CISO on CISO Perspectives
Organizations around the world are engaged in one of the most rapid network transformation exercises in history. Tens of millions of workers are suddenly working from home, small branch offices, or in modified shifts to ensure their health and safety while ensuring business continuity.
Recently, three of Fortinet’s field CISOs – Renee Tarun, Jonathan Nguyen-Duy, and Courtney Radke – sat down to discuss the efforts, challenges, and opportunities organizations are facing as they transition to new work paradigms.
Many of the organizations I work with already have some employees working remotely. Their main challenge is how to scale those remote worker operations, how to ensure that the critical staff needed to run their data centers remain available, and how their service providers – who are hosting their business applications – are going to scale.
A good portion of their revenue and productivity was already online, right? So they're working through their business continuity plans to make sure that their third-party suppliers are actually able to execute. A lot of those business continuity plans were geared around regional or maybe national issues, but they really weren't equipped for a global pandemic.
And I'll add a little bit to that. While a lot of businesses are shutting down some of their physical, in-person operations such as indoor dining, they still need to maintain operations for behind-the-scenes work such as data center or security operations. By changing to a teleworker approach, businesses have had to quickly assess their overall technology maturity, and unfortunately, since they haven't had to operate in this fashion before, it may not be there. So in addition to making sure that identity and access controls were in place, they also need to ensure that their existing resources are robust enough for this new paradigm.
Another thing to note is that while this is an unfortunate time for all industries, it's also an opportunity for threat actors to capitalize on. When the majority of your traffic is suddenly originating from outside your network, it's much harder to sift through the millions and millions of additional hits to your digital and e-commerce platforms that you weren't expecting.
So they are not only going to have to deal with issues of scale from a teleworker perspective but also make sure that they can keep up with legitimate attempts to access their platforms. Which means they are going to have to scale up or automate from a security standpoint to make sure that they're able to watch and manage the rise in users, devices, applications, workflows, and transactions.
And speaking of adversaries, we need to remember that 95% of attacks are still happening through e-mail, and we're seeing a large uptick in phishing attempts using the coronavirus as a means to play on people's emotions. They're sending out e-mails implying that they’re friends, or the CDC, or the World Health Organization to exploit people and human weaknesses to either steal financial information or gain access to personal information.
I guess it really depends on how they were set up in the first place. The controls and visibility around them should be the same. There's just more of it. They still need to be looking for key indicators of compromise, following up on events, reviewing reports, etc.
The biggest problem is scale, and many organizations are being limited by their infrastructure, so they can’t get their users online in the first place. But once they're online, and if set up correctly initially, they shouldn't have to change their security approach very much. There may be more alerts and bigger reports to sift through, but the controls should have already been in place.
Of course, there would be a heavy lift and shift if they're trying to build security controls in place after the fact. If you've never thought you'd have to use some sort of remote or telework process, and you're now having to build controls without knowing what your baseline was previously, it's going to be pretty difficult.
VPN is going to be very important, but it may also pose a challenge, especially if there wasn't an infrastructure or BYOD (Bring Your Own Device) policy set up beforehand. You will also want to perform posture assessments, as you don't want to give network access to somebody who may be using a device that's not up to your security standards. You will need forward policy checks to make sure, from a patch management or security posture standpoint, that those devices connecting back into the network meet your security standards before you allow them to connect.
Exactly. For companies that didn't necessarily have a mobile workforce, people aren't going to be taking their office desktops home with them. So, having an effective BYOD policy in place is going to be more in play than ever.
Organizations are going to have to figure out how to get their work done with a skeleton staff. From a cybersecurity perspective, this means that organizations are going to have to rely more on security automation to deal with the low-hanging fruit so their available staff can focus on higher-order issues.
Yeah, the lack of cybersecurity resources is being exacerbated. So, for businesses to maintain operations, they're going to have to switch to or expand on their digital and e-commerce presence. This means their cybersecurity teams will also need to be focused on digital and e-commerce platforms. That will be a challenge because, especially in retail, those had already become the top threat vectors over the last two years, which is only going to be magnified now.
Another issue is going to be compliance, especially around the privacy issues highlighted in GDPR, CCPA, and the New York State regulations. I think that enterprises, in particular, as well as service providers, are going to really struggle to maintain the level of privacy those regulations require. How do you enforce and maintain compliance at a global scale to such a degree of granularity – especially when you have so much fluidity in the way that people are accessing and authenticating themselves across your environment?
Organizations are going to have to take a look at their supply chain risk management plans. This means ensuring that they have adequate sources to provide the necessary products and services. In many cases, this will require vetting multiple sources to ensure security and availability.