The world of cybersecurity was a mess prior to the pandemic. Now it is a textbook catastrophe that we are only now figuring out how to fix… maybe, according to the Omdia analyst summit that kicked off Black Hat 2020 in Las Vegas, Nevada. “Normality has been reset,” said Maxine Holt, Omdia’s senior research director for Cybersecurity, in her keynote address for the summit.
Holt said Omdia’s latest research found that the COVID-19 pandemic accelerated organizational journeys to the cloud to facilitate employees working from home. “Almost a third of organizations class the adoption of cloud services as significantly more important than it was before the pandemic. Insurance and security considerations were, at best, probably an afterthought.”
She explained these organizations were seriously vulnerable to cyberattacks, with the security team racing to protect a network edge that exploded in size. “Whatever had to be done had to be done quickly. Corners were frequently cut.”
Holt compared both the early and the most recent efforts to applying a bandage to a deep wound, with greater emphasis on keeping businesses open and profitable. “Business continuity has absolute priority over security and regulatory considerations. Security controls for an in-office environment … are falling short in the new environment.”
Holt suggested bringing security functions together with those ensuring business resiliency under the term Chief Security Officer. The CSO would report to the CEO. The CISO, CIO, communication, resiliency, and data organizations would report directly to the CSO.
The problem of employees
In a follow-up, senior analyst Curt Franklin spoke about “Turning Users into Cybersecurity Allies” through encouragement rather than punishment. The organizational strategy Holt outlined would probably help with that. Rather than siloing security where no other division would listen, it puts security into every operation of the company.
“Employees are just not good at cybersecurity,” said Franklin. Left on their own they “must be considered as a massive vulnerability.”
Punishing employees through audits, assessments and tests accentuates how bad the employees are and assigns blame, destroying morale and productivity. Franklin said training them to recognize dangers and how to respond to them is more efficient.
“Employees start out as disasters but training increases awareness,” he explained. Rather than blame individuals, awareness translates into individuals accepting responsibility, he said. Eventually, that makes them allies and even security professionals.
“Users are never neutral. They are either vulnerabilities to be managed or part of your cybersecurity defenses,” he stated.
In the Q&A after the session, Holt supported Franklin’s thesis. “There are some organizations that don’t have the required expertise in security for remote working and would prefer employees to be in the office. That’s not realistic. The infosec function needs to be able to work with the customers and be adaptable.”
That’s only possible, Holt and Franklin agreed, if everyone is working from the same page.