Crowe cybersecurity professionals discuss what’s next for CISOs.
The COVID-19 pandemic has presented several challenges to organizations, including responding to the pandemic, maintaining business continuity management, securing home networks, and dealing with email-based attacks. As the economy begins to reopen, executives responsible for information security and cybersecurity risk management are encountering dramatic new challenges.
Crowe recently gathered a panel of its leading information security professionals and asked them to offer their observations and insights into the priorities that chief information security officers (CISOs) will need to address during the recovery. The panelists included Mike Del Giudice, Sekhara Gudipati, Jared Hamilton, Dave McKnight, Lucas Morris, and Chris Wilkinson.
Q: Let’s begin with a broad overview. Businesses and public sector organizations alike are struggling with severe revenue shortfalls, which are likely to result in tighter budgets for all areas, including cybersecurity. How are these cuts manifesting themselves? What are you seeing?
Mike Del Giudice, Principal, Consulting: Well, clearly the effects vary by industry. For example, in my work with information security and data privacy for the public sector, clients have serious concerns about revenue shortfalls due to high unemployment and drastically lower tax revenues. But tax revenues always show up in arrears, so for tax-supported organizations, the budget crunches in IT and cybersecurity are likely to come in the next budget cycles, such as late 2020 and 2021.
Other organizations, such as educational institutions, are already encountering challenges because they must address financial pressures such as refunds for students whose classes were canceled or moved online. In the same way, some not-for-profit organizations are dealing with immediate shortfalls due to suspended operations, but others are actually experiencing record levels of donations and contributions, depending on their mission.
Jared Hamilton, Managing Director, Consulting: In addition to variations by industry, other variations in terms of the CISO’s area of specialization come into play. Among the healthcare organizations I work with, for example, a huge shift in emphasis – and in many cases a huge drop in revenue – took place as many elective procedures were canceled. At the same time, though, operations shifted to sort of an all-hands-on-deck approach for responding to the pandemic, restructuring providers, and buying ventilators and other gear. All of this meant incurring added data security costs for setting up certain technologies and biomedical devices or technology support for pop-up testing sites.
Of course, the big shift to push administrative staff offsite, working remotely, raises many new information security issues. Some new COVID-19-based phishing attacks also occurred, such as a fake Johns Hopkins site that could be used to inject malware. So while all this was going on, the focus unfortunately moved away from more routine practices – such as internal monitoring, patching, and all the things people would normally do in an IT security department – and increased cybersecurity risks.
Lucas Morris, Senior Manager, Consulting: We’re seeing similar things in other industries where I work. In life sciences companies, for instance, it’s either feast or famine. Some of our testing and device company clients are actually posting record revenues because, as Jared mentioned, they’re dealing directly with COVID-19. That, in itself, creates some added security risks because they’re much higher-profile targets. Some of our laboratory and testing companies are in a unique position because half of their business is going through the feast and half is going through the famine. So, like the healthcare providers Jared mentioned, they are trying to retool, retrain, and move people over to those areas on a temporary basis, just to meet changes in demand for COVID-19 tests.
Chris Wilkinson, Principal, Consulting: Another variable to factor in is not just the industry but also the relative maturity of a cybersecurity program. High-tech companies, which tend to have more mature cybersecurity programs, and some other industries or public sector organizations that are just getting started have significantly different priorities.
Mike Del Giudice: That’s true. I’d say most public agencies had some remote access capabilities for a subset of people such as administrators, but they didn’t have the scalability in their environments to get everybody remote so quickly. And that offered up some unique challenges. A few CISO clients I work with basically said they were told to hold off on security projects until the organization figured out how it could get everybody working remotely. In higher education and in K-12, too, organizations had to get the workers and students up and running at the same time. Sometimes that meant shipping out hot spots to people who lacked internet access in their homes.
So amid the early emphasis of just getting things up and running, security sometimes got deprioritized, and a lot of insecure solutions were deployed to help facilitate remote capabilities, such as people using personal devices to get remote access. Some organizations didn’t have enough resources to establish a virtual private network, or they didn’t have scalability or enough licenses for their current solution. So for ease of deployment they opened up remote desktop protocol (RDP) for people to access remotely. Using insecure technologies to deploy remote access is still a major issue.
Q: So how can CISOs deal with all these changing priorities and uncertainties within their budget constraints?
Dave McKnight, Principal, Consulting: In the banking and financial services sectors where I work – as in almost every other industry – one key is to spend what is available in the smartest way possible. For example, many of our clients are capitalizing on free virtual training for their security teams.
Sekhara Gudipati, Senior Manager, Consulting: In general, the CISO’s role is very challenging. On one side we have continually changing targets and threat vectors. And on the other side literally thousands of technology products exist to address various information security needs. For instance, more than 100 different products can address viruses and malware. Similarly, there are numerous products for data loss prevention and perhaps hundreds of products for network security.
What often happens is those in charge of security might be tempted to purchase a cool technology product that they come across at a security conference, hear about from their peers, or see demonstrated by a cybersecurity technology vendor. They might end up spending whatever limited budget they have on that new product without doing enough analysis on how the product fits into their IT or business objectives or how it fits with their specific risks or their organization’s maturity. This approach can lead to focusing on technology rather than addressing prioritized business risks, and it can derail their own security road map.
CISOs should be very focused on how their security spend is aligned with the business risk. They need to make sure they are not just buying a product or spending on solutions but that they are focusing on the risk management aspects and how that spend can reduce the business risk.
Dave McKnight: It’s also critical for CISOs to consider the value they are receiving from outside vendors. For example, should service level agreements be adjusted? Should contracts be revised? Should a new vendor be considered? CISOs should scope their vendors’ work to cover any new or emerging risks that weren’t addressed in their initial plans. New deals or a more appropriate solution might be options, provided such changes could be approved and paid for in the available spend for this year. Things change and the scope should accommodate business needs.
Lucas Morris: We also need to be open to new ways of doing things. For example, one of our higher education clients had a significant shortfall in revenue, so it’s looking at some nonstandard education approaches. In this case, the client is creating a cybersecurity boot camp – maybe 10 or 20 weeks of intense education, six to eight hours a day. It’s one way to generate additional revenue, but it’s also a potential source of new cybersecurity talent. A lot of universities are looking for ways to fill their roles in the short term in this way, and I think it’s something CISOs need to be very aware of.
Chris Wilkinson: That’s a good example of the concept of doing more with less, isn’t it? And that’s one of the points I want to make because as budgets are getting cut, one of the things that we’ve seen is information security partnering with other areas of the business – whether that’s IT or internal audit – to get more done in their area. Internal audit in most cases is doing some type of a cybersecurity assessment, with budgets set aside for doing penetration testing, risk assessments, or whatever the case might be. When budgets are cut, those internal partnerships become even more important. CISOs are most effective when they have established good relationships with other areas of the organization and can then partner with them.
Q: Moving beyond budget issues specifically, what are the priorities of the CISOs you’re working with now? And, concurrently, what should those priorities be?
Jared Hamilton: I think one of the top priorities for CISOs in healthcare will be looking back to make sure nothing was lost during the COVID-19 battle – even the basic things like verifying that patches were pushed out, remote worker risk was mitigated, and teleworking was done in a secure fashion. A huge cloud of dust needs to settle. As important as it is to look forward, CISOs first need to look back and confirm that nothing was missed.
Then, looking ahead, a very particular thing that is going to pop up in healthcare is the need for future support for telehealth technologies. CISOs will need to focus on making sure that these new technologies are implemented and used in a safe manner and that the risk assessment is updated to show the impact of having much more telehealth in place.
I think another response we’ll see will be increased security awareness about pandemic planning activities and just doing more with less, as Chris said, focusing on strategic vendors and cloud services. Healthcare likes to do a lot of things internally, but because so many people had to shift roles, decision-makers might be more willing to ask whether it makes sense to have an outside vendor do some basic tasks, like internal monitoring, handling email, or moving services to the cloud.
And finally, I think healthcare CISOs are going to want to look at automating repeatable functions. Doing so will help them focus on how clinical operations are affected and on the data they’re trying to secure.
Dave McKnight: In financial services and banking, I think CISOs will need to focus on accelerating solution and infrastructure changes that have immediate or short-term return on investment rather than a delayed, longer-term return. For example, data lakes and big data were common pursuits in late 2019, but most of the clients I’m aware of have paused these big-ticket items due to the expected lag time to return value or generate a profit.
Big-ticket items that are likely to continue moving forward are initiatives for cloud infrastructure such as Amazon Web Services, Microsoft™ Azure™, Office 365™ (now Microsoft 365™), Teams™, and SharePoint™. CISOs could embrace global risk and compliance tools that various departments might have purchased so that they can further automate processes. Finally, of course, through all this, the risks and threat actors have increased, so CISOs should be careful not to cut or reduce controls they know are working, such as anti-malware, anti-spam, firewalls, and so forth.
Mike Del Giudice: When thinking about the things public sector organizations need to worry about most right now, the security of home networks is right there at the top of the list. With many employees using home networks to access business systems, CISOs urgently need to know what they have on those home networks. What risks do they have locally that could potentially impact corporate assets? Are they up to date in terms of patches and vulnerability management? Is the security team able to access those separate networks if necessary to manage security issues, deploy solutions, and then test them to be sure they are configured the way they need to be?
And then, in terms of just troubleshooting an incident, in the past it might have been relatively simple to get physical access to devices. Now it might be much more difficult to get to a remote machine and physically do something with it. To be honest, a lot of clients haven’t had time to start thinking about some of those things yet, but there’s clearly a lot to be done.
I’m talking to clients about how they want to do better in securing remote access. Again, personal devices just are not the way to go. And RDP is not the way to go. They will need to build resilience, too, so that in the event they have to do this again, people will already be prepared to work from a secure solution.
Chris Wilkinson: There’s one other point that I want to touch on. If, back in January, the majority of the CISOs that we work with were asked to identify their top threats, they all could probably have given a pretty good answer. And I would bet that at least nine out of 10 would have mentioned employee actions or vulnerabilities of some sort as one of those top threats, whether it was phishing schemes, misuse of assets, or something else. Employees introduce risk to the organization that often is difficult to mitigate.
And now, six months later, although the threats might look a lot different, I don’t think that’s changed fundamentally. What’s changed is how those employees now access the resources and tools they use on a day-to-day basis, such as online collaboration tools that have been rapidly implemented. These shifts are changing where information or sensitive data is stored and how it’s being accessed. Everything was done in such a rapid fashion that CISOs need to go back and take a look to see if they made all the right decisions about both security and privacy as the architecture was rolled out.