Many authors have surveyed the impact of COVID-19 on different aspects of the economy and culture, and speculations abound on what the "new normal" will look like for different segments of society and in various types of organizations. It is important to consider how the pandemic has impacted us as security leaders, and how we can navigate the uncertain waters of the emerging post-COVID world in the coming months and years.
The past 15 months have been unlike any other time in our careers. In early February of last year, a very respectable analyst firm predicted that by 2023, 30% more workers would work from home. That would have been a big increase over the share of office workers that worked from home at the time, and may have been seen as a rather bold prediction. But less than a month later, the world changed completely, and a majority of office workers were working remotely.
CISOs are no strangers to the turmoil of those first couple months. Almost overnight, we were no longer the gatekeepers of which IT devices, practices, and software were sufficiently secure. Instead, we were tasked with implementing emergency measures to maintain business continuity and security while the whole world of work was changing before our very eyes. Then, later in 2020, many of us were key players in planning for the post-pandemic future of our companies. This future will require the holistic vision of cybersecurity that most of us were advocating for even before COVID-19.
As we move into a brave new world in the last half of 2021, I think it is beneficial to look at three dimensions of the CISO's role—all of which have been expanded in some way by the pandemic:
Digital innovation was already in full swing at most enterprises, but the pandemic forced an already accelerating trend to move even more quickly. Projects that were several years out on the roadmap were suddenly business-critical. Companies could no longer just maintain, but instead needed to enable a new generation of networks, collaboration tools, and cloud-based services with a widely distributed architecture—and protect it at the same time. In other words, we must do two seemingly contradictory things: protect and connect. The security leader is an increasingly essential part of these conversations.
As we emerge from the pandemic, no one should expect the need for digital innovation to slow down. But to do these innovations safely, a holistic approach to security is increasingly critical. This is why COVID-19 may have put the final nail in the coffin of the "point product" approach to solution selection. This approach involved conducting a separate search for each element of the network or security architecture, without regard for how the siloed solutions would work together. Ultimately, someone had to glue everything together—usually by doing a lot of manual work to collate information from different solutions.
A holistic approach means building an entire architecture as a single unit, enabling organizations to accomplish both digital innovation and security at the same time by using native integrations. I should quickly note that holistic is not necessarily monopolistic, and organizations do not have to throw away their installed base to take advantage of an integrated cyber response. However, security elements should be chosen so that they natively work together.
The holistic approach has a number of benefits that align with today's requirement for rationalization. The perfect example is the massive adoption of secure software-defined wide-area networks (secure SD-WAN). The demand for secure SD-WAN is accelerating due to its increased agility and reduced cost coupled with full visibility into traffic. Smart companies are adopting a security-driven networking approach as they perceive the need for network innovation and advanced security to be addressed as one. This merges two previously siloed functions, improves the efficiency of both, and makes security an enabler of digital innovation.
Another element of the holistic view is adaptive cloud security. The cloud is one of the biggest IT trends of our generation, enabling incredible computing power without capital expenditures. Some enterprises have tried to focus on a single public cloud because security protection is more straightforward that way. But this also locks the enterprise into following a specific technology roadmap—and a future cost structure—that it may not control. On the other hand, if security sits on top of a distributed, multi-cloud infrastructure, the enterprise has freedom to find the best cloud for every service.
A third pillar of this approach is zero-trust network access. With this approach, access to resources is granted dynamically and reevaluated based on the real-time context and behavior of the requestor. As billions of new devices try to access our connected world, we must continually challenge every attempt to access the network and the resources within it, rather than trusting a device simply because it is already inside.
More than a decade ago, the CISO was a relatively low-ranking leader whose team was mostly focused on antivirus administration. At that time, there was little need for skills in public communication. Today, even the CEO turns to security leaders when it is time to explain a breach to stakeholders, answer to the press, or ground a security posture in facts.
The CISO is even becoming part of the decision tree for mergers and acquisitions. An acquisition target with a poor cybersecurity posture can cause significant problems for the larger organization, potentially negating the value that would be derived from acquiring it. Our opinion as security leaders is more and more integrated as part of the due diligence.
During the pandemic, the ability to communicate became even more important than before. Cyberattacks increased in many industries, and security leaders were tasked with explaining them. CISOs also must depict the company's recovery roadmap in a way that reassures employees, customers, and shareholders. Internally, it is increasingly critical to communicate the "why's" of any new security initiative, especially if it requires additional attention from employees.
A decade or two ago, the CISO was well insulated from the financial and risk management sides of the business. From the CFO's perspective, their operation was a cost center—necessary for the business, but not immune to cost-cutting initiatives. From a risk management perspective, while the security leader's tools were needed to meet risk benchmarks, they were straightforward and somewhat commoditized, and thus were not a part of strategy discussions.
Again, the pandemic accelerated the need for a change here. Security leaders had to learn to speak the language of the business to explain why their team is a value center for the organization—and a vital part of risk management strategy—rather than a cost center. This was a stretch for some CISOs, who often worked up to their positions from the technology side rather than the business side. But in the past year, many security leaders found themselves in a situation where they could invest more. They were also given a voice in corporate investments, as they had demonstrated that they understood risk management.
The benefit of investing to mitigate a specific risk is a relatively easy calculation to make. If a specific incident is likely to occur twice a month, and the related losses are $1 million each time, the company carries an expected yearly loss of $24 million. In that context, spending a tenth of this amount, $2.4 million, is a very responsible investment, provided the control actually removes substantially more than $2.4 million of that expected loss each year. There is a big difference between articulating the budget request this way and simply asking for an extra $2.4 million allocation. As CISOs learn to speak the language of risk management, they make powerful friends in the boardroom and get their fair share of top executives' attention.
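The calculation above is the classic annualized loss expectancy (ALE) model. The following is an added example, not part of the original article, that carries it through in code and adds the step the paragraph leaves implicit: a control is only worth its budget if the loss it avoids exceeds its cost. The incident figures are the article's (two incidents a month at $1 million each); the control names, costs and mitigation percentages are constructed assumptions for illustration.

```python
"""ALE and return on security investment (ROSI) for ranking candidate controls.

Added example, not from the original article. The baseline figures are the
article's illustration; the controls below are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List


def ale(aro: float, sle: float) -> float:
    """Annualized loss expectancy = annual rate of occurrence * single loss expectancy."""
    if aro < 0 or sle < 0:
        raise ValueError("rate and loss must be non-negative")
    return aro * sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly spend on the control, in the same currency as SLE
    mitigation: float    # fraction of the baseline ALE the control removes, 0.0..1.0


def residual_ale(baseline_ale: float, control: Control) -> float:
    """Expected yearly loss that remains after deploying the control."""
    if not 0.0 <= control.mitigation <= 1.0:
        raise ValueError("mitigation must be a fraction between 0 and 1")
    return baseline_ale * (1.0 - control.mitigation)


def rosi(baseline_ale: float, control: Control) -> float:
    """(loss avoided - cost) / cost. Positive means the control pays for itself."""
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided = baseline_ale - residual_ale(baseline_ale, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(baseline_ale: float, controls: Iterable[Control]) -> List[Control]:
    """Order controls from best to worst ROSI so the budget conversation starts with the winners."""
    return sorted(controls, key=lambda c: rosi(baseline_ale, c), reverse=True)


# The article's scenario: two incidents a month, $1M each.
BASELINE_ALE = ale(aro=24, sle=1_000_000)  # 24,000,000

# Hypothetical controls (constructed numbers, not from the article).
CANDIDATES = [
    Control("phishing-resistant MFA rollout", annual_cost=2_400_000, mitigation=0.50),
    Control("second antivirus console", annual_cost=2_400_000, mitigation=0.05),
    Control("privileged access management", annual_cost=600_000, mitigation=0.20),
]

if __name__ == "__main__":
    print(f"baseline ALE: ${BASELINE_ALE:,.0f}")
    for c in rank_controls(BASELINE_ALE, CANDIDATES):
        print(f"{c.name:32s} cost ${c.annual_cost:>10,.0f}  "
              f"residual ${residual_ale(BASELINE_ALE, c):>12,.0f}  ROSI {rosi(BASELINE_ALE, c):+.2f}")
```

Run it and the point of the article's tenth-of-the-risk rule becomes concrete: the same $2.4 million spent on a control that only trims 5% of the expected loss is a net negative, while a cheaper control that removes 20% ranks above both. The board conversation is about avoided loss per dollar, not the size of the request.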
There is another big trend that was accelerated by the COVID-19 pandemic as the new normal: changes in how organizations recruit, manage, and retain the people that do the work of the business. This is true across all departments, but perhaps especially true with cybersecurity as we deal with an ongoing skills shortage.
In essence, we must recruit differently now than we did in the past. We previously looked for someone with a specific skill, neural network experts, for instance. With automation, we free the human brain from repetitive correlation work and enable our teams to gain more interesting ground. Job descriptions still include technology, but also collaboration with other departments, and the economic dimension of cybersecurity becomes part of the cybersecurity remit. With the repetitive tasks automated, people are invited to be more strategic in their daily work. This gives companies the freedom to favor skills like critical thinking, communication, and business acumen rather than only technical experience.
In 2021 and beyond, the ideal security leaders will be technology partners, communications partners, and financial partners for the business. They will provide coherent and consistent content for crisis management and ongoing expertise to inform the organization's whole risk management portfolio. And they will build systems that make our hyperconnected world a safer place, no matter the crisis.