In December 2021, in my role as president of the ISSA Delaware Valley Chapter, I had the honor of hosting a panel with five Chief Information Security Officers (CISOs), representing five different industries, each facing unique challenges presented by the global COVID-19 pandemic. The panelists included:
- Robert Younce – CISO of Mannington Mills, one of the world’s leading manufacturers of fine flooring
- Phil Curran – CISO of Cooper Health, a leading academic health system
- Lucas Burke – VP of Security, Compliance and Risk Management for Radian Group, a mortgage insurance company with a suite of mortgage, risk, real estate and title services
- Leonard Nelson – CISO for Rowan University, a public research university in Glassboro, New Jersey, with a medical campus in Stratford, New Jersey and medical and academic campuses in Camden, New Jersey
- Roger Young – Senior Director of Information Security and Compliance for Morgan Lewis, an American multinational law firm with approximately 2,200 legal professionals in 31 offices across North America, Europe, Asia and the Middle East.
While higher education, hospitality, healthcare, manufacturing and financial services all faced their own distinct pandemic-related issues, many common themes emerged during the discussion with these security leaders. While many of the themes were similar to those identified during ISSA’s June 2021 CISO panel, each issue has evolved requiring new thinking about how to deal with the problem today, as well as the longer-term effects in the future.
We are in the most difficult talent market ever seen. We need to continue to care for our people and get creative about how we develop new talent.
The pandemic has caused most companies to move to a remote workforce and it does not look like this will change anytime soon. Companies are no longer competing for talent regionally, they are competing on a global scale, making it difficult to identify, hire and retain cyber resources. From a retention perspective, organizations are realizing they need to maintain flexibility for their workforce. “Companies who try to force people away from remote work and back to the office are going to miss out,” said Leonard.
In addition, finding new talent is also difficult as everyone is battling for the same talent and salaries are increasing dramatically. These security executives have had to get creative in finding talent. “We have had success in finding people in other groups such as IT ops, IT audit, and development and training them for security”, commented Lucas. The others agreed they have been “stealing” resources from other IT departments and training them for security with good success.
Will borrowing from other groups and retraining work for the long haul? Probably not and the panelists agreed other methods need to be explored quickly.
Robert said he is looking to outsource parts of his security operations and save his limited resources to focus on tasks that would be difficult to hand off to a third party. “I plan to outsource my SOC so I can repurpose the people I currently have performing those tasks to other areas that would be more difficult to outsource,” he said.
Automation was another theme the CISOs agreed needed to be developed quickly. “If I have to keep hiring people that I cannot retain, I might as well start investing in automation and deploying it where it makes sense,” Roger said. Lucas added that it is a challenging cycle to hire inexperienced resources, investing in them and training them when, after a few years of experience, their salaries and value grow exponentially, making it difficult to retain them.
The CISOs also are hoping higher education will rise to the challenge and start turning out qualified resources more quickly. While four-year degree programs are valuable and are building qualified candidates, shorter, more focused certification programs may also be a way to get more talent into the market quickly. Leonard said, “We are expanding our degree programs as well as pushing certificate programs to get people up to speed quickly so they can start working and then pursue their degree.”
Budget is not a problem, but getting the work done will be difficult.
The CISOs all stated their 2022 budget requests were approved with little pushback. For the first time, they received almost everything they asked for.
Lucas offered, “organizations and boards are realizing it’s cheaper to fund a strong security program than respond to a breach.”
Phil added, “The board saw ransomware impact on our peers and brought in a third party to do an analysis of our program and develop a three-year plan.”
Organizations seem to be getting the message they need to invest in security and are taking action. All the CISOs received the funding they asked for, but now will be challenged to deliver with limited resources.
Third and fourth parties consumed a lot of resources in 2021 and we don’t see that changing soon.
Third- and fourth-party risk was a key concern for all the CISOs. Supply chain attacks consumed a lot of resources — both responding to incidents, but also trying to prove it was not an issue with other products in the organization. The CISOs spent considerable resources responding to supply chain cyber attack issues such as SolarWinds and others. Every time the press spoke of a new supply chain ransomware attack issue, the CISOs had to spend considerable time reassuring management the issue was under control, even if it was not a big threat for their organization. Many companies then wanted to do a knee-jerk reaction to the affected product and replace it throughout the organization.
“If I had to throw out every product in my program that had a vulnerability, I wouldn’t have any products,” said Roger. So the challenge becomes how to manage the risks that come from using third-party products and services. Even harder is trying to manage fourth parties, many of whom carry significant risk, which the organization can do little about. Healthcare has a slight advantage with fourth-party risk management due to business associate agreements (BAA). “With healthcare, I have an advantage because our BAA makes third parties responsible for their fourth- and fifth-party suppliers,” Phil commented. The challenge for other companies without BAAs is they do not have any direct contract or leverage with the fourth party and often need to rely on the third party to effect any change. Regardless, third party risk management and supply chain attacks are issues organizations will struggle with for some time.
It may not be how much you need or how expensive it is, but can you get it at all?
Cyber insurance is becoming more expensive, receiving greater scrutiny by providers or threatened to be denied altogether. “Insurance providers are looking at companies’ security postures very closely and looking at how we manage ourselves as well as how we manage our third and fourth parties,” said Lucas. Most are now seeing extensive questionnaires from insurance brokers requiring answers to be backed up with evidence. Many carriers are threatening to drop or are dropping companies if they do not have key controls such as multifactor authentication for remote access, robust patching hygiene or privileged access management (PAM). Most believe this trend will continue as breach costs and frequency continue to increase and carriers will get more stringent in their expectations and criteria for coverage. All saw rates increase substantially, anywhere from 120% to over 200%. On the positive side, all CISOs commented that the insurance carriers have been more involved and on point with their guidance and support during an incident.
Year two of the pandemic seemed to exacerbate the issues we saw in the first year. We now know there will likely not be a new normal, but constant evolution and flow of change organizations must struggle to adapt to and manage. The security management practices of yesterday are gone and new agile, innovative organizations must rise to the challenge of staying safe and secure. While organizations struggle with resource issues, they must use ingenuity and creativity to continue to succeed.
Readers may also be interested in this blog: Becoming a CISO: If I Knew Then What I Know Now.