Security Think Tank: Time for security teams to learn from Covid
This article first appeared in Computer Weekly
After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?
In the future, organisations will need to become more adaptive and not just survive but thrive in the increasingly fast-paced digital world. They will need to build a culture of experimentation and empower the workforce to be innovative and agile in their thinking.
This needs to be underpinned by a balanced-trust approach to cyber security. Good security is built into the culture, and the organisation trusts its people, who take pride in the fact that their organisation looks after information. That trust is supported by processes that encourage compliance, so that it is easier to do the right thing than the wrong one, and backed up by monitoring focused on the things that genuinely matter and affect the “crown jewels”: using artificial intelligence (AI) to flag anomalous behaviour, and using the resulting data to “nudge” behaviours in the right direction.
Good cyber hygiene needs to become second nature, and the healthy scepticism of a zero-trust approach, in which no user, device or connection is trusted by default simply because of where it sits, must be embedded in the mindset of the whole workforce, not just the security team.
Covid-19 has taught us several things: that the world can change in weeks; that we can survive that change; and that adaptive organisations can thrive through it by using innovative technology underpinned by good cyber security and digital trust. There are a number of key success criteria for achieving this new way of working.
Cyber now a board-level business differentiator
In the past, cyber was seen as a necessary protection, but also as a cost to the business. Since the arrival of Covid-19, customers and citizens have been demanding security by default, especially in the face of increased phishing and ransomware attacks. They expect multifactor authentication as standard, and a control that was once viewed as adding friction to a business process is now considered a key differentiator in doing business.
The key is to think about cyber “business first” – looking at the business imperatives and organisational strategy so that the aims of the business, and the health of the bottom line, are the focus of the cyber and digital transformation effort.
Innovating at cyber speed
What used to take years now takes months, what used to take months now takes days, and what took days now takes hours.
The new digital ways of working, adopted out of necessity, have truly transformed the way we do business. Cyber was previously seen as something that slowed things down, but it is now increasingly a board topic and one that enables the business to move faster. Framing it in terms such as “cyber speed” helps board members see cyber security as something that lets their organisations grow and respond rapidly in an increasingly digital world.
Adopting a new virtual culture
Old leadership practices are no longer valid in the new normal. Leaders need to embrace the new ways of working and accept that the traditional playbooks of management doctrine may not always apply. In the early days of the pandemic, those who made bold decisions quickly, and were then willing to revisit and change those decisions as more information became available, came out of the crisis well.
The new ways of working also allow much more flexible working patterns, enabling greater diversity and inclusion in the workforce. There is also greater access to new talent pools, because the need to be physically co-located with colleagues has reduced. Removing geographic limitations enables levelling-up and a global workforce, a welcome benefit in what has to date been a war for cyber talent.
Balancing control and trust
We can no longer physically see how our people or citizens are behaving, so spotting what was once obvious in the office is very difficult in the new world.
However, we need to trust our people more in order to reduce the need for ever greater levels of control. To do this, we must train and educate them in the opportunities that digital ways of working offer and in the increased cyber-related risks that come with them.
We also need to provide them with processes and systems that encourage and support compliance. Trying to be all-controlling erodes the effectiveness gains we have made in the new virtual world, but some level of control is still required. That control should be explained to people, and understood by them, as supporting and protecting them from threats rather than policing them.
The long tail of third-party risk
We are now surging towards cloud adoption. This provides great benefits in terms of handling volume, building new services at pace, cost reduction, flexibility, and zero-trust models with stronger authentication of identity and more granular access control. However, the use of third parties also carries reputational and financial risk and, thanks to the new raft of privacy legislation, joint liability for the data they handle on our behalf.
We need much greater oversight of our third parties on an ongoing basis, not just an annual review. The adaptive organisation of the future demands confidence through continual assessment, together with a detailed understanding of each third party’s own supply chain and of how those risks are collectively managed.
The challenges of Covid-19 and remote working have brought the necessity of digital transformation and good cyber security to the fore, and have highlighted the changes we need to make to the way we lead, grow and manage our organisations. Striking a new balance between trusting our people and controlling our information and systems, in line with the business priorities of our boards, will enable organisations to deliver at the increasingly fast cyber speed that growth in the digital world demands.