In the spring of 2020, organizations sought to protect their workforce by mandating and enabling their employees to work from home. While necessary for saving lives, this experience physically separated security professionals from their own teams, from the employees who depend on them, and from the systems they’re responsible for. The new work arrangement also placed greater strain on some personnel during an already stressful time.
That’s not to say that we can’t find ways to adapt to this new way of working. In the spirit of this reality, we asked several thought leaders in the industry to share their recommendations on how security teams can make the most of this change and set a strategy that works for the future. Here’s what they had to say.
Cheryl Biswas | Specialist, Cyber Threat Intelligence Program, Global Bank | @3ncr1pt3d | (LinkedIn)
Remote work has been a huge adjustment for many. For some, this has been very isolating. For others, it’s been hard dealing with the uncertainty.
You should set up time with your team or co-workers to meet regularly. We do a daily sync in the mornings. It’s not structured. We can talk about anything including work. It lets us connect with each other, and it’s really strengthened our team.
Also, set a schedule so that work is not all day, every day. Use visual management aids like wall calendars and white boards to track time, deliverables, events, etc. And make sure you take time to get outside, take a walk, get up, and stretch regularly.
Stephanie Ihezukwu | Cloud Security Operations Analyst II at Duo Security, Cisco | @StephandSec | (LinkedIn)
It is 100% normal to not perform as you normally do. This is not normal. We are all reacting to this in different ways. Some of us are lucky enough to be productive during this time. Some of us are barely holding on. Make sure you work WITH yourself, not against yourself. If that means taking time off or speaking with your boss about your struggles, do so.
However, do not stay down for too long. Feelings and emotions only last for 90 seconds. Our thoughts can push them to last a lot longer than that. Give yourself a day or two and then try again.
Also, maintain connections with your colleagues, family, and friends. Try to take regular breaks. Go back to things you used to do for fun but which life has caused you to forget. Get outside. But remember, you need to be well in order to do the awesome work you do, so take care of yourself.
Most importantly, taking your lunch as well as short breaks is crucial for your well-being and sanity. Keep in mind that working remotely (or from home) is a bit different than working remotely during a pandemic, so have patience and don’t be afraid to recalibrate and shift until you find what works for you.
Isiah Jones | Owner & SR ICS OT Cybersecurity Consultant | @blackCyberDude | (LinkedIn)
I’ve spent most of the last six years working remote plus global travel, and much of the last 15 years working with geographically dispersed teams (especially since I came from DoD, including Navy civil service). As a result, I don’t see this as being anything new, special, or different than what has already been shared by many of us for over a decade in terms of security advice.
My advice to people for this time is to use basic sense and start following the advice that has already been around. Don’t overthink and emotionally complicate things. If anything, the move to telework should finally force people to start doing what they should have been doing the last 10 years.
My advice is to follow the security controls and best practices that already exist for mature levels of handling insider threats, access control, change control, configuration management, asset inventory details, as well as secure remote access. (NIST SP 800-53, CIS Top 20 Critical Security Controls, etc.) Don’t make it overly complicated on the ICS side, which is my focus (not IT). It’s the same advice, but they should focus on ISA/IEC 62443 and ISA84 security and safety standard requirements for ICS OT equipment, people, and operations.
Mark Weatherford | Chief Strategy Officer for the National Cybersecurity Center | @marktw | (LinkedIn)
1. Don’t forget that while this situation has caused us to focus intently on tactical challenges, if you are a CISO, your job is also to keep your eye on the strategic direction of the security program. Your CEO might cut you some slack, but your regulator probably won’t.
2. Take advantage of the crisis and lean on your vendors for more support, product upgrades, and better pricing. Most vendors will find a way to work with you rather than potentially lose you as a customer.
3. Remote workers have increased the pressure on security teams to implement more robust endpoint monitoring and identity and access management (IAM) solutions. Use the crisis to get more internal support and budget to move these kinds of initiatives forward.
Jenny Radcliffe | People Hacker & Social Engineer | @Jenny_Radcliffe | (LinkedIn)
As a host of the Human Factor Security Podcast, we pivoted during this time and did the “Lockdown Diaries.” We interviewed a lot of people about what they were doing to cope with this sort of “new normal” through the lockdown period and beyond, and nearly everyone said what really helped them was having a routine.
So, on an individual basis, having a routine helps you cope, helps you get into work mode. It’s very difficult if you don’t have your own space to work in. We’re working from home, and not everyone has a designated office space. So, if companies can take account of that and perhaps not be so rigid as they’re used to being with working hours and other things, that really helps employees.
People can relax into this new way of working. I think we’ll find that people want to work to outcomes and objectives as opposed to the clock. If we can be flexible about how people best fit into this new style of working, I think that would be very helpful for businesses to get the most out of their staff at this time.
Matt Pascucci | Sr. Cyber Security Practice Manager | @MatthewPascucci | (LinkedIn)
Throughout the past couple months, the entire world has made a dramatic shift to how they’re working not only from an employee perspective but also from an operational standpoint. For companies that weren’t geo-diverse before the pandemic, this caused fear and anxiety. There has frequently been the pull to allow flexible work to employees as a perk, but the fear of completely breaking the mold had held institutions back from attempting it. With the pandemic thrusting most of the world on some form of lockdown, we had to evolve.
Some of the major security concerns came from having the threat landscape expanded by having students, children, and spouses all working remotely under their personal wireless network. The lack of full segmentation on these systems allows risks from one system to spread to others, potentially spreading back into their organizations.
With all these changes, I’ve seen companies start focusing on the shifting criticality of externally exposed infrastructure with a solidarity from the security and business teams. As an example, remote access tools like VPNs have become not only a business enabler, but also a critical system to have business continue. These shifts show that we’re adaptable to times of crisis and can securely and effectively work remotely.
There have also been changes to how leadership is required to work with a remote work staff. Many are doing this already, but when a sea change came upon us, the management styles of leaders were put to the test. With proper objectives, results, and oversight, the remote workforce can act just as organized if not better than a typical on-premise office, depending on the function of the employee.
To embrace this new way of working, you should look for what works for you. Working remotely/from home/not-office location is about flexibility, inclusion, and creating a space where you’re best supported. For some, that means going to an office, and I believe in the future, that should be available but with a non-mandatory approach.
For others, public transport isn’t feasible. Owning a vehicle isn’t possible and going into the office each and every day doesn’t work. Therefore, creating an office space at home or nearby is perfect.
I like a routine. I get up and make a cuppa, let the ferrets out, sit down, and start things up. This routine helps me in days when I can’t be bothered and days when I’m overwhelmed. However, finding a routine I can stick to wasn’t exactly simple. In a home environment, it requires flat mates to stick to their routine as well, and if I’m honest, I get frustrated when they don’t.
Why is routine so important? Well, it helps me quickly identify the normal in my environment. When things stick out, I question them. At times it’s simply a difference that isn’t threatening. Other times, it’s an event in need of investigation. That routine, behavior, consistency is how I help not-as-technically-minded teammates to identify things that require escalation.
Chloe Messdaghi | VP of Strategy, Point3 Security, Inc. | @ChloeMessdaghi | (LinkedIn)
A majority of breaches happen because employers are not investing in their employees. When we do not invest in our team, we become a threat to ourselves. To support one’s security team, it’s critical to provide ongoing training and support around mental health. Within InfoSec, we have a problem with burnout because we struggle to balance our work and personal life.
As a company or a leader, it is your job to make sure your employees are feeling balanced by providing resources and support. Lastly, remember you wouldn’t have a product if you didn’t have a security team. So, treat them well. Your company depends on it.
The sudden shift to work from home has brought both opportunities and threats for security leaders. On the opportunities side, we’ve seen some of our CISO customers using the reduced-time-to-decision to accelerate the implementation of certain security solutions, which support organizations’ overall digital transformation.
Equally, we’ve also witnessed an increased review of key security processes such as securely managing remote users and reviewing their access rights, especially privileged users. Working from home also means an introduction of a whole slew of BYOD issues, which warrants a review of BYOD/acceptable use policies as well as a renewed focus on remote device management execution.
On the threats side, bad actors have been taking advantage of COVID-19 in phishing campaigns, but again, this brings an opportunity for anti-phishing awareness and ongoing education to the fore. It also underscores how the education of users on new security implementations are a necessary part of an organization’s digital transformation curriculum.
Tricia A. Howard | Marketing Manager at HolistiCyber | @TriciaKicksSaaS | (LinkedIn)
It’s no secret that this situation has really messed with the way we work these past couple of months. For some of us, it might not be ending anytime soon. Even though things are starting to open back up, companies are realizing that they might not even need a brick-and-mortar office. That means that this “work-from-home” life could become a lot more permanent.
If you find yourself in this scenario, it’s important to have a distinction from your work-from-home life and your home-from-home life. Sometimes, that’s easier said than done.
One of the things that’s helped me a lot is trying to emulate my commute as much as possible both in the morning when I’m starting the day and also when I’m done for the day. By listening to music, listening to a podcast, or walking my dog for around the time that it would normally take for me to get into the office, it helps me mentally prepare for the day and also shut down whenever I am done working. It’s been extremely helpful.
Gabriel Whalen | Principal Field Solution Architect – Information Security at CDW | @Ghostmath1 | (LinkedIn)
Before this year, my recommendation to every organization was to consider implementing a security framework. All too often, there is a focus on having a “blinky box,” rather than testing or implementing non-technical (administrative and physical) security controls. It doesn’t matter if an organization has the best-in-class technical solution if they don’t have visitor access policies, locks on doors, a cadence of reviewing and improving security controls, etc.
The next level is actually executing a business impact analysis and implementing business continuity plans and exercises. Generally speaking, many organizations I speak with are focused on those annual or otherwise required technical tests, but it’s always on my list of proactive recommendations.
Now, I’m definitely hearing that more organizations looking at business continuity not only prepare for the uncertain, but also increase awareness of critical asset reliance beyond traditional silos in business units. This is an excellent second order result of the business impact analysis and business continuity planning and testing, as it really contributes to the maturation of an organization’s security posture and ROI.
We have now arrived at a point in time where this is not the new normal so much as the day-to-day business. Now that we’re moving into the acceptance phase of the way to get work done, we need to make sure we’re keeping a keen eye on three elements, with the human element being primary.
For most people working remotely, this is a completely new experience. Sure, they had taken the occasional Friday, but working as a dedicated remote staffer is another thing entirely. We as security practitioners need to be there to provide guidance more so than in previous years.
The second element to keep in mind is the use of defined, repeatable processes. Having people working remotely will help to draw this need in clear definition. The chance for things to go wrong is compounded by having this lack of face-to-face interactions.
The third element to keep in mind for the remote working force is the democratization of security. We have to be sure to provide security tools such as MFA to our employees that enable them to do their jobs safely and securely.
This is a series of blogs sharing insights into how organizations are adapting their cybersecurity strategies during these extraordinary times. Other blogs in the series include: Experiences from Cybersecurity Leaders in Extraordinary Times: Adjustments and Outcomes