
How Security Programs Are Changing After COVID-19: Maximizing Resiliency

When Security is Seen as a Business Enabler We All Win 

The COVID-19 crisis and its associated constraints taught us how to identify priorities based on the most important outcomes. It showed us that many of the activities we considered “priorities” before March are not really priorities. And it further highlighted resiliency as one of the key objectives of security programs to help businesses maintain productivity and drive competitive advantage.

As we progress through this period that will have lasting effects on how we work and live, we must continue to select priorities that allow us to focus on our most important objectives. Assuming a distributed working model needs to become the norm, not the exception, the question we need to answer is how to secure data, processes, and communication irrespective of where employees and third parties are located.  

Security teams are changing where they focus their time, effort, and budget accordingly. McKinsey & Company recently surveyed 250 global CISOs and security professionals and found that, over the next 12 months, large enterprises will spend even more on network security, identity and access management, and messaging security, which are the exact priorities of a distributed workforce and infrastructure. As for cybersecurity vendors, McKinsey identified various opportunities to support customers, including rethinking service delivery and solution deployment models, and creating additional offerings. 

With respect to enterprises, we’ve seen ample evidence of shifting priorities and investments over the last few months, as security teams work in partnership with business leaders to tackle the following longstanding challenges: 

• Accelerate business, securely. The days of security as a barrier to business are gone. The COVID-19 crisis has shown us that security can enable business to move fast and do so securely. Seemingly overnight, projects related to digital transformation, modernizing infrastructure and access, and enabling collaboration happened. And they paid off, improving the bottom line and helping move businesses forward. But we’re just getting started. As we continue with these initiatives, the goal is to build security into those new processes and infrastructure. We will have to disrupt the old ways in which we worked, but we cannot let this stop us. We now know how much is possible when we think of security within the context of enabling the business. 

• Reduce complexity. For years, the go-to option to mitigate risk has been to add another layer of security. So today, most large enterprise security teams are working with dozens of security products that are often poorly integrated. This complexity wastes significant time and resources. It’s becoming evident that, in many cases, the optimal path is to rethink how we’re addressing specific security controls and look for ways to reduce complexity – replacing multiple products with a new category because requirements have changed. Much like the first point, reimagining an entire approach and making decisions might be inconvenient in the short term, but will help us in the long term.

• Build for resiliency. The current environment has cemented the fact that defense is not a binary process. We cannot anticipate all potential attack vectors and scenarios, so we must build resiliency into our security controls and infrastructure. Cyber resiliency is a measure of how well an enterprise can manage a cyberattack or data breach while continuing to operate its business effectively. Again, it comes down to seeing security programs as enablers of business – even when under attack. Now that the initial rush to support a more distributed model is behind us, we have an opportunity to consider what work still needs to be done to further resiliency. Those proactive measures need to be central to any security program. 

Intellectually, this all makes sense, but we also know that humans are used to doing things a certain way and our natural tendency is to continue down the same path. When faced with the initial crisis, we were willing to change for a short period of time, but how do we make these changes lasting? KPIs need to change to reflect the importance of resiliency and accelerated digital transformation. CISOs must be able to report to the board how security is enabling specific initiatives – for example, collecting data and storing and analyzing it in the cloud, or monitoring and managing manufacturing processes remotely – to achieve business outcomes and mitigate risk. When CISOs and boards align metrics and incentives with new priorities, they can sustain momentum.  

Finally, technology providers and offerings also need to change to address shifting priorities and the distributed nature of business operations. We’re already seeing an uptick in activity, including:

• Increased ease of deployment, ease of use, and intuitive design. These have traditionally been challenges with enterprise security tools, but we’ve seen improvements in this area in the last few years and COVID-19 has certainly made these hard requirements. 

• Leveraging remote access in transformation projects and delivery of services. In specific operational areas, such as production optimization, contractors who previously provided these services physically now need remote access to relevant equipment to support their contract and keep production lines running smoothly. We should expect this to become the preferred method for interaction, whenever possible, moving forward.

• Re-engaging in cloud discussions with a focus on how cloud-based solutions can be more secure, updated more easily, and new features added more quickly. When resiliency is a key objective, these benefits are highly valued. Given the new reality, solutions that are not cloud-native and don’t allow for easy deployment at scale will become obsolete, as customers demand flexible and secure infrastructure they can expand and upgrade quickly. 

Security programs and technology offerings are indeed changing because of COVID-19, and it’s exciting to see security teams and business leaders build toward a more resilient, distributed future. It’s one of the silver linings of this situation, because when security is seen as a business enabler, as defenders, we all win. 

Written By

Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.
