When the COVID-19 pandemic began, every CISO across every industry scrambled to get their teams up and running. When we left our physical office space, we left our traditional security strategy behind with it. The theme of remote security has stayed top of mind since March: Cybersecurity experts correctly predicted that cybercrime in a virtual workforce would be a central topic at the recent Black Hat conference, and CISOs have had to rethink 2020 strategy with remote work leading the way.
While the initial remote shift opened the floodgates for many challenges, it also opened pathways to longer-term strategic opportunities for CISOs. Rather than behaving as "reactors" to security issues and taking a back seat in leadership compared with their C-suite peers, CISOs are now in a position to be change agents. During these unprecedented times, they must pave the way toward securely enabling the future of work and digital experiences and thinking through every potential future threat scenario.
CISOs have been waiting to prove their worth — and now is the perfect time to do so. Here are four ways they can successfully lead with change and act as more strategic C-level partners.
Carve Out More Time with C-Suite Stakeholders
CISOs and CSOs typically come from a technology background, like me — they usually have a computer science, engineering, or security degree, where there is little emphasis on topics like leading organizational change. The COVID-19 pandemic has introduced roadblocks nobody has ever encountered before, and the CISO has had to weigh in regularly on the security side as broader organizational decisions are discussed. The past few months have challenged CISOs with every type of experience and background to join in the executive ranks and collaborate more with C-suite decision-makers.
For me, this has meant carving out time for more frequent meetings with executives I'd typically only meet with on strategy every couple of weeks. I'm spending more time with my engineering and IT leaders to securely enable our workforce, and I'm also spending more time with our CEO to discuss cyber-risks as they evolve with COVID-19 — specifically, what that means not just for ourselves but also our customers. When I first started a few months ago, I met with him every day for one hour to talk to him about what we should be prioritizing on the security front. Our time was spent discussing the immediate needs and actions that we needed to take as a company, but importantly, we spent a great deal of our time dedicated to looking at how we can leverage our shared experiences to better protect and enable our customers in an ever-increasing threat environment.
Shift Focus from Your Team to the Company as a Whole
While a CISO's day-to-day role before the pandemic might have been centered primarily on initiatives tied to his or her own team, every CISO now has to broaden that focus and get involved in every team across the organization. A CISO's vision is always to create a culture of security across the organization, and over the past few months, working with customer-facing and other critical frontline teams on specific security measures has surfaced as an undeniably critical priority.
Depending on the size and nature of your company, this might mean taking time to learn about new roles and getting more deeply ingrained in other teams' responsibilities to understand how CISOs can play a bigger part. I myself am spending time working with a number of teams outside of security, from customer service to sales and the field, to support how we deliver services for a remote work world. As this environment continues to change and remote work becomes permanent, collective action and cross-collaboration must happen to instill security across the entire organization.
Balance Remote Work Vulnerabilities with Transformational Change
The hardest challenge for many CISOs right now is balancing the influx of remote work threats with the need to focus on long-term strategic goals. With remote workers using more tools, apps, and technologies than ever before, we've had to ensure security remains at the forefront and that our employees take time to slow down and consider the security implications of every new technology deployed. At the same time, CISOs need to stay one step ahead and consider how they can play a leading role in changing frontline technology services that facilitate improvements to both workers and customers.
No matter how many urgent remote work vulnerabilities arise, CISOs must maintain a focus on what comes next. I'm juggling new inbound and quick-turn needs that arise every day but also collaborating with the executive team on our plan for dynamic work and how we'll design, run, and secure our offices of the future. There has never been a better — or more crucial — time for security leaders to have a seat at the decision-making table.
Look to Hire Globally and Expand the Team
CISOs can also make a more strategic impact when it comes to intentional hiring during this time. As we start to break down preconceptions about the effectiveness of working remotely, we'll start to see a movement toward hiring in any location and seeking out candidates with a much broader, more diverse set of experiences and skill sets.
According to the Cybersecurity Workforce Gap report, by 2022, the global cybersecurity workforce shortage is projected to reach more than 1.8 million unfilled positions. By pushing their organizations to consider a new global, remote pool of talent, CISOs can confront this security skills and talent shortage while further closing the diversity gap in the cybersecurity industry overall.
While CISOs faced many barriers to overcome in early March during the shift to fully remote work, they've also encountered many opportunities to more strategically collaborate and think about long-term security success. I like to visualize the notion of keeping a hand in strategy with a foot firmly planted on the ground. For me, this means I'm heavily engaged in a dialog with my executive team and leading from the top while also remaining deeply connected with what is happening day in and day out with my own team. Getting that balance right is one of the biggest challenges security leaders face as we deal with the implications of COVID-19. CISOs have a new opportunity to lead with change — not chase it — and fundamentally shift the way in which companies secure their operations and deliver fully digital experiences.
David Bradbury is Chief Security Officer at Okta. As CSO, he leads overall security execution for the organization and his team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, he is instrumental in helping ...