What Should CISOs Do in the Post-COVID Era? 

The COVID-19 pandemic has created new opportunities for bad actors, whether we’re talking about rogue states, organized cybercriminals or even internal threats. Ransomware, malware, social engineering, phishing and other cyberthreats have taken their toll on organizations, communities and individuals, and we would be foolhardy to assume that the attacks will stop.

Recently, I talked about lessons learned and some predictions for business leaders and board members. But, of course, chief information security officers and their security professionals on the front lines need to become even more strategic in their thinking and vigilant in defending the digital fortress.

Factors Influencing CISO Action

One of the most accurate predictors of an organization’s ability to withstand cyberattacks is the relationship between the chief information security officer and the chief information officer. In recent years, the trend has been moving in the direction of the CISO and CIO becoming peers, instead of the CISO reporting to the CIO. Ideally, the CISO and CIO have become trusted allies in the fight against cyberattacks, effectively collaborating to use technology, tools, people and processes in a smart way.

Before COVID-19, we saw that CISOs and CIOs were often pretty well aligned in terms of risk appetite and assessment. Cloud computing is a great example: They saw the ascendancy of cloud coming and knew that they had to develop an overarching plan for cloud security.

But COVID-19 has really shaken things up for everyone and the CISO and CIO now may find themselves out of alignment. Understandably, the pandemic’s detrimental impact on business activities put organizational emphasis on business continuity, often putting other initiatives—including cybersecurity—on the back burner. Scale and capacity become paramount for organizational operations, and we have seen the CISO and CIO start to drift apart a bit. Obviously, things like working from home, using personal devices and leveraging “unofficial” cloud services became essential for many workforces, but those things have real impact on cybersecurity if not properly planned and accounted for.

I believe CISOs and CIOs need to quickly move to a new phase of cybersecurity in the COVID-19 era—one of adaptation. In this phase, we will see re-evaluation and re-architecting of IT in general and cybersecurity, with a strong focus on consolidating vendors, assets and costs. For CISOs and CIOs, adaptation will likely be messy and uncomfortable. If the CISO and CIO have developed a sense of teamwork and trust, these qualities will be essential to addressing the twin challenges of availability and security, such as in the cloud. Ultimately, in the long term, CIOs and CISOs will need to partner closely to remove any frictions in their approach to the cloud due to a differing appetite for risk. 

Today, it is important for CISOs to draw upon their business skills to reinforce a strategic view of risk reduction in conversations in the boardroom and the corner office. Fortunately, many business leaders and boards have elevated cybersecurity to critical status and have given the CISO more “air time” to talk about cybersecurity from a business perspective, rather than a technical one. CISOs now are in a stronger position to offer their guidance about how cybersecurity drives and aligns with business goals, so they have to think and act more as business visionaries than as purveyors of technical advice.

Four Ideas for Your Security Strategy

Setting the right cybersecurity strategy is always essential, but it has never been more important as we move through and emerge from the pandemic. Creating, implementing and evaluating strategy requires discipline, innovation and more than a little bit of daring. Here are four ideas I’d like you to think about for your cybersecurity strategy going forward:

1. Rebalance your priorities. Certainly, CISOs and other cybersecurity experts must constantly evaluate cybersecurity priorities. But you need to do more—you actually need to commit to a rebalancing of priorities based on the new realities of work and cyber risk. Automation, in particular, must be a major priority for CISOs for two reasons: the lack of sufficient manpower resources and the increasing innovation displayed by cyber attackers. Even if you could hire armies of security engineers, that approach doesn’t scale to the magnitude necessary to match the bad guys’ efforts. Doing things the way you always did no longer makes sense, because things have changed, and will continue to change, dramatically.
2. Review your organization’s risk model. As organizations transition from a new work model based on a dramatic acceleration of the shift away from headquarters-based work, the risk model must change accordingly. We have all written about, talked about and experienced what happens with remote work operations, in terms of infrastructure resilience and risk related to home networks, shared devices and personal cloud services. Your employees will continue to be targeted, and they must be educated about risk as well.
3. Rethink your relationship with the board of directors. Not long ago, many CISOs were thrilled just to be invited to speak to a board meeting. Now, we expect to be an integral part of meetings and board communications. But the CISO’s relationship with the board must shift from “informing the board” to “educating the board,” and eventually “leading the board “ on risk assessment and mitigation.
4. Reset your technology mind frame. As you reassess risk in the context of business strategy, undoubtedly you will need to modernize and even transform your cybersecurity technology approach. One thing to consider is jettisoning the traditional best-of-breed approach in favor of a more integrated, platform-based approach to cybersecurity defenses. Cyber risk, and the technologies needed to address that risk, is becoming more complicated and diverse than ever. Managing dozens or even hundreds of cybersecurity tools across the enterprise—and the escalating number of technology suppliers associated with it—is no longer efficient. You’ll need more cybersecurity functionality in the post-COVID era, not less…but that doesn’t necessarily mean you need to buy more products from more vendors. Instead, focus on integrated functionality at a platform level from a smaller number of strategic, proven and innovative partners.

Technology certainly will become more important in identifying, preventing and remediating cybersecurity threats, both during the pandemic and beyond. CISOs and CIOs will need to work closely now more than ever to ensure that their business evolves but with the right level of risk exposure.  

Haider Pasha is Chief Security Officer, North/East Europe and Middle East and Africa, for Palo Alto Networks.