During our recent panel webinar, Security Blindspots in the Novel Normal, Skeet Spillane of Pillar Technology Partners, LLC reflected on how security has become an integral part of every job function due to the shift to the work from home environment.
As the acting Chief Information Security Officer for multiple organizations where he’s been leading the pandemic response, Skeet is an excellent resource for a wide range of business leaders looking to manage through the novel normal we’re all facing.
Given the continued relevance of Skeet’s remarks, we are publishing his commentary below for our broader blog audience. For the sake of brevity, we’ve condensed certain sections of the conversation. For the discussion in full, you can also watch the entire webinar here.
Toffler Associates’ Director, Hans Davies, moderated the conversation excerpted below:
———————————————————————————————————
Hans Davies: As the pandemic incident lead at a number of organizations, what common challenges have you seen in those places and how would you frame those challenges?
Skeet Spillane: As we’ve moved out to the remote workforce, we’ve seen that there’s reduced visibility into the actions of users. We don’t know exactly what’s going on around them; whereas we actually had controls, such as cameras and remote device access, to monitor their actions in a traditional office setting.
We’ve also recognized that simple things like endpoint support, patching, vulnerability analysis, and remote device access have been taken for granted as we struggle with them now.
In addition, there’s been a lot of issues related to an increase in cloud usage. People have started adopting those cloud services, and there are many security issues that arise when you put those services under load. These vulnerabilities have caused us to have to address the types of skills and priorities we should focus on.
How do we actually give a clear set of clean rules of the road to all the users now that are working in a different environment? How do you configure your wi-fi? How do you make sure that people aren’t accessing your device when you’re away from it?
We’ve seen these questions and scenarios consistently across multiple organizations, so I know everyone is experiencing some level of this.
HD: Skeet, we talk about the issue of the cyber threat surface. Talk to us a little bit about how this particular incident or crisis has really changed or expanded an organization’s cyber threat surface.
SS: What we saw was an exponential increase in the threat surface. Before, traditional organizations may have had a subset of users that worked remotely, but now that we’ve moved an entire workforce to remote working, each endpoint has now become an attack vector.
This is one of the biggest challenges we’ve seen as not all organizations have capabilities to monitor those devices.
The other challenge that I mentioned before was in the cloud spectrum. The concept that the cloud takes care of your security is a misnomer. Understanding where your data is and how it’s flowing is critical, so I think there’s a new level of importance on how your teams are able to identify threats and resolve them quickly in this much larger footprint.
HD: How are we able to communicate and ensure that people understand the real risks associated with a remote work environment? Not just the technology side of the risks, but the people and the process for those intangible sides of that risk as well.
SS: One thing that became very apparent to us is that the traditional security awareness programs are no longer relevant. That model doesn’t really sink in with people. The cyber actors are very good at leveraging fear and uncertainty, and they’re turning that into very targeted and sophisticated attacks.
Making sure that our users are educated on what the best practices are, as well as communicating to them what the threats are and how they impact them is a priority. We need to teach them how they’re part of the machine that needs to be protecting the assets under our protection. It’s a changing dynamic that we need to stay in front of.
HD: One of the challenges that I’ve experienced working with security organizations is that security tends to be on the wrong side of the ledger. It’s a cost. In all of the roles you’ve played, how do you convince the folks controlling the money that these things are not just a cost, but they’re an investment in resilience and preparation, and could be a revenue driver?
SS: I think the most important thing is to stick to a risk management protocol. You’ve got to identify what you’re actually protecting and then understand what the threats are so that you can actually quantify to the executives why these are important projects.
You then have to prioritize them based on the threats that focus on those critical aspects. If you can get the projects prioritized and ask for money to protect a critical asset, I’ve found executives to be fairly reasonable.
HD: Yeah, security needs to actually have a voice rather than just a seat at the table. I think in return what we’ve been learning is that security needs to understand the business as well and know how to communicate with the executives.
When we’re talking about a remote environment, we’re now mixing cyber and physical risks, and a human operating becomes not only a risk but a potential issue. This is no longer just about checking a box. The security voice needs to be listened to, not just heard.
SS: The timing of building that voice is important as well. You need to be building that business voice along the path, and not just at the point of incident, so that you become their trusted advisor.
HD: I want to put our Toffler Associates Future Hat on you. We talked a lot about COVID-19 and how the pandemic forced a lot of companies to very quickly adopt a digital strategy, but what enhancements do you see in the Novel Normal? What do you see as the great acceleration in this security world?
SS: I think the move will be a better definition of what you’re protecting and a move to protect that asset. Traditionally, security has been focused out of an infrastructure type of view of the world. From my perspective, people are starting to recognize that instead, the protection is around the asset itself.
I also think that data loss prevention (DLP) tools – tools where you can better classify your data and understand its flow through the organization – are going to get a significant bump coming out of the backside of this.
HD: How do you deal with the potential employee burnout, and how do you keep the team as a cohesive unit as you move forward?
SS: There are two aspects that I would address. One is how do you collaborate with your team? The use of tools like Slack or Teams allows for more consistent, real-time communication as opposed to a meeting or an email and creates a more fluid type of engagement.
The second is that there’s a change in the trust model for your employees. Once a task is handed off, there’s got to be a level of trust that it’s going to be executed and managed appropriately. You’ve got to be more effective as a delegator in a leadership role and divide that work out to people that you can trust to execute it.
HD: Has the value proposition for a business changed in the new normal, and does that change the security landscape?
SS: The value proposition absolutely changes. From a security perspective, the challenges that we’re going to run into as we move forward are that the vulnerabilities, hygiene, and basic day-to-day actives haven’t changed. Instead, the way that we execute them has changed.
We still have the responsibility of protecting assets under our protection, so we need to look at how we structure our architectures, define our policies, and how we train our teams to make sure that they’re realizing the value proposition of security in that space. The fundamental process of security is still to identify the risks and identify and mitigate the threats.
HD: Can you expand more on risks to the cloud that many organizations are relying on today? What should you be expecting from your cloud or SaaS provider versus what you’re needing to take on yourself?
SS: I start at the vendor risk assessment. There’s a lot of things that need to be thought through when you’re doing a risk assessment of a vendor, and assuming that they’re doing things doesn’t end up with a good outcome.
You need to assess risks and develop plans for how you’re going to mitigate them as you’re deploying that cloud tool. The challenge we’ve seen is that clients will move to the cloud and make those assumptions that things are being done, and they won’t develop a plan against that in the cloud the way they would if it were an internal application.
It’s even something as simple as how you conduct incident investigations. You’re now crossing over and modifying your acceptable use policies and making sure that you’ve got the rights to be able to investigate within that environment. We have to be able to investigate cyber incidents, and if it’s in someone’s home, then that’s a significant complicating factor.
HD: That’s exactly right. What’s the best way for an organization to decide what IP needs to be on-premises versus portable?
SS: I think this goes back to your data classification policy and where you want that data to flow. It could be intellectual property, classified information, or any multitude of sensitive-protected data. The deployment of tools that help categorize and classify that data are critical to being successful.
HD: I’m going to throw a bonus question out there. What do you look for in a candidate, whether it’s security position or otherwise, to see whether they really have that healthy paranoia? What’s the question you would ask?
SS: I think I would ask the question on how they view themselves as part of the organization. Do they view themselves as a critical function of the organization so that they’re there to protect that asset?
HD: I like that. Well, I think I want to summarize. It’s important again to remember we talked about it as the Novel Normal, in terms of that, I think you’re highlig
About the Authors
