In the pre-pandemic days, security solutions could be more basic. Securing the perimeter could be likened to locking the door of your house. But with remote workers taking devices off premises and sometimes using their own, securing the workplace requires a new approach. Sophisticated threats come in from every angle, and preparing a complete defense is vital.
We are in an environment of constant change and unexpected events. Just when many people started thinking we might be in a post-pandemic world, cases started rising again, and the need to apply proper controls, governance, education, and tools for remote workers has once more become top of mind for many cybersecurity leaders.
For CISOs and their teams, the challenge is to build a culture that facilitates the ability to adapt to change on an ongoing, continuous basis. This requires a new mindset in securing all users—remote users in particular. It also means evolving your approach so that cybersecurity is no longer viewed by business management as a cost center, but rather as a means of competitive differentiation and innovation for the organization.
In my view, there are three critical aspects to changing the culture and mindset to adapt to current and future cybersecurity challenges, particularly as remote work becomes more deeply ingrained as a business requirement.
Develop a deep understanding of every aspect of your organization and spend a lot of time and attention on education—for everyone, whether they are on your security teams, in your executive suite, front-line workers on-premises, remote workers, or anywhere else in your ecosystem.
Even in some larger organizations, basic technologies such as multi-factor authentication or secure VPN are not given the priority necessary to allow remote workers to operate in a more controlled environment. It is important to have the basics under control before adding innovations such as Zero Trust.
Procedures and practices
It is vital to maintain a philosophy of ongoing education along with continuous evaluation of the technology your organization is using or, in some cases, not using. From a procedural perspective, you have to understand everything in your environment. Once you understand it, you can assess and address its impact on your current risk and overall risk profile.
1. Leveraging education to secure remote workers
The reason education tops my list is that over 80% of cybersecurity events are people-related. Everyone needs to truly understand what cybersecurity is—and know that it’s not just a password or two-factor authentication. Cybersecurity is an approach, a mechanism. It’s how you go about conducting work. Achieving a strong cybersecurity posture takes cultural change, behavioral change, and constant learning.
When users were largely on-premises, most organizations could compensate for potentially dangerous behavior by having multiple controls to help protect them. However, when those same people go remote, there’s a bit of a loss of control and governance. There are technologies to help cover user behavior, but it is better when the behavior doesn’t exist in the first place.
This means that we have to educate folks on cyber hygiene, making sure they understand that the steps they take at work may not be the steps they take when they are working remotely or from home. This is especially critical in this very open-ended environment, when a user’s device may be used by other people in the home.
2. Leveraging technology to secure remote workers
Strong foundations are also important from a technology perspective. You must make sure you have controls, processes, and governance for multi-factor authentication and secure VPN. It’s those things that pave the way for Zero Trust.
My best advice is to approach everything from the bottom up, understanding not just your inventory but every single behavior that takes place from a public-facing standpoint. This is especially important for remote workers. A good place to start is by asking yourself and your team key questions:
- Do we know what our environment actually contains?
- Are we aware of all the devices and services running in our environment?
- Do we have an inventory of all of our IoT devices?
- Do we understand the needs and potential risks of all of our users?
- Do we know the needs of each application and user based on key criteria such as performance, availability, resilience, data usage, and, of course, security?
Fundamentally, you need technology tools that are able to exist on your network and can identify all connected devices. I’m talking about tools that are able to actually interrogate the network, understand packets, capture specific metadata for insight into the imprint of each device, and how it lives on the network.
3. Leveraging procedures and practices to secure remote workers
If you haven’t figured it out by now, I’m a huge stickler for inventory. From a process standpoint, you have to understand what your inventory is, what it means, why it matters, and what its impact is on your business as well as your security posture.
So, from a procedure standpoint, you need something in place that is able to identify what you have in your environment. Then you have to relate and correlate that information to any situation, to the point where you can say about any device: “This device is connected to this application that lives here and does that.”
From there you can build a configuration management database (CMDB) approach to really understand your environment and have processes in place to integrate with your ITSM tool so you can execute the specific actions you need to take.
Maintaining ongoing processes also relates back to my first point: education. CISOs need to ensure training and education continue when people work from home or remote locations, and they need to have tests, controls, processes, and governance to continuously identify and correct non-malicious but potentially dangerous behavior. Quick-hit trainings without repetition are rarely effective.
My advice for CISOs and other cyber leaders
If I could leave CISOs and other cybersecurity leaders with a key takeaway from this article, it would be this: Every CISO should figure out how to balance the business operations of their organization with a security mindset that is not destructive to the business but is, in fact, built into the fabric of the business. In order to do that, I urge all security professionals to take the time to understand as much as they can about the business in which they work.
Note the emphasis on the business, not cybersecurity. Most security professionals know security exceptionally well. But if they don’t have an equally exceptional understanding of their business or organizational needs, they are potentially setting themselves and their organizations up for failure.
Whether you are the CISO or anyone on the security team, you need to be able to go to the people in any department and have detailed conversations with them related to their protection and their business needs. It may start with something simple: “We saw that you have these devices. They are not in compliance with our security posture and we need to take this action or we will be forced to put it offline.”
Of course, the immediate reaction will be: “You can’t do that!” And the response is: “Yes, we know. That’s why we have to fix the problem.” A solution-focused and service-focused mindset is key.
The opportunity ahead
Remote work is here to stay. To make it successful, you have to make it secure. Cybersecurity leaders and their teams have an opportunity to make huge contributions to their organizations over the next few years by developing cyber-aware cultures that are both agile and responsive to the changing needs of their organizations.
By focusing on the fundamentals, CISOs can prepare themselves, their teams, and their organizations to be ready for whatever comes next. As we’ve learned all too well over the past few years, the only constant in cybersecurity is change. Be ready.
Christian Aboujaoude is Chief Technology Officer at Keck Medicine of USC, the University of Southern California’s medical enterprise.