Chief information security officers (CISOs) were forced to make many pivots in the wake of COVID-19. The most obvious need, of course, was to ensure widespread work-from-home arrangements were secured quickly – like, almost overnight.
But now the early days of business disruption are over, and organizations are settling into the reality that current arrangements could stay in place for the foreseeable future – or even permanently. Projects and initiatives that were pre-pandemic priorities have taken a back seat to new business needs.
"What the company needs from its CISO has changed massively since the pandemic," says Gavin Reid, CISO at Recorded Future. "To start, our team at Recorded Future had a lot of plans and roadmaps that stopped making as much sense."
So how has the role of the CISO and security management changed in recent months? And what new responsibilities will CISOs be expected to keep in the pandemic's aftermath? Security experts share their insights.
More Emphasis on Physical Security May Become the Norm
"I have had to do way more physical security than ever before," Reid says. "Setting a company health-related policy for the offices is an example. I have had to do that for each country and location in the country, and keep them updated as guidance changes. I have had to do the same for travel and customer visits. These are challenging as we balance organizational needs with our employees' safety being the highest priority."
The convergence of the security of physical spaces, such as office buildings, and information and data has been an ongoing evolution since security first found its way into corporate structure. But several security managers note that as companies attempt some level of in-person work again, security managers will inevitably need to be involved in the physical security of spaces.
Occupancy control per space, social distancing analytics, and updated security, safety, and screening policies are just a few of the considerations CISOs may be asked to manage, says Ahmad Zoua, senior project manager at Guidepost Solutions.
"Return-to-office procedures and cybersecurity-scanning policies will also need to be revisited and include new technologies such as touchless solutions, integrated visitor management systems, and cloud solutions," he adds.
For most organizations, the tools and technology required to implement proper social distancing in the office or screen for potential illness will be new ground for security managers. As a result, it will be essential for CISOs to come up to speed on how they are used and to develop the appropriate vendor relationships in this space.
A Focus on Mental Health Is Now Essential
CISOs were already stressed before the pandemic hit. But now it's important for them to be empathetic leaders of teams who are also likely feeling burnout.
"I think many CISOs have unwittingly been thrust into the position of looking after the mental health of the teams they manage," says Max Vetter, chief cyber officer at Immersive Labs. "As social creatures, we don't truly know the impact on employee performance from such isolation, so security leaders have to be careful to monitor their direct reports."
In a blog post on managing mental health, Forrester analyst Jinan Budge suggests CISOs allow themselves to be seen as more vulnerable because it will help team members handle their own stress levels.
"At this time more than any other, your team will benefit a lot from seeing that you are human and that you are sharing the same experiences they are," Budge says. "This will create trust and give them the permission to be open with you."
If They Weren't Before, CISOs Must Zero in on Business Strategy
It's a message that has been repeatedly stressed in the security industry for years: CISOs must advocate for a seat at the table with the board and executive management. The pandemic and the increased emphasis on security only accelerate the need for CISOs to be seen not only as security leaders, but as business enablers.
"CISOs now need to be more like CEOs, believe it or not," says Kurt John, chief cybersecurity officer at Siemens USA. "While delivering the technical solutions to help protect the organization, CISOs will also need to be savvy strategic partners who are able to contribute to business solutions aimed at solving increasingly complex issues."
This could bring CISOs into new territory, with involvement not only in securing the organization but also advising product managers and developers given how customers are increasingly viewing security and privacy as essential.
"Many CISOs will find themselves being pulled into product discussions as [subject matter experts] to advise on how to adapt products and services for this new normal," says Ryan Weeks, CISO at Datto. "This means increased responsibility not only for securing products, but engaging in future discussions."
"We're driving the digital transformation of entire industries and making the case that cyber-risk is business risk," adds Bob Huber, CISO at Tenable. "We're analyzing our security posture, benchmarking ourselves against peers and competitors not just because we want to drive continuous improvement, but because boards of directors understand that managing cyber-risk results in competitive advantage."
The Attack Surface Must Be Redefined
The massive work-from-home directive has upended security's responsibilities, leading to even more concerns over new attacks as criminals find new ways to exploit the pandemic. In fact, a new survey of executive decision-makers conducted by Deloitte finds 69% expect the number and size of cyber events targeting their organizations to increase in the next 12 months.
"Essentially, the post-COVID-19 world is not work-from-home but rather work-from-anywhere, including coffee shops and hotels," says Candid Wüest, vice president of cyber protection research at Acronis. "This has to be reflected in the security policies that probably need to be updated."
As Immersive Labs' Vetter points out, now that workers are almost everywhere, visibility has drastically diminished and the attack surface has greatly expanded. For those who did not have a progressive telecommuting policy, the sudden loss of the network perimeter has been a shock. Security managers will have to reprioritize using this new definition of the attack surface.
"If the working world changes to the degree that many are predicting, it could mean a sea change in security strategy," Vetter says. "Take training, for example, which is crucial to building a defense that is up-to-date with the threat landscape. If teams have to maintain a social distance or can't even go into the office, how do you ensure skills development effectively?"