel, allowing them to focus their attention on more challenging and rewarding tasks.
Simplify your tech stack (and your life) and get control of the cloud.
All panel participants agreed that the pandemic conditions resulted in some level of technology rationalization and prioritization. Santiago ventured a sometimes-difficult question: “Can we get full functionality out of what we have?” This is especially pertinent when it is tempting to always go for best-in-breed and maintain many tools. All agreed that reducing the number of tools and focusing on maximizing utilization of fewer common platforms netted them tremendous benefits, including budgetary relief, while reducing both internal staff workloads and those of interdependent teams such as IT operations. Stead shared, “We were able to reduce our reliance on anti-virus because of our investment in endpoint detection and response tools. Removing that one tool reduced IT [operations] workload quite a bit, and they were very appreciative.”
One common investment did emerge across all panelists as a new priority: Cloud Security Posture Management (CSPM). Stead noted, “The pandemic forced the business to accelerate its digital transformation, which required [security] to quickly get control of our cloud environment. CSPM helped us to do that quickly.”
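To make concrete what “getting control of the cloud” with CSPM looks like in practice, the following is an added example written for this summary; it is not code from the panel, from Protiviti, or from any CSPM vendor. It models the core of a posture check: an inventory of cloud resources (a constructed list here, not data from any panelist’s environment) is evaluated against a small rule set, and each violation becomes a finding with a severity. The resource fields, rule names and the choice of admin ports are assumptions; a real CSPM product pulls the inventory from the cloud provider’s APIs and ships many hundreds of such rules.

```python
"""Minimal cloud security posture check over a constructed resource inventory.

Added illustration of what a CSPM rule engine does. The resource record
format, rule names and severities are assumptions for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports whose exposure to the whole Internet is treated as a high finding
# (SSH and RDP). Assumption for this example; real rule sets are broader.
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    severity: str
    detail: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. reachable from any address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(sg: dict) -> list[Finding]:
    """Flag ingress rules that expose an admin port to the Internet."""
    findings: list[Finding] = []
    for rule in sg.get("ingress", []):
        if not _is_world_open(rule["cidr"]):
            continue
        lo, hi = rule["from_port"], rule["to_port"]
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(Finding(sg["id"], "sg-admin-port-world-open", "high",
                                    f"ports {exposed} open to {rule['cidr']}"))
    return findings


def check_bucket(bucket: dict) -> list[Finding]:
    """Flag object storage that is publicly readable or unencrypted at rest."""
    findings: list[Finding] = []
    if bucket.get("public_read") and not bucket.get("block_public_access"):
        findings.append(Finding(bucket["id"], "bucket-public-read", "high",
                                "public read ACL and public-access block disabled"))
    if not bucket.get("encryption"):
        findings.append(Finding(bucket["id"], "bucket-no-encryption", "medium",
                                "no default server-side encryption configured"))
    return findings


def check_volume(vol: dict) -> list[Finding]:
    """Flag block storage volumes that are not encrypted."""
    if not vol.get("encrypted"):
        return [Finding(vol["id"], "volume-unencrypted", "medium",
                        "volume created without encryption")]
    return []


# Dispatch table: resource type -> rule function.
CHECKS = {
    "security_group": check_security_group,
    "bucket": check_bucket,
    "volume": check_volume,
}


def assess(inventory: list[dict]) -> list[Finding]:
    """Run every applicable rule over every resource; unknown types are skipped."""
    findings: list[Finding] = []
    for resource in inventory:
        check = CHECKS.get(resource["type"])
        if check is not None:
            findings.extend(check(resource))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, which is what a posture dashboard reports."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory (not from any real environment).
SAMPLE_INVENTORY = [
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    {"type": "bucket", "id": "audit-logs", "public_read": False,
     "block_public_access": True, "encryption": "AES256"},
    {"type": "bucket", "id": "marketing-assets", "public_read": True,
     "block_public_access": False, "encryption": None},
    {"type": "volume", "id": "vol-0a1b", "encrypted": False},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.resource_id}: {f.rule} ({f.detail})")
    print(summarize(assess(SAMPLE_INVENTORY)))
```

Run stand-alone, the script reports the bastion group’s world-open SSH, the public and unencrypted marketing bucket, and the unencrypted volume, while the HTTPS-only web group, the internal database group and the locked-down log bucket produce nothing. The design point is that posture checks are declarative rules over a normalized inventory, which is why adding a new rule is cheap and why consolidating on one such engine, rather than scattering ad hoc scripts, lowered the panelists’ workload.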
Make lemonade from lemons
“In the midst of every crisis lies great opportunity.”
All the panelists spoke about how the crisis spurred a new sense of urgency behind several key initiatives that had needed support for some time. Falcone said, “Topics that were politically sensitive suddenly became [less] contentious and people were more open to embracing the need for additional controls such as multi-factor authentication or endpoint response tools.” A key theme for the panelists was how messaging the crisis and its associated struggles provided practical context and attention for initiatives that might not have gotten support otherwise.
While organizations across all industries have grappled with similar challenges during the pandemic, information security continues to face unique hurdles in a return to normalcy. For many security teams, “normal” meant already being at the brink in terms of a talent shortage, sporadic organizational support and a dynamic threat landscape. Security teams should ensure that the lessons learned during these trials are kept top of mind, as the resilience, ingenuity and flexibility gained out of necessity should continue to lead to innovative solutions for future success.