CISO on CISO Perspectives
This year, CISOs have witnessed unprecedented shifts in both work paradigms and threat activity. Because of this rapidly evolving threat landscape, it has been increasingly difficult to prepare for the year ahead. Fortunately, Fortinet CISOs Renee Tarun, Joe Robertson, and Courtney Radke joined us for a virtual conversation about cybersecurity planning for the remainder of 2020 and beyond—including where to start, what to prioritize, and what to expect moving forward.
Q: In the first half of 2020, cybercriminals continued to exploit the global pandemic through phishing schemes. What are CISOs doing differently to protect against these threats?
Renee – For phishing schemes, more emphasis is being placed on education and awareness for end users to ensure they know how to spot a phishy email and malicious links. Many organizations are starting to phish test their employees to measure how prepared they are when they come face to face with these social engineering attacks. In regards to IoT devices, these headless devices are often built without security in mind and are often implemented without the knowledge of the IT/security teams. Adversaries know full well that these devices create an exploitable vulnerability within the infrastructure. To combat these threats, CISOs are leveraging network segmentation and network access control to maintain visibility and to limit the access that these devices have within the network.
Joe – Phishing is the unfortunate gift that keeps on giving and it has gotten more sophisticated. You cannot count on poor grammar or misspellings to give them away, so companies need to use a three-pronged attack to protect themselves. First is educating and sensitizing general and technical staff. General cybersecurity hygiene like that offered at no charge with the Fortinet Network Security Expert program is a good start, but you really want to keep staff in practice with internal educational phishing campaigns. The second prong is using converged network and security technology to contain threats that do get in: leveraging segmentation and micro-segmentation combined with artificial intelligence to detect and contain malware and keep it from propagating. Finally, a close examination of what is going on at the level of the end device with endpoint detection and response (EDR) systems such as FortiEDR allows you to see and stop unusual activity such as an unusual number of writes to disk, which could indicate a ransomware trying to encrypt files.
Courtney – Training and awareness have been top of mind for CISOs for some time now. Phishing awareness training, in particular, has always been an easy sell for value proposition and ROI. Having employees click an educational phishing link 10 times (or 100) and suffer the inevitable ribbing from the IT team and fellow employees is seen as a worthwhile effort as these awareness campaigns are always an opportunity to learn and the risk of not doing so may come at an extreme financial cost or irreparable brand damage. Now, this is not to say that CISOs haven’t bolstered their security effectiveness in kind; to the contrary in fact. Email security features such as URL click protection, isolation and sandboxing help protect internal users from compromise and features such as anti-impersonation and non-repudiation techniques help protect internal and external users alike. Add to this the increased use of segmentation and micro-segmentation as part of zero-trust access model and businesses are much better positioned to combat threats that come from the ever increasing contingent of IoT devices between the four walls of the office and now employees’ homes.
Q: The 2020 Remote Workforce Cybersecurity Report reveals that 30% of organizations expect half of their workforce to continue teleworking full-time after the pandemic. What does this long-term shift to telework mean for CISOs?
Renee – 75% of IT professionals believe that the risk of a data breach is higher for remote workers, according to the Data Protection Report 2019. This means that CISOs need to ensure that they have automated protection, detection, and response capabilities incorporated into their toolkits to address the risks associated with this new operating paradigm. They will need to be more concerned with visibility and control within their infrastructures, including protecting endpoints, mitigating insider threats, and ensuring secure access to applications and data regardless of if it resides on-prem or in the cloud. In addition, to address the influx of network logs and events, CISOs need to leverage AI-based security operations to include event correlation with SIEM and automate orchestration and response with SOAR capabilities.
Joe – It goes without saying that when so much of your workforce is suddenly accessing corporate resources remotely, your security posture has suddenly gotten a lot more complicated. This isn’t news to CISOs, but it can be to many other executives. One of the biggest tasks ahead of CISOs in the coming months and years is going to be to work closely with other parts of the organization to instill a real culture of security. Of course, this means working even closer with the networking and application development teams to ensure a real convergence of networking and security, as well as getting serious about adding the “Sec” to DevSecOps. It also means putting in place new tools and measures that may take other departments out of their comfort zones. Salespeople who are on the road may be accustomed to remote access security tools like VPNs and multi-factor authentication, but the operations or accounting departments may not be. CISOs are going to need to spend time persuading and training every part of the organization on what it means to be “security aware.” In many cases, this includes the executive suite and the board room.
Courtney – CISOs need to have greater adaptability and keep an open mind when it comes to the changing dynamic that remote work brings. Security controls must be adaptable to account for shifting access methodologies, work schedules, and business models while still maintaining the ability to identify and react to security events in real-time; something that has become more complicated due to higher volume and irregularity from the previous baselines. Now is the time for baselines to be reevaluated and changed to support the new reality of remote work. Likewise, to deal with the influx of traffic and to help separate the anomalies and false-positives from the real threats and impacting events, CISOs must adopt an “integrate, orchestrate, and automate” approach, leveraging EDR (Endpoint Detection & Response) and SOAR technologies (Security Orchestration, Automation and Response) with higher regularity than ever.
Regardless of when businesses get the “all clear” to return to the office, many are now asking the question “do we need to / should we”. There is a good chance that many businesses will maintain a hybrid/blended working model for quite some time, and some may never return to a traditional office model. CISOs must be ready for what this means for their overall security posture long-term and how to continue to protect their customers, their business and their employees. The key to doing this? Adaptability and an open mind.
Q: Recent Fortinet research examines the key investments that organizations are making in the next two years to secure telework long-term. What strategies are you seeing CISOs invest in? What are they prioritizing?
Renee – Some organizations were unprepared to have their entire workforces work remotely. Many had to put interim solutions in place, often held together with duct tape and band aids. After realizing that telework is becoming the new norm for operations and not just a temporary solution in a short-term crisis, many organizations are looking to revamp their telework technologies to make them more robust and secure, especially as many organizations are faced with network performance issues. This also includes putting branch-like solutions, such as a next-generation firewall (NGFW) with SD-WAN capabilities, into the home offices of employees with high levels of access to data and the network, such as IT admins and executives. In addition, many CISO are investing in zero-trust network access. The growth of insecure or unknown devices attaching to the network, along with a host of breaches due to stolen credentials, has stretched trust beyond the breaking point. Network administrators must adopt a zero-trust approach to network access so they can see and control all devices and users across the entire network. With proactive protection, organizations can ensure their networks are secure from the latest threats.
Joe – Every organization that I have dealt with recently was in a different state of readiness for a black swan event like the COVID-19 pandemic. Some had to scramble to put in place plans they had already war-gamed, but most were blindsided and really suffered. So the priorities of each organization are different, but they all fall into a few broad categories. First is to understand which employees are connected to the network and protect them, because of this, investments in endpoint protection and endpoint detection and response are high on most CISOs’ lists. Because of the new traffic patterns that remote working entails, User and Entity Behavior Analysis (UEBA) is also showing up on many lists. What many organizations have seen, too, is that flexible secure access is essential as people move to full-time or part-time remote. I am seeing a lot of interest in combining SD-WAN solutions for branch offices with SASE (Secure Access Services Edge) cloud-delivered access. There is no one-size-fits-all in security, but these trends are not going to go away soon.
Courtney – I still see some companies struggling to provide even the most basic remote work functionalities. Scalable and adaptable VPN connectivity was often an afterthought which created challenges when the flocks of remote workers started to access internal resources in mass; many for the first time. The downstream effects are many and very impactful. While this is a relatively easy problem to solve it is also the first one that needed to be solved. With a robust and scalable access methodology in place, backed by secure SD-WAN, CISOs were then able to implement adaptable security policies to protect their remote workers accessing sensitive data and resources. However, to account for changes in behavior and the location of remote workforces (which is anywhere and everywhere), top of mind for CISOs are ZTNA (Zero-Trust Network Access) and SASE (Secure Access Service Edge), most likely in tandem as they are complementary technologies. ZTNA and SASE are foundational to securing remote work long-term, critical to protecting businesses from increased risk for IoT, and should be integrated into CISOs risk mitigation plans as part of the overall security maturity strategy.
Discover how Fortinet Teleworker Solutions enable secure remote access at scale to support employees with a wide array of access requirements.