Security Blindspots in the Novel Normal with Caitlin Durkovich
Toffler Associates’ Caitlin Durkovich spoke in our recent webinar panel, Security Blindspots in the Novel Normal, discussing how an expanded approach to security will be required across all operations and policies, and how that is being affected by the shift to a work-from-home environment.
Caitlin is a Director at Toffler Associates, and she has an extensive history in security and infrastructure protection. In addition to being a board member at InfraGard National Members Alliance, she also served as Assistant Secretary for Infrastructure Protection with the Department of Homeland Security under President Obama.
With the valuable insights that she provided during the webinar, we’ve published her commentary below for our broader blog audience (you can also watch the entire webinar here).
Hans Davies: As the pandemic continues, what do you see as the greatest risks that companies and organizations should be thinking about as they move through various work-environment transitions?
Caitlin Durkovich: My biggest concerns are complacency and lack of a healthy paranoia. As we started remote work, everybody had their guard up and was careful about controlling their digital footprint and their workspace. The further that we get into this, those practices are going to slip, and people are going to get lazy in their alertness. When you’re tired, you make mistakes.
The other concern is that the bad guys never take a break. Our adversaries range from [hackers] to cyber criminals and even saboteurs. They know that we’re focused on responding to an abnormal situation, and they’re very savvy at taking advantage of our vulnerabilities.
HD: How are we able to communicate and ensure that people understand the real risks associated with a remote work environment? Not just the technology side of the risks, but the process and intangible sides of that risk as well.
CD: I think there’s a lot of opportunity to teach from experience. At Toffler Associates, we think about resilience as a continuous learning and education process. We’ve heard numerous work-from-home stories, and by sharing those examples, memes, and news articles, you can bring your workforce together to discuss their challenges and needs to create a more secure environment.
We also need to drive home individual resilience. Employees are now responsible for making sure that they have internet, electricity, and the many other needs to be able to work. It’s also challenging when you’re in a house with five people who are distance learning and working at the same time. We’ve got to continue to help employees rely on each other and give them the tools to ensure that they’re resilient.
HD: One of the challenges that I’ve experienced working with security organizations is that security tends to be on the wrong side of the ledger. It’s a cost. In all of the roles you’ve played, how do you convince the folks controlling the money that these things are not just a cost, but they’re an investment in resilience and preparation, and could be a revenue driver?
CD: In addition to risk, we have to help them understand the consequences of that vulnerability being exploited and what it means in business terms. When you can put it in business terms, you can speak the language of the executive.
You want to be able to help them understand the consequences could be a loss of service, which means a loss of revenue or loss of orders. Even more importantly, the impact to the brand and reputation is what will get their attention.
HD: I want to put our Toffler Associates Futures Hat on you. We talked a lot about COVID-19 and how the pandemic forced a lot of companies to very quickly adopt a digital strategy, but what enhancements do you see in the Novel Normal? What do you see as the great accelerator in the security world?
CD: I believe that we are going to need to get to a place where a lot of what we’ve traditionally done that requires contact will have to change. We have to reimagine a contactless security environment, or what we call frictionless security.
Included in that now is going to be health and how you leverage the data that comes off your wearables, and many implantables. This is going to create enormous friction with privacy, and we’ll have a debate about health versus privacy over the next 6 to 30 months. Though I think this will definitely accelerate the idea of frictionless security.
HD: How do you deal with the potential employee burnout, and how do you keep the team as a cohesive unit as you move forward?
CD: The collaborative environments are really helpful on this. It helps cut down on emails, with collaboration, and with the sharing of documents. Not everything has to be done over a video conference, and the decision must be made as to whether it will be resolved through chat or a phone call, or if a video is necessary.
People can also go outside and walk around for a change of pace. We’ve done some interesting things here at Toffler where we’ve created a meeting-free hour (unless it’s with a client), and we shorten meetings by 5 minutes so that people have an opportunity to take a bio break, get some coffee, etc.
We’ve done a really good job of creating the water cooler environment. For example, we put up a virtual coffee on the calendar. There’s no agenda, it’s not mandatory, and it’s an opportunity to share stories from home and just chat. Lots of creative ideas are being written, and you can see what works for your organization to help give your people a break.
HD: Have you considered liabilities and licensing issues that may occur with remote workers? For example, electrical capacity, privacy from family and friends, pronounced shoulder surfers, et cetera, insurance for slip and fall or repetitive stress disorder syndrome?
CD: We talk about the concentric circles of security from the perimeter of the building and the network into the home. Well, you’ve got concentric circles of liability. These are issues that legal and human capital are going to have to start to deal with if you’re going to permanently move to remote work.
If home becomes my office space, what am I responsible for versus what is my employer responsible for? There isn’t an answer to this question right now, but it’s legitimately on the table.
The biggest challenge is that humans really are your biggest vulnerability. At a house, you may put all of these security controls in place, but people make mistakes. Whether intentional or unintentional, how much responsibility does someone at home bear for that?
HD: I’m going to throw a bonus question out there. When you’re looking to hire a security professional, what do you look for in a candidate to see whether they really have that healthy paranoia?
CD: We’ve interviewed a lot of professionals over the course of Toffler time, and it’s amazing to see people who say things that I’m not thinking about, don’t know, or will be blindsided by. I think that provides a good look into people’s minds.
For any role, but certainly security, I think it’s important to look for their understanding of the need to bring imagination to the role. I’d like to know how they would see routinizing and bureaucratizing imagination into the security process.
HD: Good. Well, I think I want to summarize. It’s important again to remember that we talked about it as the Novel Normal. In terms of that, I think you’re highlighting the fact that things aren’t going to be the same, right? There will be a lot of changes, and we’re going to need to give people the space to understand what those changes are.