
During the ongoing COVID-19 outbreak many security professionals have by necessity been operating tactically & in response mode, trying to identify and mitigate the security risks of organisations that have had to move rapidly to remote working. It is right that they do, as the risks are clear & stark. For example, NASA’s Security Operations Centre has observed:

  • A doubling of email phishing attempts
  • An exponential increase in malware attacks
  • A doubling of NASA systems trying to access malicious internet sites

This is unsurprising: bad actors have exploited opportunities since the beginning of time, and COVID-19 related remote working has created several:

  • Employees working on & saving company data on less secure home networks and home computers which are often shared with other family members
  • Lack of VPN licences, or VPN bandwidth limits, meaning more insecure network access from untrusted machines
  • Employees being asked to use unfamiliar & hastily configured tools for conferencing, remote access, or sharing information
  • Simple process changes, such as authorising invoices remotely, being ripe for business email compromise, where bad actors convincingly (and often extremely successfully) impersonate senior executives and trick workers into sending sums of money to accounts the attackers control

Looking to the future: whilst fighting fires is never easy, now is the time to think about what a security strategy will look like in the “new normal”, and about the danger if security professionals are not able to influence wider organisational thinking at this time. So, what will the “new normal” look like? It seems clear that some degree of social distancing is going to remain in place for the foreseeable future, and this is going to have a major impact on travel and on the way traditional workplaces operate. More importantly, I have spoken to many executives from a variety of sectors who have concluded, with surprise, that they are actually able to do remotely many of the things that they previously were sure had to be done in person, in the office, face to face. Accordingly, it is reasonable to assume that organisations are going to use the experience of COVID-19 enforced remote working to review their estate & people strategies, with the likely outcome being less office-based working, more home-based staff, & greater use of true hot desking, all rapidly underpinned with technology providing a secure & seamless work experience wherever the user happens to be. Sounds great, doesn’t it?

The fundamental problem here is that the words “seamless work experience” and “secure” are rarely found in the same sentence, particularly if the word “rapidly” is there too! In my experience, when executive teams are faced with the need to compromise something to achieve a vision, it is often “secure” that is squeezed, particularly if the solution is to be delivered through “Agile” or “Lean” methodologies.

As an example, I will cite my experience supporting a global enterprise that was undergoing a fundamental transformation programme, championed by a charismatic COO. The COO had set extremely tight timescales for completion, and a loose programme of semi-independent “Agile” project teams to deliver aspects of the solution. The enterprise had a well-defined & documented risk appetite, linked to the heavily regulated sector it operated in. However, it was quickly apparent that the outcome of the transformation projects would lead to a situation where the organisation was operating well outside its stated risk appetite and risking regulatory action. How had a global enterprise got into such a situation? In simple terms, the answer was that the CSO & CISO were entirely disengaged from the transformation process, and the project teams were primarily driven by the need to deliver within the tight timescales. What contact there had been from the security team was seen as a “problem” and “unnecessary process” inhibiting delivery. Despite there being a comprehensive Risk Register, which was regularly reviewed by a Board Risk Committee, none of the security related risks were scored highly enough to merit Committee attention, so the security issues with the transformation programme were never subject to proper scrutiny. So, what are the lessons here for CSOs & CISOs as their organisations look to the future?

  • The key lesson is: do not allow yourself to be marginalised when fundamental change is being planned; you will not be thanked if a programme is derailed in-flight due to security issues that should have been flagged earlier
  • The Risk Register is your friend. If you can get your risks before a Risk Committee or Executive Team, and can articulate them in a positive & constructive way, you are far more likely to see them addressed
  • Make sure that you are either present or represented on Change Boards, and ensure that your concerns are recorded
  • If you do not have a Board or Executive Team position, escalate early
  • Finally, remember that, done well, security is a business enabler!