Why Many CISOs Got Caught by the COVID-19 Pandemic

eWEEK DATA POINTS: Being able to support a remote workforce, essentially overnight, under the guise of protecting lives, brings a whole new pressure to the role of CISO.


At a high level, the IT industry may have been caught with its pants down a bit in the current COVID-19 pandemic. Not because there aren’t a lot of smart chief information security officers (CISOs) out there doing smart things, but rather in our/their ability to quickly adapt to an unprecedented scenario—and perform under an attack on personal safety.

We have always been afraid of a breach, but being able to support a remote workforce—essentially overnight—under the guise of protecting lives brought a whole new pressure to the role. Then, as we caught our breath, we had to adapt to a changing threat landscape.

Controls that we thought were effective were not. We realized that we didn’t put as much effort into validating third-party services as we should have (Zoom, for one widespread example). And we’re being asked to think ahead and define a security fabric that protects the security and privacy of the “new normal” workforce. Some thought leaders have said for years that the CISO gig is not for the faint of heart; we’re essentially standing up to an invisible bully that is always looking to hit us while we are down.

How does it change the role/expectations moving forward? Our professional resource for this topic, Lewie Dunsworth, CEO of managed cybersecurity provider Nuspire, offers his real-world perspective on this.

Data Point No. 1: Digital Transformation

There is no doubt that CISOs will be asked to help their business accelerate the digital transformation process. CISOs will have to get comfortable with their own “new normal,” meaning a mobile technology stack and security controls that follow the user, the device and the data, regardless of where they are in the world. It’ll also force them to understand the risks with every business decision and be adaptable in figuring out how to best protect the company, both in the short term (with mitigating controls) and the long term (with more robust protection capabilities).

Data Point No. 2: Identity

As companies accelerate digital transformation, there will be more of an emphasis placed on controlling who has access, how the access is controlled, what they are authorized to access and what they do with that access. Identity-centric programs also will take on a whole new meaning; there will be a convergence, of sorts, between security and privacy. A pandemic, like this one, could create a social construct where people are almost “shamed” for being infected with a virus. So, privacy and protecting health information will be critical.

Organizations will be forced to provide “controlled” access from different places and devices. This puts pressure on technologies that support MFA, identity governance, DLP, privileged access, insider threat, contingent access and others.

Data Point No. 3: Endpoint

Protecting and monitoring endpoints is paramount. As a CISO, you have to assume that an endpoint has to be controlled in a way that prevents it from being exposed in a “non-company” environment. That will be the new normal. Security policies will need to be applied based on the behavior of the endpoint environment, or the risk associated with it, as much as the users themselves.

Data Point No. 4: Home Networks/Remote Networks/SDN

CISOs will need to find ways to containerize the endpoint on a home network. VPNs (virtual private networks) are antiquated and can be bridged, and, unfortunately, man-in-the-middle SSL (Secure Sockets Layer) hijacks are easier in a non-controlled environment. Finally, companies will accelerate the use of SDN (software-defined networking) technologies to bring together disparate networks, endpoints, resources and data into a virtual network, and to provide more dynamic policies by understanding where network controls end and endpoint controls start and how identity determines how much a user is trusted given the situation they are in.

Data Point No. 5: Cloud, Cloud, Cloud

The future is now; cloud services dominate everything we do by extending capabilities wherever the business will take us. If they haven’t already, CISOs will need to embrace someone else being in control of protecting their data. There has to be an acceleration around third-party risk management, validating the efficacy of controls, hiring developers to automate the application of controls based on scenarios, and so on. More CISOs will self-consume services and controls versus always relying on consultation and other technologies.

Data Point No. 6: Attack Landscape

It is critical for every organization to understand its entire attack landscape through the hackers’ eyes. Having an “eyes-wide-open” mentality to the risks you have, everywhere, is a necessity.
