In an exclusive interaction with CISO Connect, Tarun Kumar, CISO – Nissan Digital, discusses the cyber security challenges CISOs face during the COVID-19 pandemic and how they should gear up to meet the crucial issues of the future.
Q1: In the context of COVID-19 Pandemic, what are the key cyber security challenges that CISOs are experiencing?
A1: In the COVID-19 context, CISOs need to take a stronger and more strategic leadership role within organizations. They need to move beyond being compliance monitors and enforcers to better integrate with the business, manage information risks more strategically and work toward a culture of shared cyber-risk ownership across the organization.
A formidable challenge for CISOs is protecting the organization’s digital infrastructure and assets while enabling operations without interruption. For example, cybersecurity teams must adjust security programs and risk management practices to enable the massive shift to work-from-home tools and fast adoption of cloud services. At the same time, they must make it possible for security team members to look after themselves and their families during a health crisis.
The sudden shift to a remote workforce is also altering the risk profile of organizations. Most corporate networks are not tailored to allow the majority of workers to connect remotely. With millions of workers signing into corporate VPNs through insecure routers and personal devices, the risk of cyber intrusion has increased exponentially.
The key concern for CISOs is to balance the need to bolster network capacity to accommodate the increased volume of remote traffic while protecting the security of networks and data.
Q2: Based on your experience, give us your insight on cybersecurity strategy, risk management and its technical implementation for budding CISOs.
A2: CISOs should understand how crisis-driven operational decisions are changing the organization’s risk profile. They should stay on top of it to ensure controls are implemented smoothly without security compromises. As a CISO you need to answer questions including (but not limited to) the following:
- Can my business function effectively through remote working?
- Are traditional security controls operating in a similar manner in the new environment?
- Have VPN concentrators and gateways been assessed, and are they actively monitored, for bandwidth concerns?
- What single points of failure exist that should be monitored closely to achieve redundancy and maintain availability?
- What would happen if there was a cyber incident?
- Can Data Loss Prevention (DLP) or other similar tools be used to monitor and block the transfer of sensitive information?
- Can the use of home systems or other non-corporate devices be restricted?
CISOs should also be cognizant of the risks that change(s) in the operating models of their key vendors bring to their organizations. Due to the unpredictability caused by the pandemic, your vendors can be expected to make quick decisions to protect themselves and their employees, and in the process may not fully consider the effects on the organizations they service. CISOs need to understand the current environment and proactively reach out to all critical vendors to understand how their operations have changed or are changing. Wherever required, organizations can relax certain requirements if that would ensure continuous, secure or reliable services.
In the prevailing situation, malicious actors are using COVID-19 as bait to send emails with attachments or links to fraudulent websites to trick users into downloading malware or revealing sensitive information such as medical records or financial details. These are phishing emails or scams. Given the decentralized workforce, CISOs should continue to send frequent reminders to employees to avoid clicking suspicious links or attachments and to remain vigilant against phishing emails. Security awareness training for remote workers is critical and is the need of the hour. Conduct as much of it as you can.
Q3: What are the crucial qualities that are required for becoming a futuristic CISO?
A3: A great CISO is a highly sought-after person, probably because the role combines great technical skill with great management and a great personality. According to my experience, here are the top traits of a great (futuristic) CISO:
- Ability to speak in a language the Board understands: A great CISO should communicate regularly with the Board of Directors, providing actionable metrics.
- Ability to align security with business goals: A great CISO should understand that their role is not to control the business but to enable it to do what it needs to do in a reasonably secure way. A CISO should work towards creating a culture of change, which is not easy and requires plenty of this quality.
- Exhibit risk awareness: A truly great CISO should be risk aware, in touch with industry direction, and should have the ability to translate it into business impact and requirements. He / she should always be thinking about and prioritizing business risk.
- Be friendly and approachable: A CISO should have the ability to listen closely and be ready to speak with anyone in a friendly, approachable manner.
- Exhibit patience: Changing everything in an organization, from its risk tolerance and security culture all the way down to its processes, takes years of patience. CISOs need to understand that change in any organization is not an overnight story.
Q4: In this testing time of the COVID-19 pandemic, how do you see the future of security for organizations?
A4: First of all, organizations will need to re-establish effective controls over new working models, which is a new hybrid (home and office) working model. This involves more effective email and web security, dealing with the backlog of patches, rolling out more robust (two-/multi-factor) authentication for remote access, checking cloud security configurations and looking out for shadow IT created in the crisis period. Basically, getting organizations onto a stable model for the future is the key.
Organizations should have a clear idea of who and what matters to their businesses, whether it pertains to critical business processes or key individuals. All of these will matter for the future, and organizations should take time to embed them into their future operating models.
Several firms are likely to move to different workforce models that could be a mix of permanent core employees, with staff augmentation from contractors, use of managed service models, etc. All of this will push for newer security models based on federated identity and zero trust, especially when organizations will be operating over untrusted networks and infrastructure.
Disclaimer: The views expressed in this interview belong solely to the author, and do not represent or reflect the views of his organization.