The impact of the changes brought about by the pandemic is the one inescapable topic running through my current conversations with CISOs. For me, this tends to fall into three subtopics: team management and people strategy, visibility, and crisis response operations.
While change can be hard, especially in challenging times, those in senior management need to empower their security leaders to make important decisions. In an uncertain business environment, doing so can be the difference between being well-positioned for the upswing or losing the initiative.
Team Management and People Strategy
The management of security teams has changed significantly since the world was forced to work remotely. The rug has been pulled from beneath once well-established processes, such as onboarding and morale building, and CISOs are having to adapt to stay relevant and keep teams connected to one another. The pandemic has emphasized the need to build teams and strong relationships remotely. It's critical in any industry, but especially for overworked and stressed security teams, to ensure they're rewarded, clearly communicated with, and motivated in their jobs.
Mental health is also a pressing concern, not just for CISOs but also for their teams. The stress of the pandemic coupled with isolation are further amplified by the never-ending demands of the threat landscape. It is still too early to say definitively how to address many of these difficult and delicate issues; however, it is apparent that our forced digital transformation is having unseen human impacts.
From my point of view, motivating a security team can be achieved by giving them challenges and a means to progress. The best cybersecurity talent is creative, curious, and hungry to learn. Being remote doesn't have to change this, and some of the most well-bonded teams I see are those who are given a clear path to development.
Having a team that has scattered to the seven corners of the earth because of the pandemic makes understanding their capabilities and current state of readiness difficult. Whereas previously you would catch up regularly, either informally or formally, now it's hard to understand where the different human assets lie in your organization and what their current capabilities are.
As an industry, we are hardwired to collect data from technology platforms but less so from a people point of view. This speaks volumes about the fact that human capabilities are often viewed as secondary to technological assets in cybersecurity.
However, progressive CISOs appreciate that skills weaknesses are as much a part of the attack surface as technological ones. By understanding this point, and mapping people data against common attack techniques, they can significantly increase effectiveness. This kind of view is especially crucial while remote and human assets are "at a distance".
It's Time to Update Crisis Simulations
Even before the pandemic, legacy crisis response training was falling behind the attack landscape. Cumbersome and infrequent, it's too static and resource intensive to effectively address a fast-paced, agile adversary.
Despite the rapidly increasing pace of the threat landscape, over a third of organizations still leave a year or more between cyber-crisis simulations, and 42% don't have regular cross-team incident planning at all. This legacy approach must change, building in greater frequency of training while simultaneously making it less onerous on people and involving a broader range of stakeholders. This lends itself to running shorter but more frequent crisis exercises that can be understood by everyone from public relations and legal teams to technical talent.
Crisis exercising in this way, known as micro-drilling, helps team members build vital muscle memory, which will teach them the instincts necessary to respond when the worst happens. What's being taught isn't the response to a specific issue but the ability to adapt and think on their feet when the worst happens. Teaching this kind of cognitive agility is crucial to building a resilient frontline response team.
This lends itself to a remote workforce. Employees in flux are more likely to engage with innovative methods such as this, which are often delivered collaboratively through the browser and bring together incident response teams to practice on real-life simulations of recent crises.
COVID-19 is forcing every element of business to adapt, and the security function isn't immune. To achieve this agility, senior security leaders themselves must be open to new ways of doing things. The underlying problems may be similar, but forced digital transformation adds a requirement for security to also transform. The successful CISO will be the one who understands this and is prepared to evolve, without putting pressure on constrained resources.