The events of 2020 have brought home (quite literally) the need for a robust remote working strategy. The question is: how can infosec professionals best tailor their cybersecurity programs to the new demands of working remotely and ensure both security and business continuity? How can they make sure their data is safe when employees are accessing information and corporate systems from their homes?
To answer these questions, we at Cisco asked leading information security experts about how organizations could best devise a cybersecurity program to account for these extraordinary times. Here’s what they had to say:
My main piece of advice would be to remember that the risks are not bigger or smaller. They’re just different.
It’s easy to get lost in old-world thinking: architecting applications and data flows as if you had most of your workforce in single, concentrated locations. Those days are now largely over, so when you look at the classic network diagram with the company’s offices at the top, data centers below, and then a big amorphous cloud, it’s the piece on the other side of the amorphous cloud, the last-mile connection to the employee’s home, that is now of critical importance.
This means that any successful cybersecurity program now needs to shift its focus to enabling secure home working, with an emphasis on remote workers rather than on the dwindling number of employees who are still resident in the office.
I’m going to give you three recommendations (for a cybersecurity program), and they’re based on what’s good for the people who will make your program happen. A great program exists because of great people. These are as follows:
Running a cybersecurity program is fundamentally about planning for bad things to happen and mitigating and minimizing the damages. Disruptions in our technology infrastructure are the reality of the 21st century, and the companies that plan the best are the ones that survive the best.
There are a huge number of factors that go into developing, implementing, and operating a cybersecurity program, but one that always seems to get the least attention is the Business Continuity Planning components. If you don’t have a Business Continuity Plan when things go sideways, you’re not doing business continuity. You’re doing disaster recovery, and the impact to your organization can be orders of magnitude more devastating.
Knowing what you’re working with is key.
If this means spending a few months speaking to everyone in every department, that’s what you do. You have to know what is important to the business, your boss, the employees, etc. to know how well they will adapt to changes, what their pain points and struggles are with existing cybersecurity processes and what they have responsibility for.
You’re never going to make everyone happy, but you can make it a point to try. So often, we see cybersecurity programs that are sound but are consistently being circumvented by staff because it isn’t convenient or practical or simple enough. So, you’d have to maneuver around them by offering training or working with their existing habits.
Our users are not our weakest link but our strongest allies. We need to support them so that they can help keep the business safe, and that requires an ongoing conversation.
A cybersecurity program can only be successful when there’s support and commitment from the board and management. Leading by example is crucial for adoption. Using the right tools and processes is very important, but in the end, it’s the employees that make the difference.
Every employee should be aware that they can have a positive influence on the security of the company while doing their job. That’s why it’s so important that people in the security team not only have technical skills but also – probably even more importantly – have soft skills like communication and people management.
The security team should not be perceived as the group of people that always says no. Instead, they should explain to people why their actions form potential security risks, listen to why they do what they do, and help them to find solutions that are secure enough and still make it easy enough for them to do their job. Once people understand why security matters and realize it doesn’t have to be a barrier, they will adjust their behavior, and some of them will even become security advocates and help to further improve the security in your organization.
Look purely at the people side of things. Look at the culture, look at the communications.
In other words, you’ve got to work within the culture you’ve got. You’ve got to work with what your people already listen to, within the challenges that they have and within what they celebrate and how the people like to work.
For a great cybersecurity program, know your people better than anyone else, and try to work with them so that you’re not constantly pushing against what they like to do and what they feel is successful.
If you can get your people on board, then you’re already more than halfway there.
Security is people, process, and technology. But people come first for a reason.
Our programs need to embed security/technology to work for the users in a way that doesn’t negatively impact them. We also need to build processes that work for their workflows in a way that enhances their working lives.
We must then teach, share knowledge, and provide the details on their responsibilities to privacy and security within the organization and the holistic program.
First, be open and personable. Gone are the days when you can be cold and impersonal, and just send something and be done with it. Security awareness and security programs have become something that’s more gamified, more open and more personable. And with that, you and your staff—whoever’s running the security program—need to match that energy as well. More companies are now online and on Twitter. They’re interacting with their consumers and customers. The same thing needs to happen internally so that more people are pushing towards that common goal.
The second thing to think about is not just checking the box but focusing on why you’re having this internal movement to security. Why are you actually doing this? So, getting behind the “why” and the “how,” so that everyone is behind the movement, is extremely important. You’re focusing on the goal of providing value to your clients, and you’re doing that by providing an internal space so that people can come together as a community.
The third thing is to be understanding and kind through the journey. Not everyone knows security. We must have a community-based way of getting the security message across, so that everyone understands what their part is. And that it’s actually their job. It’s not an addition to their job that feels like a burden. It should be something where everyone is along for the journey, so that everyone can understand how they can do their part, so that they can be a part of the community to make sure that the business is as secure as possible.
2020 has proven to be a “black swan event.” The term, coined by Nassim Nicholas Taleb in the book of the same name, is for rare but highly impactful and highly memorable events. IT and IT security teams are having a moment, as many have worked tirelessly to ensure their organizations’ ability to successfully respond to security incidents in spite of the quarantine. Now these same teams, in the near future, will be asked to be ready for the next one. But here’s the thing: black swans are, by definition, rare and unpredictable.
Develop a strategy that prepares for the unlikely, while strengthening defenses for more common threats. Let’s call these geese. A good security program readies the organization against all birds, be it the black swan or the unnamed goose.
When it comes to security, we talk about people, process and technology. It truly is in that order. The culture of the people will help influence the processes, which helps influence the buying decisions and implementation decisions of your technology. So, it’s really important to start with people.
The way to make that effective is that when you’re implementing security training and awareness programs, actually create a program that’s tailored to your organization and moreover to your employees instead of buying just some canned program that seems good and sends out phishing examples. This type of program will not only make its messaging and outcomes more effective, but will also create a stronger culture of security and thusly a stronger security program within your organization. By making it personal, people will actually pay attention. Nobody wants to sit through another 30-minute or hour-long training. It’s just not true—especially right now. We are in digital overload and being stuck in our houses.
By creating a program that’s very personal, you can strengthen your security program entirely. You can do this by tiering your phishing examples to include not just the ones that people already make fun of on the Internet but also spear-phishing your employees and training them on what to actually look for in a very personal way. That program should come with an actionable plan and consequences for whenever they don’t hit those marks.
All of this works because everyone is part of your security team in this day and age. Everyone. Not just your IT and Sec teams. Everyone is part of your security team. By creating a culture of security first, you will help to make that much more robust and resilient down the line.
The biggest impact on small businesses that is going to affect and/or change their security program is more compliance. There’s going to be so much compliance pushed through, whether it’s regarding security framework implementation in your organization, or whether it’s regarding consumer data protection laws that are being pushed through legislation.
The California Consumer Privacy Act (CCPA) was a large part of this push. I think what CCPA did was to motivate and incentivize small businesses to keep personal customer data safe. But, on the other hand, it is a regulation. It is something that needs to happen. So, if small businesses are not compliant, that could lead to some hefty financial penalties that will affect the small business significantly.
As a result, from a compliance perspective, I think there’s a lot to expect in terms of new regulations surrounding security and especially consumer data protection.
Security programs must adapt. They should be agile and cater for this shift, helping people do their jobs better and more securely. Protecting the remote workforce and your cloud infrastructure becomes a focus. It’s also a great opportunity to dust off incident response and business continuity plans to keep them relevant and in the forefront of everyone’s minds.
Work with your staff to explain the ways that bad guys take advantage of media-intense events for scams and fraud. Make it personal, use examples and relate to scenarios outside of the work context, too. Secure their devices and know your shared responsibility model when it comes to cloud services. Backups, logging and monitoring as well as identity and access management are all important areas to consider. Overall, it’s a good time to review your risk logs and threat models as well as to adjust your approach accordingly.
Longer-term impacts on security will require greater internal structure and program support, even when some security activities are outsourced to a third party. There is a greater need for internal security program development, staff training and awareness, as well as the associated governance to support and manage this due to increased regulatory requirements.
In addition, the rapid expansion of the current threat landscape and increased public visibility into attacks and data breaches have placed increased scrutiny on organizations of all sizes. The public expects more and wants assurances. Even if they are not tech-savvy consumers, new language around data protection measures is now becoming part of the average consumer’s vocabulary. They want to be told precisely what checks and balances are in place today that help to protect their information.
In the midst of the rapid and unprecedented changes that accompanied our shift to remote work, investing in cybersecurity programs became more important than ever. You can hear other insights from infosec leaders on building a strong security program in the clip below:
This is a series of blogs sharing insights into how organizations are adapting their cybersecurity strategies during these extraordinary times. Other blogs in the series include: Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes & Adapting to a New Way of Working in 2020
The post Investing in Your Cybersecurity Program During Extraordinary Times appeared first on Cisco Blogs.