Securing Accelerated Transformation

The past few months have seen a dramatic change in the way we do business.  Some verticals, like hospitality and travel, have all but ceased normal operations in favor of activities that fundamentally keep business running, preparing for a hopeful return to normal operations. Ultimately, we’ve been thrust into a digital transformation, even though it may not have been a part of our business strategy prior to the pandemic response activities. How do we continue to satisfy our due care and due diligence responsibilities when this transformation is accelerated? If you couple that with negative revenue impact, negative talent impact (perhaps as a result of a necessary reduction in workforce), and the restricted ability to travel to locations where work must be performed, we quickly end up in a scenario where success seems unlikely at worst and a significant challenge at best.  The net-net is a reduced budget, a reduced workforce, and increased technology debt.

What can we do?

The basic tenets of security haven’t changed, but our operating landscape has. In a recent IBM Security Work from Home Study*, it was determined that more than half of the new remote workers haven’t been given any new security policy related to working remotely. It was also determined that over 50% of remote workers were using personal computing devices to perform their work. Even with these alarming poll results, more than 90% of the remote workers were confident in the organization’s ability to keep their PII secure. As we sometimes say in the backwoods of North Georgia, “That math don’t work.” 

So, how do we keep up with this accelerated transformation?

Firstly, we consider how our visibility has been impacted. Have we unknowingly, or even purposefully, created visibility gaps in our environments?  The context of our business has changed, as well as the devices being utilized to perform work, so the short answer is, “most likely.”  In some cases, what once was a single ingress/egress point in and out of our business is now multiple Internet connections across our entire employee base, serving each home office, and attached to multiple unknown and unmanaged devices on a common flat network. This is the type of environment that creates security nightmares . Thankfully, there are a number of solutions aimed at collecting and managing configuration data and correlating that to threat data, so we can better understand our risks in the context of our rapidly changing technology footprint.  But, even with the visibility, that leads to the second significant challenge.

How do we manage the output?

There’s a well-known workforce shortage in the cybersecurity space. Couple an already existing shortage with the challenges of remote work, and the fact that many organizations have gone through a recent force reduction, you could end up in a scenario that makes it difficult to manage the cybersecurity workload at best and simply untenable at worst. The answer to this issue is complex, no doubt. But, if you navigate a few potential options, it’s possible to obtain a solid operations capability. Obviously, this effort begins with ensuring the information output is high-fidelity and actionable. This goes back to business context. It doesn’t make sense to review Windows patches and vulnerabilities if all you have is a Linux footprint, and would be considered a blatant waste of time, especially in a situation where the workload already outpaces our ability to action on that same workload. Thankfully, there are solutions that wade through this data very efficiently and can help stack rank those items we would find most interesting, allowing for an appropriate work prioritization. Orchestration and automation are other options to help save time. Those repeatable and mundane tasks are the items that we generally spend most of our time on, and this family of solutions quickly becomes feasible in a remote worker environment. But now that we’ve increased our visibility and we’ve invested in orchestration –

What about money?

Negative impact to revenue has a negative impact to the security budget.  There’s no way around that. COVID-19 had a profound negative impact on almost every vertical and has forced many businesses to step back and reassess cash management. Considering the primary question has changed from, “How do we achieve x growth, year over year?” to “How do we keep the doors open until this thing passes?”  That compounded risk of increase in malicious activity, especially in the realm of nation-state sponsored efforts and the daily risk to revenue and cashflow, has many organizations walking a proverbial tightrope. The good news is that we know, with some reasonable degree of confidence, we only have to sustain the current situation for a finite amount of time. Although, we don’t want to outlay considerable amount of cash, we can, however, investigate and leverage creative finance options with those business partners willing to accommodate. This allows us to manage some degree of accumulated technical debt while not introducing significant risks to the going concern of our business.

In closing, if you’ve reserved yourself to a holding pattern, as it relates to security solutions, I would urge you to consider the risks introduced as a result of the current accelerated transformation to remote work, and balance that against fiscally responsible investments in those solutions, which increase visibility and reduce workload. Approach the use case. Solve the business problem. Take a risk-based approach to security and quantify your efforts in terms of dollars and cents.