As the COVID-19 pandemic drags on and shows no signs of abating before 2021 at the soonest, we are all expecting a fall with more unprecedented changes. School startup and a contentious presidential election season will also adding to the fun we’ve all been having. Whatever new normal we had begun to feel since March is set to shift again.
For CISOs in higher ed, healthcare, and government verticals particularly, the fall is shaping up to be a critical season for unique cybersecurity challenges. However, the trials of the past few months have provided a crash course in cybersecurity emergency management that can help set the priorities for the rest of this crazy year.
One of the major takeaways from the pandemic thus far is that response time is everything. When something new and huge—like your organization’s entire workforce going remote…right now—hits, how FAST your team can address the situation will correlate to how WELL your team can address the situation. This concept isn’t really new for CISOs, speed in identifying threats has always correlated to successfully responding to them. However, the fall months will be particularly defined by speed and agility for CISOs in many organizations.
As healthcare workers continue the grind of a seemingly endless stream of COVID-19 patients, their CISOs are facing a similar gauntlet of new and recycled attack strategies aimed at capitalizing on fear and chaos. Similarly, as university presidents and school superintendents make tough decisions to deliver education in hybrid and fully online models to students of all ages, their CISOs consider how to secure devices and connections used at home by teachers and their seven-year-olds students. As Biden and Trump enter the campaign homestretch, their CISOs face threats to security from every side at home and abroad.
All of these examples have something in common, the sprint will not last forever. A vaccine will slow the spread, fall semester will end, Tuesday, November 3rd will come and go. This particular vortex of emergencies making all vectors of cybersecurity more challenging than ever before, will pass. Even though the pain is temporary, it doesn’t make the labor facing CISOs this fall less painful. But how quickly they can plan, execute, and adapt their strategies will determine what kind of baby they birth come spring.
CISOs that have a clear view of their organization’s security posture will be posed to make the split-second decisions that will be required to protect against novel threats and support the last-minute changes in direction that have characterized the coronavirus world thus far. Those that have invested in products and partners that allow for continuous monitoring and coordinated communication amongst team members will be able to manage the known unknowns facing us all in the next few months.
Communication—not just between security team members—will also be key. Coordinating strategy and implementing strategy will require both horizontal and vertical support. As decisions are made on all fronts of organizational operations, the CISO will need a seat at the table to both direct and respond to decisions that may be far outside their normal jurisdiction.
Like the knights at Arthur’s legendary round table—where all were equal, and cooperation was king—CISOs will need to work with all the key organizational leaders to ensure that security risks are considered, and procedures and strategies are embraced across all sectors.
CISOs should brush off the old copy of “How to Win Friends and Influence People.” This fall will be the moment, if ever there was one, to embrace collaboration and practice the power of persuasion. Budgets are tight, businesses in all sectors are facing do or die decisions, and more operations than ever are happening online. The CISO’s time to influence the success of the whole organization is NOW.
At least some of the CISO’s work when it comes to communicating with the decision makers will be to influence the budget, assuring everyone understands what the cybersecurity program needs to support a remote workforce for the long haul and protect against increasing attacks targeting infrastructure and personnel. Again, investing in the right vendor partners to weather the coming storm this fall will require strategic budgetary decisions and lots of buy-in. Hopefully, these investments will also reap dividends when the dust settles next spring.
As much as CISOs might want to focus on system and programmatic issues during this season, they will likely have to prioritize the human component of their management responsibilities. Their teams are likely short-staffed, and their team members exhausted and stretched thin. Additionally, all the employees—whose adherence to company security policies and vigilance about personal cybersecurity is necessary to minimize social engineering attacks—are also exhausted and working under less than ideal circumstances. CISOs must recognize and address the huge human problem on their hands to successfully manage the digital ones.
One of the best sources CISOs have to draw from in supporting their teams and employees’ company-wide is their own experience as people. CISOs are living through a pandemic just like everyone else. CISOs are concerned about getting sick or getting well after being sick, concerned about kids going to school or not being able to go to school, concerned about the economy, social justice, and which candidate can best address these issues—just like everyone else.
When seeking to implement new protocols, introduce training modules, teach critical technologies, CISOs can get a lot farther with a little bit of empathy and a lot of explanation. Like rebellious teenagers, stressed out people recoil at doing things just because the boss says but can prioritize when they understand the reason behind the rule. Giving employees the big picture may take more time, but it will produce better and longer lasting results. CISOs should think about how to communicate the significance of their asks holistically. For example, explain how always using the VPN instead of a personal network not only protects company data but also makes it easier for the organization justify employees working from home now and in the future.
CISOs should also advocate for their teams to get what they need to be successful. Whether it’s additional positions or products, whatever the team needs to be firing on all cylinders even though the car is low on gas, the CISO should be working to get. In other words, even the most excellent teams have individuals not able to give their best right now. CISOs should recognize this people problem and compensate however they can.
Facing this fall comes with a fair amount of trepidation for everyone. What we hoped would bring a fully functioning economy, kids back to school, and a respite from COVID-19, is offering no such promise. But now we’ve had time to prepare and prioritize. Unlike in March when CISOs were stunned by sudden disruption, they now have what little experience can ever be expected to be gained on a problem in the constantly evolving world of cybersecurity. They know what needs to be done, now to the equally ridiculous task of actually doing it.
For more conversations about issues facing CISOs and the vendors they work with, check out the CISO/Security Vendor Relationship podcast, each Tuesday.