Though many organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies on which employees have access to what data, CISOs must be nimble and adapt quickly to overcome each new problem that arises.
Four of Fortinet’s Field CISOs – Sonia Arista, Joe Robertson, Courtney Radke, and Alain Sanchez – joined us to discuss these new challenges as a result of the rapid network transformation organizations have undergone. You can read the beginning of this conversation in this blog.
Q: Have there been any unexpected learnings during recent weeks that CISOs should learn from going forward? What one IT security strategy stands out in terms of importance or difference?
Sonia Arista – Obviously, all of the technology enablement for remote workers has been a priority in recent weeks. From a program standpoint, this has meant ensuring that strong authentication, identity, and access management policies are in place to ensure secure remote connectivity. And given the new parameters of the workforce, monitoring for indicators of compromise or vulnerabilities has become essential, and should include strong analysis of geo-location and asset identification tied to logins, alerting on the use of the same credentials in multiple environments, and a deeper layer of visibility of application downloads.
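One way to implement the login-monitoring checks described above (geo-location and asset identification tied to logins, and the same credential appearing in two places within a short window), as an added example that is not from the original post or from Fortinet; it runs over constructed sample VPN log lines and a hypothetical asset inventory:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not real logs): who logged in,
# when, from which country, and from which registered device (asset) id.
SAMPLE_LOGINS = [
    "2020-04-06T08:02:11Z user=jdoe country=US asset=LAPTOP-1187 result=success",
    "2020-04-06T08:41:55Z user=jdoe country=DE asset=UNKNOWN-9f3c result=success",
    "2020-04-06T09:10:03Z user=asmith country=US asset=LAPTOP-2210 result=success",
    "2020-04-06T17:20:40Z user=asmith country=US asset=LAPTOP-2210 result=success",
    "2020-04-07T07:55:19Z user=mlee country=FR asset=LAPTOP-3305 result=success",
]

# Hypothetical asset inventory: devices the organization has issued to each user.
KNOWN_ASSETS = {
    "jdoe": {"LAPTOP-1187"},
    "asmith": {"LAPTOP-2210"},
    "mlee": {"LAPTOP-3305"},
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) country=(?P<country>\S+) "
    r"asset=(?P<asset>\S+) result=success"
)

def parse_logins(lines):
    """Parse successful login lines into sorted (timestamp, user, country, asset) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["country"], m["asset"]))
    return sorted(events)

def detect_anomalies(lines, known_assets, window=timedelta(hours=2)):
    """Return alert strings for: a login from a device not in the user's asset
    inventory, or the same credential used from two countries within `window`."""
    alerts = []
    by_user = defaultdict(list)  # user -> [(timestamp, country), ...]
    for ts, user, country, asset in parse_logins(lines):
        if asset not in known_assets.get(user, set()):
            alerts.append(f"unregistered-asset user={user} asset={asset} at {ts.isoformat()}")
        for prev_ts, prev_country in by_user[user]:
            if prev_country != country and ts - prev_ts <= window:
                alerts.append(f"multi-geo user={user} {prev_country}->{country} within {ts - prev_ts}")
        by_user[user].append((ts, country))
    return alerts
```

In the sample data only jdoe trips both checks: a login from an unknown device and a second login from another country 39 minutes later.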
Joe Robertson – Zero Trust Network Access is another critical strategy. When everybody is out of the office, how can you be sure anybody is who they say they are? In the end, the goal is to protect data and applications against unauthorized access. Two-factor authentication is an important step on the road to secure access, but it also requires well thought-out policies on who has access to what data, and limiting access to any resources to a need-to-use basis.
Q: In this unforeseen context of a crisis that is both sudden and devastating, are existing cybersecurity technologies up to the task or is there a new cyber leap yet to invent?
Alain Sanchez – I would not call for a cybersecurity revolution in such a period. Corporations do not have on-site the critical mass of experts to test, deploy, and integrate a brand new technology at this point in time. It would be like adding a new engine in the middle of a Formula 1 race with only the telemetry in place and no mechanics physically present in the box. In fact, before adding anything, the right question is: are we taking full advantage of what we already have in place? Next Generation Firewalls, for instance, have advanced segmentation capabilities that are easy and fast to deploy to prevent lateral attacks within the organization, and remote user profiles can be refined to ensure full efficiency and superior authentication. What matters most in such a period is the quality of the integration between the various dimensions of the security architecture, and the consistency of the CISO’s leadership.
Q: How has the role of the CISO changed during recent weeks as companies shift their IT priorities and focus on securing and scaling remote workers?
Courtney Radke – Given the rapid rate at which remote work policies had to be expanded or spun up for the first time, the CISO mindset must become one of operational “do no harm,” meaning they have to be open to new ways of doing things and abandoning the culture of ‘no’. The CISO needs to be a technology evangelist and effective communicator at all levels of the organization, helping to make sure that collaborative technology is available to the new remote workforce so they can remain productive and connected, without sacrificing essential security policies and practices.
Alain Sanchez – I agree. This pandemic has amplified and accelerated movement in the career of many CISOs. They suddenly find themselves seated at the table and involved in decisions that have become more and more strategic. They are having to coordinate a culture of security throughout all departments of the company, including advising the CEO and the Board.
Sonia Arista – Yes. That’s because CISOs are also deeply involved in business continuity strategies and planning – often in tight coordination with the enterprise emergency response team. As most businesses still work within increments of quarters for planning and revenue projection, executives are looking to their technology leads to reasonably assess productivity of the workforce – this will be critical in assuring confidence from stakeholders and investors of the spend and investment ratios for the coming quarters – and the CISO plays a key role in making that productivity possible.
Alain Sanchez – Recent weeks are bringing the CISO to the front line of decisions, strategies, and communications initiatives. From this perspective, the pandemic has accelerated a security movement that has been growing steadily over the past 18 months. From a business perspective, the famous quote from Shakespeare’s Macbeth has never been so true – “This battle will either secure my reign forever or else topple me from the throne.” Superior security can prevent corporations from toppling, and the CISO plays a keystone role in making that happen.
Learn more about how to maintain business continuity through broad, integrated, and automated Fortinet Teleworker Solutions.