The pandemic has changed the world, perhaps forever. Employees are working at home using personal and often unsecured devices and networks. For a Chief Information Security Officer (CISO), used to believing that for the corporate network perimeter “inside is safe, outside is unsafe,” now nearly everything is outside and there is no perimeter. New risks and vulnerabilities seem to be arising everywhere on many new types of devices. The threat landscape has expanded — a worrying position for any security leader.
Despite these risks, organisations expect business continuity and a way forward. CISOs must attempt to bring normalcy and predictable functionality to this unprecedented situation. Below are five ways that CISOs can do this successfully – reduce risk based on sound advice and progress through a systematic checklist:
#1 If everything is important, then nothing is important
During a crisis, resources are short and everyone is overloaded with demands. Everything can feel like a priority. For the CISO, the first task is to identify what is only innocent smoke from what is actually a fire. By combining tools like threat intelligence, vulnerability research and probability risk, CISOs can begin to prioritise the most critical vulnerabilities that are now distributed across the expanded enterprise perimeter. Prioritisation focuses resources to the right area, in the right amount and in the right sequence.
#2 Avoid box ticking exercises
In these complex times, CISOs cannot afford to use a generic checklist to scan their extended network, which has now changed beyond earlier recognition. Work at home has meant that employees are now connecting to the network using whatever device is at hand that gets the task done — whether it’s to participate or host a video call; instant chat message with a colleague; access a cloud application; or any other daily task. In short, convenience has overtaken risk as workers struggle to deliver from home. For the CISO in this environment, a risk-based management approach that focuses on actual risks being exploited, not generic lists of potential risks, is most effective. This also avoids overrun of the operating expense (Opex) budget.
#3 You cannot protect what is unknown
One of the biggest challenges for a CISO today is visibility into what is happening in their remote work environment. The organisation’s workers may have had to relocate from their normal home, or even their geo-location. Staff are connecting from multiple private and public networks, using multiple known and unknown devices and at predictable but also unpredictable hours. The CISO needs to understand this activity pattern is now the new normal. To gain complete visibility of the extended enterprise network, CISOs should utilise authenticated agent scans that register and profile all assets being used. This will help the CISO build a unified and complete list of the vulnerabilities that have been created by distributed and remote work at home practices.
#4 The Board wants risk details
The Board of Directors will want to know what risks the organisation is exposed to and what is being done to reduce/address them. By adopting a risk-based approach, CISOs can accurately assess, quantifiably, the level of risk exposure in terms that the Board can understand.
Using a risk-based approach, the CISO can profile the distributed risk across the extended enterprise on the basis of large-scale assets, geolocation, business units and device groups, etc. The Board will be able to evaluate the business impact if any mission-critical areas are exposed compared to the cost to implement controls that reduce the risk.
#5 The trap of instant gratification
In this time of crisis and under pressure from management to deliver security, CISOs might be tempted to purchase additional tools, hoping that a single purchase order may be the key to alleviate the overall risk levels of the organisation to deliver quick results. Unfortunately, a magic bullet simply does not exist. What is more meaningful is to better understand the risk environment and systematically demonstrate reduction of risks based on the prioritisation of vulnerabilities. CISOs could also consider using managed service providers to reduce their day-to-day overheads of monitoring risks and vulnerabilities. They can also consider bringing in professional services to boost the skills capability of their internal teams to use existing tools and be more effective.
CISOs will find that implementing these basic best practices can go a long way towards reducing the risk levels of their organisation in challenging circumstances, including this pandemic.
By Adam Palmer, Chief Cybersecurity Strategist at Tenable