What was it like working cybersecurity this year? We know all the obvious answers: The pandemic forced just about everyone to work from home, security teams had to scramble to protect disparate networks and home setups, and cybercriminals made life miserable by taking advantage of the chaos.
But with 2020 a few days shy of being behind us, what are some of the takeaways and relevant experiences security professionals think about on a deeper level? Eight security leaders shared with The Edge what stands out for them the most.
"It was a bit like falling down the rabbit hole in Alice in Wonderland. Things are oddly familiar but also different. It's like in the tale, but in this case, especially with SolarWinds happening, maybe we fell into the next hole. But in each case, we make our way through, we rely on our peers as a tribe, and we demonstrate that while we are all worn and weary and our proprioception [the senses that orient us to our surroundings] is confused, we continue the struggle with dedication to get through it."
— Malcolm Harkins, Chief Security and Trust Officer, Cymatic
"Starting as a new CISO at a Fortune 500 enterprise is a big responsibility and requires intensive stakeholder collaboration, so the 'new normal' of everything going virtual — from the entire interview process to onboarding and beyond — certainly presented a unique set of challenges. To this day I'm still waiting for the opportunity to shake hands with other executive leaders, board members, key clients, as well as the vast majority of my security team. In order to thoroughly assess the company's privacy, security, and risk posture, you really want to be sitting across the table from your team and interacting in person as much as possible."
— Seth Cutler, CISO, NetApp
"When I was leaving a [security role with a major government health agency], people would ask why I was so happy. I wasn't aware that I had been smiling more than usual, and I felt a bit embarrassed because it must have seemed like I was happy to be leaving them and this role. After some reflection, I realized my happiness came from a massive burden being lifted.
"I was working under enormous pressure and felt completely responsible for all [our] medical devices' cybersecurity. I was dealing with everything from daily fires from WannaCry to single manufacturer issues while simultaneously trying to advance policy to ease that constant post-market burden. I was constantly aware of how far we had to go and what it would take to get to a steady state. I was barely sleeping and dreamt of wading through endless paperwork that would lead me to some miraculous security solution. Stepping away from this role felt like I was removing the weight of the world off my shoulders."
— Seth Carmody, now VP of Regulatory Strategy, MedCrypt
"The pandemic introduced a few major challenges, the first being the dramatic pivot to work from home and the increased attack surface area along with it. The second [was] the mental strain on an already taxed cybersecurity workforce. We've already seen mental health as an issue in this industry, with coping being done via abuse of alcohol and narcotics by some and others simply leaving the field. The pandemic over the past year and its associated fallout have caused several people I've known in this industry to commit suicide. We often talk about the health of our technology defenses, but we too often forget about taking care of the human defenses."
— Ken Underhill, Master Instructor, Cybrary
"As a company that launched at the 2020 RSA Conference (RSAC) in February, QuoLab Technologies felt the impact of the COVID-19 pandemic at the very beginning. During RSAC, several key vendors and companies announced they would no longer attend, which framed the overall tone of the event. At a critical time when we were trying to get in front of potential customers, partners, and investors, we realized we were going to be faced with an even steeper uphill climb to stay relevant and viable than most early-stage startups. By March, when public gatherings — including critical conferences and networking events — came to a halt, we completely reimagined our business model."
— Dan Young, CEO, QuoLab Technologies
"While conversations regarding mental health and burnout have previously found their way into massive events like RSA and Black Hat, 2020 put them on the center stage — the stage being everyone's home offices. Since the onset of COVID-19, the security industry has tipped upside down. Instead of juggling new alerts and threats, practitioners also had to add at-home daycare, schooling, and more into the mix. On top of this, barriers created by remote work made it exceedingly difficult to gauge teams' mental state. The line between work and home was no longer a car ride, bus ride, or walk, which left managers scratching their heads about how to successfully lead a team while coping with uncertainty themselves."
— Sam McLane, Chief Technology Services Officer, Arctic Wolf
"It is hard to recall a period of time during the Internet Age where foundational operating procedures changed so rapidly and significantly seemingly overnight in every industry globally. The rapid implementation of social distancing and lockdown procedures associated with the pandemic meant that security teams had to adapt and defend digital infrastructure that was being spun up in real time to enable remote work functions.
"Even the best security teams had trouble keeping up with all the necessary changes for business continuity. While this put extreme stress on all the teams involved, it also has led to some positive outcomes. It was a forcing function to become more strategic around business disruption planning. It also provided an opportunity for security teams to evaluate what processes and capabilities are broken or outdated given the changes to the technology stack."
— Ross Rustici, Global Head of Security Architecture and Threat Intelligence, ZeroFOX
"Before 2020, many security professionals would admit that their business continuity and disaster recovery plan was the driest program. It typically received the least amount of love and attention. After all, it was the type of plan you created for a worst-case scenario. Security and operational professionals would often snuff at the example scenarios they needed to plan for. In comes 2020, and suddenly, that business continuity and disaster recovery plan, even if it wasn't perfect, is suddenly the belle of the ball. Lesson learned: Always provide care and feeding to your company's business continuity and disaster recovery plan. You never know when you are going to need it."
— Kathy Ahuja, VP of Global Compliance and Information Technology, OneLogin