The CISO's Perspective: Eight Lessons Learned From COVID-19

Posted by Joe Vigorito on Jul 14, 2020 10:00:00 AM

Given the already-expanded attack surface, in my estimation it is never too early to look at lessons learned from the pandemic—and there certainly isn’t a shortage of teachable moments, right from the top down. Here are eight lessons for Directors of Security and CISOs whose organizations and livelihoods have been imperiled by the pandemic.

Lesson One: Do not expect the government (federal or state) to “protect and defend” as it relates to your organization’s cybersecurity because of COVID-19 pandemic exposures and vulnerabilities.

While the National Security Agency (NSA) houses some of the top cybersecurity talent in the world, their charter is to take offensive and defensive actions against those who wish to harm the United States in totality—not individual public and private organizations. Overall, our government has the same lack of skilled, trained personnel as we all do, with an estimated 3.5 million open cybersecurity roles worldwide expected by 2021, as per Gartner Group.

Let’s remember what the last decade looked like. The Chinese military and the Russian Army attacked the US Department of Justice website, Iran targeted several US banks with massive DDoS attacks, and both US Steel and General Motors were threatened by Russian actors. The Iran attack precipitated Stuxnet in 2010, which compromised Iranian nuclear facilities by making centrifuges spin at dangerous speeds. The White House declined to help any of the private companies when asked to intercede, indicating that all must defend themselves. Expect that the government will provide training materials and help with research, but not much more than that.

Lesson Two: The last thing you need in the middle of a pandemic is a brand-new security crisis.

We must be proactive about closing new security gaps that result from rapid process changes. Nature abhors a vacuum, and so do hackers. They will sweep into the space exposed by remote workers, empty buildings, and vacant streets and take any advantage they can find.

Let’s also get prepared to address the vulnerabilities brought on by a remote workforce. Many home offices are not secure, with antiquated internet routers configured with default admin privileges and passwords.

Make sure that remote staff have a clear communication process to validate any change in procedures. Teach all end users to err on the side of caution. Focus considerable energy on end-user security awareness in this new reality. The top modes of attack during the pandemic have been increased phishing, malicious applications, attacks targeting home users, fake websites, and ransomware. Security awareness for end users is a must.

Lesson Three: Prioritize and formulate a “new work environment policy.”

Take into account that it’s not just work-from-home, but also work-from-Starbucks or the local internet café or library. Post-COVID, people may not come back into your office building, but do not anticipate that working out of their home is their only option. Physical security risk has increased. Do not leave laptops visible in the car while you run into the grocery store after doing some work at the library.

Focus heavily on end-user security training. Hackers will attempt to victimize new work-from-home employees.

Lesson Four: Revisit and review your overall security strategy.

Do a virtual assessment or a workshop. We at ConvergeOne do them all the time—literally hundreds of them. We interview people over the phone in order to assess, analyze, document, and report. We call our process the WAVES Methodology. We may still perform a technical assessment with no physical access and no one traveling to your location, but that comes after the qualitative workshop.

Whether you work with us at ConvergeOne or do it yourself, you must recognize that your environment is now different. The world pivoted under the virus. Your exposures have completely changed, and you have a completely different risk profile and attack surface than you did previously. If you're still operating under your original playbook from February, or from the original security roadmap that you put together when you started the year, know it is likely no longer valid and your emphasis may now be in the wrong areas.

Then, verify whether your risk tolerance is still what it was before COVID-19. Even though our priorities are shifting during the pandemic, now is not the time to put our security strategy on the back burner. We have to be proactive about closing new security gaps that are the result of process changes. Let’s also prepare to address the vulnerabilities brought on by a remote workforce.

Think of the process this way: Perform—or seek help performing—a comprehensive current state assessment, gap analysis, and initiative generation to ensure that nothing is left off the table. Here are some key drivers for consideration:

  • Validate whether the organization’s risk tolerance has changed, and in what direction.
  • Understand management’s new post-pandemic business objectives.
  • Uncover vulnerabilities based on new processes, social distancing, and remote work.
  • Identify the resources required to mitigate the new vulnerabilities.
  • Reprioritize existing policies in the security strategy to streamline digital defense efforts during the pandemic.
  • Create security training content specifically for new remote workers.
  • Form a Security Monitoring and Crisis Communication team to brainstorm where there are gaps in the existing security strategy. Identify how to fill those gaps and what resources are required.
  • Prioritize existing security policies based on the new gaps in the security strategy.
  • Reprioritize security policies to ensure protection for the business and its employees during the pandemic.
  • Enable this new personal focus as a driver for your organizational security awareness and training program.
  • The Security Monitoring and Crisis Communication Team should present security as a personal and individualized issue for employees that are new to remote work.

Lesson Five: Create a communication for your workforce and align it to a security checklist.

Make it read something like this:

“As the COVID-19 pandemic has increasingly required our team members to work remotely or from home, our IT security team has thought about how new remote-work policies may expand the attack surface of unprotected home networks, leaving your computer and our data assets at risk. Our organization has made remote work mandatory at this time, so we’ve developed a checklist for you to improve your overall security settings while working from home or at another remote location.

Non-corporate networks are often insecure because wireless routers and modems focus on ease of use right out of the box, but most modern routers come with more granular security controls that are turned off by default and require configuration changes to enable. People with older model wireless routers may also be set up with less-secure configurations.

Our IT security team will assist those working remotely so they can help make home networks and remote work more secure. The team will be announcing review sessions for using the attached security checklist to adequately protect our organization. We ask that you attend one or more of these sessions.”

Lesson Six: Use COBIT (v.2019) and its design factors to form a revamped and tailored governance system for your enterprise.

Regardless of where you find your organization post COVID-19, and whether you consider your environment to be traditional waterfall, agile, DevOps, or high-velocity IT, you need a dynamic governance system that can flexibly adapt to your changing governance and management objectives. That system is COBIT 2019. Think of it as the framework to manage your frameworks, and use it to align enterprise governance (e.g., business goal performance and compliance conformance with GDPR, SOX, and HIPAA) with standards and good practices (ITIL, NIST/ISO, PMBOK, or the Critical Controls).

Lesson Seven: Don’t forget about privacy.

Laws that were on the books before the pandemic outbreak are still on the books, and employees and customers are more concerned about their personal data being compromised than ever before. Requests may still come in for consumer rights, like the right to know, data portability, and the right to delete. Organizations will still be under pressure to ensure that all individuals responsible for handling consumer inquiries about your privacy practices are able to assist in the exercise of those rights. Now is the time to appoint a Data Privacy Officer (DPO), or engage one as a virtual service.

You must also teach privacy along with security to your people working remotely. Mistakes happen, and with the current distraction level being high, a privacy or compliance issue may be the final impediment in your business getting back to the pre-COVID standing it held.

Lesson Eight: Revive your risk management program with a health check.

The think tank InfoTech asked 2,500 IT leaders to rate the importance of risk management and their organization’s effectiveness in managing risk. On a scale of 1 to 10, importance received an 8.2—but effectiveness only received a 5.9. Though we consider it critical, many of us do not believe we do risk management well. And for the last eight weeks, most organizations have focused on business continuity, system availability, and network availability for a largely remote workforce. Confidentiality and integrity have been assumed or, in more severe cases, ignored, because of opportunity costs and crisis-based decision-making. However, it’s time to evolve in many different domains. Setting up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business is a significant step in your evolution as a strategic and proactive IT leader in the post-pandemic era.

Remember, too, that the value of your latest risk assessment depreciates rapidly. Continuous monitoring and regular reassessment of your risk portfolio are crucial for ensuring that IT decisions continue to be made through a risk management lens. Risk-conscious decision-making creates value for the business that should be measured and communicated. Even with the belief that we will soon emerge from under the lockdown measures of the healthcare crisis, now is not the time to take a bow or turn our attention from the imperative. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.

Therefore, risk management should be both seen and heard. Communicate the dollar value of risk management to keep the business engaged. That first health check you do is pivotal. Successfully going through the risk management process a second time is the difference between IT risk management being perceived as a one-off project and as an ongoing program.

Learn six actions to take now in a post-COVID-19 world by downloading the full CISO COVID-19 white paper by ConvergeOne's Joe Vigorito, Senior Director, Cybersecurity Lifecycle Consulting.