[BreachExchange] Post-pandemic responsibilities for a modern day CISO

Destry Winant destry at riskbasedsecurity.com
Thu Sep 17 10:33:59 EDT 2020


https://www.techradar.com/news/post-pandemic-responsibilities-for-a-modern-day-ciso

It’s no hidden secret that businesses have been moving toward digital
transformation for years, but the current pandemic has accelerated
this movement at a rate and scale like never seen before. As Microsoft
CEO Satya Nadella recently put it, “We have seen two years’ worth of
digital transformation in two months.”

As organizations worldwide adjust to what’s being called the “new
normal,” especially in the digital context, roles and responsibilities
of all employees from the top down are looking different going forward
– especially CISOs. From enabling the ability for all employees to
work remotely in a secure manner to ensuring the security of newly
adopted applications and software, it’s safe to say CISOs have their
hands full. Let’s explore what exactly the “new normal” looks like for
these security leaders.

A Shift in Priorities

The CISO has likely been working tirelessly throughout the pandemic to
help secure a new, remote workforce and fleet of technologies. Moving
forward, CISOs will need to ensure that the proper security
protections are in place for many different types of software,
applications and devices, as well as how they are accessed. It is
their responsibility to ensure response measures that were put in
place quickly are now robust and enterprise-grade for the long-haul.
This requires a shift in prioritization including:

Prioritize Popular Workplace Communication Software

The software employees rely on the most differs based on their working
location. For example, when an employee is remote, video conferencing
software is being used daily to communicate with co-workers.
Adversaries have taken note of this shift, targeting platforms where
they can become silent eavesdroppers, steal sensitive information
that’s now being transferred over the web, and more. There are now
heightened concerns about meetings taking place online which used to
be protected by four walls and a door, and rightfully so. Ensuring
that virtual meeting platforms are secure from a network and software
aspect is necessary.

Prioritize Cloud Computing Infrastructure

Employees need secure access to information, especially when outside
of the office. Another change that will be essential for business
continuity is the adoption of cloud-based infrastructure that is
accessible from anywhere. Many organizations are realizing the
potential of cloud services to rapidly scale and deploy new services,
particularly in terms of remote working. Yet, according to KPMG and
Oracle's third-annual Cloud Threat Report, 92% of IT and security
professionals do not trust that their organization is well-prepared to
secure public cloud services. The adoption of cloud computing requires
the implementation of a strong security framework and foundation in
order to protect business assets stored online from theft, leakage,
and deletion.

Prioritize Communication of Key Policies

Cybersecurity procedures and policies need to be clearly communicated
from the CISO, now more than ever before. One area that will get a lot
of attention in the post-pandemic virtual economy is associated with
data at-rest and data in-transit policies. With virtual work,
determining what is and isn’t acceptable must be clearly articulated
for employees, leaders, developers - everyone. If this doesn’t happen,
organizations run the risk of turning into the ‘wild west’ when it
comes to security guidelines, with each person essentially operating
under their own rules, thereby increasing risk of data being
compromised due to insecure transit or storage practices. A successful
defense for corporate and private networks depends on good policies,
education, and widespread internal alignment on new, clear-set
policies.

Security is in Everyone’s Job Description

Shifting back to in-person office work environments will be one of the
last things to return and many employees are likely to take a hybrid
approach to office work, meaning they will mix working from home with
being in-office week to week. All employees should be well trained on
software-related security concerns and what is expected from them in
both the office and at home. One way to mitigate employee risk is to
provide special training for developers and security staff, and take
the time to address the root cause of many software-related security
issues: security awareness.

This can be achieved in a few ways, but one of the most effective
tactics is to ramp up cybersecurity training programs. Utilize
interactive, gamified components to keep employees and developers
engaged and entertained, and deliver lessons in short, frequent bursts
to keep security top-of-mind in their daily operations. More broadly,
address security throughout the entire organization, pointing to
security best practices for staying safe while remote. At the end of
the day, security is everyone’s job, not just that of a few
individuals.

The pandemic has taught us that software is essential as we adapt to
new ways of working and living and a driving factor in the digital
transformation escalation. Software, on both the web and mobile, has
enabled continuity in both our business and personal lives. However,
with this increased dependence on software and technology comes the
critical need to ensure these platforms are trustworthy and secure.
Without secure software, business and social activity would come to a
halt. It is the CISO's responsibility to recognize that digital
transformation efforts are not temporary solutions, but the future of
work.
