CISO, Security Transformation Securing “The New Normal,” or What to Do Now That Everyone is a Remote Worker
Apr 30 2020

Securing “The New Normal,” or What to Do Now That Everyone is a Remote Worker

If we had a dollar for every blog post that started with “we are living in unprecedented times” in the last month, we’d be sipping mai tais … in our living rooms. But it certainly is true and I don’t mean to make light of the extreme situation we’re all in right now. Case in point, recent reports from Netskope, and the industry at large, show that more enterprises are moving their workforces to remote, resorting to cloud adoption at a breakneck pace and certainly faster than any projections I’ve seen in recent years from industry leaders or analysts.

For businesses, these changes can be categorized into how services are being consumed and how they are being delivered. We’re seeing leaders work hard to understand how they deliver value to customers who are no longer able to come through the door. As a result, they’re finding ways to pivot their business to online storefronts, curbside pickup, and delivery. All of this taken together is digital transformation in action, but with that also comes new threats and security transformation.

All of this flux and forced mobility as the result of the COVID-19 pandemic, means that security teams are evolving and transforming very rapidly while also trying to understand what a “new normal” could look like for their business. I’ve had a chance to talk with a number of CISOs over the last month, and here are some of the key takeaways from those conversations and some guidance for how CISO’s and security teams should be adapting their strategies:

1. Breathe, get your footing, circle the team

Unless you were Nostradamus last year and said “We’re going to move everything to the cloud and be able to support a 100% remote workforce by March 2020,” you’re now in the process of rethinking everything or having to accelerate your plans. Everything you thought you were going to be doing this year just got turned on its side and there’s nothing you can do about that. The first thing CISOs are telling me is that it’s very important to take a deep breath, stay human, and just acknowledge this moment with your team. Recognize that this is likely the hardest crisis many people have had to confront in their lifetime. People are going through a lot at home and with their families — so be sure to create the safe space people need to do the best that they can. Once you do that, many teams are realizing that there are actually opportunities during a crisis — we’ll talk about that more in a second.

2. Adapt expectations of how people work and don’t be afraid to throw out current models

This is a situation that actually encourages quick and nimble thinking because companies and security teams alike need to rethink how they can do business in this new world. We have some uncertainty as to how long we’re all going to operate in this manner, and we may even find that there are some efficiencies for companies to continue operating this way. Can employees shift to more flexible hours to manage their work and life? Does this mean that you might actually have more coverage on a weekend or evening shift? Embrace the opportunity to evaluate existing norms and maybe it will actually create a better situation for people to get work done.

3. Get back to first principles 

Remember, your core tenets keep you safe. In all of this change and uncertainty, coupled with the need to make fast moves, it’s important to remember that chaos and confusion aid the mission of bad actors trying to take advantage of this situation too. And with all of the potential exposures and gaps you may discover with your legacy security stack, recognizing and reducing complexity goes a long way, so be sure you’re staying true to the fundamentals of your security strategy within your architecture. With a highly remote workforce and a co-mingling of work and life at an extreme, domain separation becomes an interesting first principle to revisit. Do employees also have a personal Microsoft Teams account? Are kids accessing Google Classroom from a corporate asset? Getting back to first principles can help ground your thinking during uncertain times. 

4. Necessity is the mother of all invention

When people, teams, or organizations go through a crisis, priorities become blindingly obvious. Like it or not, a crisis also has a way of cutting through bureaucracy, and can clear a path to get things done. And the reality is that you MUST address specific issues at this time or suffer greater consequences. In that context, here are a few examples of what CISOs are dealing with right now:

VPNs are getting crushed

When testing and deploying legacy VPN solutions, we never intended to have them handle a work from home mandate like we’re experiencing now. CISOs are leaning on security architectures to quickly pivot to solutions in the cloud where there’s plenty of bandwidth, services, and connections you can leverage. 80% of the CISOs I’ve talked to in the last month are looking to modernize their approach to VPN through things like Zero Trust Network Access.   

Moving security to the cloud just went to warp speed

Most modern CISOs are in some state of security transformation and that means moving security to the cloud. Accelerating this is hard and uncomfortable, however, since it involves people and major surgery to the legacy security stack. For those who were already far enough along the transition has been easier, since it’s meant moving up deployments that they might have spaced out more to balance against concurrent projects that are no longer a priority. For others just getting started, it’s meant that they’ve had to hurry up the internal discussions and get really practical about addressing their greatest needs.

Collaboration apps are now mission-critical and under attack

Speaking of greatest needs, in some places the use of tools like Slack and Microsoft Teams have increased exponentially, and the security of those transactions is under the spotlight due to the uncanny timing of bad actors’ desire to exploit situations like this. Nearly every conversation I have with CISOs involves sharing best practices for securing collaboration apps. Of course the ability to cover these tools varies greatly from company to company. Recently after Zoom shared that their daily active users skyrocketed from 10 to 200M in three months and if you’re also seeing this exponential growth, you are also grappling with how your networks and VPNs might handle such a challenge (keen statement of the obvious — they are not!).

I’ll end with a final thought, which is to think about how you want to look back on this time. Without a doubt, things will not be like they were before COVID-19. Even with the return of sporting events, trade shows, getting back to the office, and returning to schools, we will be forever changed. Think about the shape you want your team and security program to be in when we start to turn the corner. Beyond the immediate firefights, will you accelerate out of this or be in the same place you were in before this all started? If you’re like me, you want to come out stronger and more ready for the next time. I’d love to talk with you about how you’re going to do that. Connect with me on LinkedIn if you want to start a conversation. 

author image
About the author
Lamont Orange has more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as senior manager for the security and technology services practice at Ernst & Young.
Lamont Orange has more than 20 years of experience in the information security industry, having previously served as vice president of enterprise security for Charter Communications (now Spectrum) and as senior manager for the security and technology services practice at Ernst & Young.