Only 46% of senior business leaders felt their business continuity plans were effective during shutdowns caused by the pandemic, according to a recent MIT Technology Review Insights survey. Is that surprising? Not really, because IT wasn’t around during the last global pandemic.
Now, companies are sharing valuable lessons learned about IT resilience, risk and security. And these insights may prove essential for confronting future challenges and supporting ongoing digital transformation.
“With the pandemic, it wasn't enough to plan for critical staff working from an alternate location or from home for a period of time,” said Angela Weinman, head of global governance, risk and compliance at VMware. “Those who could pivot fastest last year were the ones who had the broadest plans or who could mitigate [risk] by being furthest along their digital transformation journey.”
Weinman made her observation during the opening keynote session of RSA Conference 2021, “Telling Hard Truths to Impact Change in Cybersecurity.” She was joined by Jimmy Sanders, head of information security at Netflix DVD and a director for the Information Systems Security Association (ISSA).
Weinman and Sanders encouraged IT security professionals to “zoom out, throw out and reach out” to build greater resilience.
Hard Truth 1: The Security Risk Picture Is Out of Focus
Ultimately, if companies can’t accurately determine risk, it’s difficult for them to recover quickly. This is true of direct security threats, like the recent rash of ransomware attacks. Additionally, unforeseen events, like a pandemic, open organizations to new and different threats.
Risk must drive everything in cybersecurity because security is just one big risk management program. But if COVID-19 taught organizations anything, it’s that the current risk picture is out of focus. An inaccurate—or blurry—risk picture can lead organizations on a wild goose chase. Security pros end up initiating the wrong projects or investing resources in the wrong priorities.
“Our desire as security professionals to be accurate can cause us to be too conservative when predicting impacts and necessary treatment,” Weinman said.
Rather than focusing directly on a risk scenario and its impact, organizations should zoom out and think in terms of a spectrum of possible impacts. Sanders described how many security professionals, when assessing risk and planning for business continuity, determine who in the organization is “critical” when building their plan.
When COVID-19 hit, for many organizations, that meant everyone. Virtually no one anticipated the impact correctly: that the business need would be for almost everyone to work remotely for a year or more, not just a handful of people working remotely for a couple months.
Zooming out to get a more accurate risk picture requires engaging different parts of the enterprise. It can’t fall solely on the IT security team. The CISO’s office needs to be involved, naturally, but so do other executives, risk committees and board audit committees.
“Let the business drive agreement of where on the spectrum predicted impacts should go,” Weinman said, “just as similar dialogs drive risk posture positions today.”
And in expanding views, organizations can better prioritize security efforts. This means that perhaps not all environments will be protected equally.
“Focus is a matter of deciding what things you're not going to do,” said Sanders. “In chess-speak, we must see the entire board. We must ensure we build resilience into our environments so the taking of a symbolic pawn doesn't mean it's game over.”
Hard Truth 2: Legacy Security Practices Are Slowing Things Down
The same way organizations need to zoom out to assess risk, including more points of view will drive better risk management practices.
“Create an environment where the best ideas win, and this improves our security posture overall,” Sanders said. “These diverse thoughts stem from allowing competing ideas and viewpoints to be voiced without the fear of ridicule and condemnation.”
At Netflix DVD, Sanders encourages his team to begin a regular process of presenting a proof-of-concept tool or technique every month. The result was an information security team with a resilient and nimble mindset, said Sanders—one that wasn’t easily rattled by change because it was always thinking outside the box.
For many security organizations, a need to appear “mature” leads them to automate many processes and build layer upon layer. “Like a geological formation,” Weinman said. “Hard and inflexible, weighing us down along with the business units we work with. How many things exist so that we can check a box for some long-forgotten reason?”
In the current landscape, as companies go wide angle to consider a spectrum of security threats, everything should be on the table. All security practices should be open to challenge and, if appropriate, be thrown aside. As long as an organization can map a security practice back to a business goal or a cyber-hygiene fundamental, it can validate its decisions. If it can’t, it needs to be open to new ideas, which often come from its newest employees.
“It’s not just a good idea to throw things out, it’s a survival tactic,” said Weinman.
To scale and remain agile, organizations must constantly challenge the “how” of cybersecurity, as well as the “why.”
Hard Truth 3: Security Is Not a Solo Sport
No single group or organization can stem the tide of security threats. Put simply, we’re all in this together. The security community must make best practices available to everyone. It’s one thing to lead the security team inside an organization and champion the tools that will protect the network and allow it to pass a security audit. It’s another thing to learn from others.
Sanders said his career began by enthusiastically doing the former, but really took off when he engaged outside organizations in doing the latter.
“Shared accountability, increased diversity and embracing innovative techniques together will allow us to make amazing progress,” Sanders said.
Weinman called it “community resilience,” in which the security community works together to solve problems.
“Throw out those old ways of doing things and reach out,” she concluded. “We're more resilient and better at security when we leverage our relationships and collective knowledge.”