Resilience in Action


Voice of the CISO Community

Esmond Kane

CISO

Steward Health Care

Steward Health Care has 37 community hospitals across nine states and more than 42,000 employees.

New York Community Member

SVP, CISO & Product Security

Energy Company

Energy company providing equipment, solutions and services across the energy value chain.

Southern California Community Member

CISO

Food Service Company

Food Service industry leader with more than 200,000 employees.

Kevin Clark

Director of Security Operations

Slack

Slack is the leading channel-based messaging platform, used by millions to align their teams, unify their systems, and drive their businesses forward.

June 2020

Introduction


Cyber Continuity & Resilience

When COVID-19 began spreading around the world in early 2020, it unleashed an unprecedented wave of business disruption along with it. Entire cities and countries were shut down indefinitely. Businesses were forced to rethink products, processes, supply chains, and even their business models. 

Evanta communities comprised of C-level executives from around the world began gathering virtually to share ideas and collaborate on responding, coping and leading their teams through the pandemic crisis. After more than 60 gatherings, four leaders are sharing takeaways for the larger CISO community on what actions they took to secure their businesses and what they have learned.

 

The CISO Response to COVID-19


CISOs representing the world’s leading global organizations met virtually over the past two months to discuss cybersecurity and business continuity amidst the challenges of coronavirus. Their cities, organizations and industries were impacted differently, but many of their actions and the needs they had to fulfill were similar. 

In these Evanta virtual gatherings, participants discussed the resilience of their organizations in managing the crisis and the increased security threats. Three themes emerged from those discussions among CISOs.

  1. Securing the Remote Workforce

The immediate action for CISOs in responding to the pandemic was to seamlessly support and secure their remote workforces.

  2. Facing Increased Threats

CISOs have seen an escalation in cyber threats and are focusing on communicating and training employees on how to work safely from home.

  3. Accelerating Transformation

CISOs’ third takeaway from the pandemic: don’t waste a crisis when it comes to accelerating digital transformation.

CISOs were a critical part of the immediate response to the pandemic. As companies moved business activities from offices to homes to help slow the spread of the virus, CISOs supported the workforce transition with technology and security. Most organizations were prepared on some level for remote work, even if the size and scope of the situation came as a surprise.

 

1. Securing the Remote Workforce


CISOs’ immediate response was to seamlessly support and secure their remote workforces.

All CISOs reported that they had to immediately and broadly scale up their remote workforces in response to the pandemic. Challenges included how to source equipment and licenses, acquiring or prioritizing communication and collaboration tools, ensuring security for cloud applications, and enabling virtual desktop solutions.

  • Some CISOs said there was a scramble to procure laptops and VPN licenses and to ensure their bandwidth.

  • Organizations that had already transitioned to cloud applications found the transition a bit easier.

  • A remote workforce poses unique challenges to daily operations, like patching and password resets, and introduces unknown variables if personal devices are given access to their networks.

In terms of business impacts, the pandemic has brought a mixed bag. Some CISOs are seeing a substantial increase in business, while others have had to severely reduce operations. With no end date in sight for remote work, communication and flexibility remain the top priorities of C-level leadership teams.
 

Community Voices

Almost immediately, we doubled down on VPN, on cloud, and on our posture assessment to manage remote employees. In healthcare, we quickly discovered confidentiality issues caused by household electronics like Amazon Alexa or Google Home, and employees cannot use their family devices. We had to think about how employees could print – then shred – documents.

Esmond Kane
Boston CISO Community

New York is where the pandemic is the worst – we were heavily locked down. We had prepared for remote working, but not for everything hitting at once. This put a huge stress on our bandwidth. We also weren’t prepared for everyone wanting to download Zoom or their favorite app, so we looked at blocking file transfers. We had to think about how critical apps get processed.

Energy SVP & CISO
New York CISO Community

We did a work from home test on March 11, and by March 15, we had our entire workforce working remotely. We already were a very mobile workforce; everyone had laptops. The same protections were still there. Interestingly, one of the things I had to send out was a ‘how to make password changes’ communication to remind everyone how to do it.

Food Service CISO
Southern California CISO Community

On March 5, we had a report about an employee with potential COVID-19 exposure. Our leadership decided that people should work from home the next day, and over the weekend, we closed our offices. We already had highly collaborative capabilities and infrastructure. I feel fortunate that we follow ZTA and are not challenged with the VPN constraint. Overnight we could be very functional.

Kevin Clark
San Francisco CISO Community

 

2. Facing Increased Threats


CISOs are reporting an uptick in cyberattacks and using employee education as one of their defenses. 

Executive communications have become extremely important over the past few weeks. Many security leaders have an emergency response team set up along with daily standup meetings. Organizations have ramped up employee communications around remote work and cybersecurity, using education as a defense against phishing and other cyber threats.

  • CISOs said that cyber threats have not taken a break; in fact, they have escalated during a perfect storm for cyber criminals. 

  • The executives have seen a surge in phishing attacks, people trying to break into systems and an increase in connection attempts on their networks. 

  • CISOs report that they are on a “heightened sense of alert.”

One security leader stated that their CEO, for the first time, shared a message on the importance of security, stressing that every user must help protect the company. Another CISO noted that the C-level is hyperalert and “gets it” on security right now – a positive outcome in the midst of this disruption. 
 

Community Voices

This is the time to indicate the benefit of security. In fact, it’s sort of escalated during coronavirus with phishing. In healthcare, the philosophy is – first, do no harm. When we are helping our business be conducted, what controls make sense? We try to look at when we can be pragmatic and when we can empower people. No technology can compensate for good education of your employees.

Esmond Kane
Boston CISO Community

We need to lean in and tell people what is acceptable and what isn’t. We are putting together a list of unacceptable practices – temporary exceptions to our normal protocol. What is short term and long term is going to change over time. We must show people the disruptions that are happening. The attacks are coming out more and more. We also help remote workers on their personal devices.

Energy SVP & CISO
New York CISO Community

There is additional risk that our executive teams need to understand. It is important to me to get the message right. It needs to be succinct; it should go out at the same time every day, and it needs to be consistent. Security needs to be some of the strongest leaders in the company. We had one network before – now, thanks to remote work, we have hundreds of networks to watch.

Food Service CISO
Southern California CISO Community

We’ve always had a high level of support for application-specific security and daily security operations. We still have support for Red Team exercises. One of our challenges was how to effectively provision equipment with no in-office IT team to build it. We weren't entirely prepared, but we put together a plan. We’ve tried to reinforce best practices to make sure people are thinking about security.

Kevin Clark
San Francisco CISO Community

 

 

3. Accelerating Transformation


The CISO mantra right now? Don’t waste a crisis when it comes to accelerating digital transformation.

Facilitating and securing a newly remote workforce has given security and network teams a time to shine. Demonstrating flexibility and rapidly adapting to a fluid and uncertain environment is helping security leaders show they are trusted advisers and business enablers.

  • While some digital initiatives accelerated, CISOs are thinking about how they can “bake their processes in” and ensure that it’s not a rushed implementation leaving room for gaps.

  • There is an opportunity for security leaders to influence the business amidst this cultural shift that has changed the workforce and driven everyone into the digital space.

  • Business leaders and the rest of the C-suite see the importance of security in the current environment – and this gives CISOs more power at the table. 
     

Community Voices

There is a joke going around that COVID-19 has done more for your digital transformation than anything else. Aside from remote work and telehealth, other projects have been postponed. Look, no plan survives first contact. We need to be adaptive and flexible. We’ve been engaging where we had a plan and focusing on resilience.

Esmond Kane
Boston CISO Community

Right now, we must pivot. We will be a lot more remote than before. From experience, make sure you have some statistics and points on hand that help you communicate what to do from a risk standpoint. When shifting resources from one to another based on need, you will need to be able to explain that. You must do that now for your business and the impact it will have.

Energy SVP & CISO
New York CISO Community

Our e-commerce and mobile applications are tremendously important right now. Our digital numbers are going through the roof. There is a certain amount of manageable chaos. Remember to make yourself available. I make it a point to be extra available to take a call at any time if I need to. I need to be able to respond directly whenever needed. Be present when not present in the office – this is very important.

Food Service CISO
Southern California CISO Community

I like to think it is business as usual, but we’re even more relevant right now. Our platform has been a huge boon because our internal communications were not interrupted. We are hiring aggressively with no plans to slow down. Security is one of the highest investment areas for percentage of headcount growth at Slack.

Kevin Clark
San Francisco CISO Community

 

Conclusion


Organizations were in various stages of crisis preparedness before the pandemic hit. But there were some hidden surprises that forced security teams to adjust and even take on risk that they wouldn’t normally do. However, CISOs also view this as an opportunity to show their organizations the value and importance of security.

As leaders in their organizations, they are also thinking about the long-term effects of remote work on recruiting and culture, what their approach is to a zero trust security posture, and how they will manage business continuity planning now that they have seen a bigger disruption than could have been imagined.

Incident response and business continuity plans provided a framework, but on-the-ground changes and maintaining agility have provided even more value. There were many lessons learned, and going forward, these frameworks will likely be more robust. Seizing on the opportunity to insert security throughout the business and showcase partnership at all levels will ensure that security is incorporated into the company culture and remains a voice amid disruption.

 

Special thanks to all participating companies.

by CISOs, for CISOs

