[BreachExchange] Profile of the Post-Pandemic CISO

Destry Winant destry at riskbasedsecurity.com
Tue Jul 7 09:42:05 EDT 2020


https://www.darkreading.com/edge/theedge/profile-of-the-post-pandemic-ciso-/b/d-id/1338202

Chief information security officers (CISOs) were forced to make many
pivots in the wake of COVID-19. The most obvious need, of course, was
to ensure widespread work-from-home arrangements were secured quickly
– like, almost overnight.

But now the early days of business disruption are over, and
organizations are settling into the reality that current arrangements
could stay in place for the foreseeable future – or even permanently.
Projects and initiatives that were pre-pandemic priorities have taken
a back seat to new business needs.

"What the company needs from its CISO has changed massively since the
pandemic," says Gavin Reid, CISO at Recorded Future. "To start, our
team at Recorded Future had a lot of plans and roadmaps that stopped
making as much sense."

So how has the role of the CISO and security management changed in
recent months? And what new responsibilities will CISOs be expected to
keep in the pandemic's aftermath? Security experts share their
insights.

More Emphasis on Physical Security May Become the Norm
"I have had to do way more physical security than ever before," Reid
says. "Setting a company health-related policy for the offices is an
example. I have had to do that for each country and location in the
country, and keep them updated as guidance changes. I have had to do
the same for travel and customer visits. These are challenging as we
balance organizational needs with our employees' safety being the
highest priority."

The convergence of the security of physical spaces, such as office
buildings, and information and data has been an ongoing evolution
since security first found its way into corporate structure. But
several security managers note that as companies attempt some level of
in-person work again, security managers will inevitably need to be
involved in the physical security of spaces.

Occupancy control per space, social distancing analytics, and updated
security, safety, and screening policies are just a few of the
considerations CISOs may be asked to manage, says Ahmad Zoua, senior
project manager at Guidepost Solutions.

"Return-to-office procedures and cybersecurity-scanning policies will
also need to be revisited and include new technologies such as
touchless solutions, integrated visitor management systems, and cloud
solutions," he adds.

For most organizations, the tools and technology required to implement
proper social distancing in the office or screen for potential illness
will be new ground for security managers. As a result, it will be
essential for CISOs to come up to speed on how they are used and to
develop the appropriate vendor relationships in this space.

A Focus on Mental Health Is Now Essential
CISOs were already stressed before the pandemic hit. But now it's
important for them to be empathetic leaders of teams who are also
likely feeling burnout.

"I think many CISOs have unwittingly been thrust into the position of
looking after the mental health of the teams they manage," says Max
Vetter, chief cyber officer at Immersive Labs. "As social creatures,
we don't truly know the impact on employee performance from such
isolation, so security leaders have to be careful to monitor their
direct reports."

In a blog post on managing mental health, Forrester analyst Jinan
Budge suggests CISOs allow themselves to be seen as more vulnerable
because it will help team members handle their own stress levels.

"At this time more than any other, your team will benefit a lot from
seeing that you are human and that you are sharing the same
experiences they are," Budge says. "This will create trust and give
them the permission to be open with you."

If They Weren't Before, CISOs Must Zero in on Business Strategy
It's a message that has been repeatedly stressed in the security
industry for years: CISOs must advocate for a seat at the table with
the board and executive management. The pandemic and increased
emphasis on security only accelerates the need for CISOs to be seen
not only as security leaders, but business enablers.

"CISOs now need to be more like CEOs, believe it or not," says Kurt
John, chief cybersecurity officer at Siemens USA. "While delivering
the technical solutions to help protect the organization, CISOs will
also need to be savvy strategic partners who are able to contribute to
business solutions aimed at solving increasingly complex issues."

This could bring CISOs into new territory, with involvement not only
in securing the organization but also advising product managers and
developers given how customers are increasingly viewing security and
privacy as essential.

"Many CISOs will find themselves being pulled into product discussions
as [subject matter experts] to advise on how to adapt products and
services for this new normal," says Ryan Weeks, CISO at Datto. "This
means increased responsibility not only for securing products, but
engaging in future discussions."

"We're driving the digital transformation of entire industries and
making the case that cyber-risk is business risk," adds Bob Huber,
CISO at Tenable. "We're analyzing our security posture, benchmarking
ourselves against peers and competitors not just because we want to
drive continuous improvement, but because boards of directors
understand that managing cyber-risk results in competitive advantage."

The Attack Surface Must be Redefined
The massive work-from-home directive has upended security's
responsibilities, leading to even more concerns over new attacks as
criminals find new ways to exploit the pandemic. In fact, a new survey
of executive decision-makers conducted by Deloitte finds 69% expect
the number and size of cyber events targeting their organizations to
increase in the next 12 months.

"Essentially, the post-COVID 19 world is not work-from-home but rather
work-from-anywhere, including coffee shops and hotels," says Candid
Wüest, vice president cyber protection research at Acronis. "This has
to be reflected in the security policies that probably need to be
updated."

As Immersive Labs' Vetter points out, now that workers are almost
everywhere, visibility has drastically diminished and greatly
increased the attack surface. For those who did not have a progressive
telecommuting policy, the sudden loss of the network perimeter has
been a shock. Security managers will have to reprioritize using this
new definition of the attack surface.

"If the working world changes to the degree that many are predicting,
it could mean a sea change in security strategy," Vetter says. "Take
training, for example, which is crucial to building a defense that is
up-to-date with the threat landscape. If teams have to maintain a
social distance or can't even go into the office, how do you ensure
skills development effectively?"
