Customer insights: Security in the new normal – a CISO's perspective
Skybox Blog Team December 14th, 2020
CISOs are under pressure. Not only have organizations had to shift to remote working, but they are also facing increased demands from energized threat actors. Gidi Cohen, our CEO and founder, recently sat down with customer Dr. Rebecca Wynn, Global Chief Information Security Officer and Chief Privacy Officer at 7.ai, to better understand the challenges felt by CISOs over the last year and determine what lies ahead for enterprise security.
Organizations faced major challenges during the first lockdown. What was the biggest challenge for you and how did you overcome it?
Dr. Rebecca Wynn: The biggest challenge was maintaining security while moving a global workforce of over 10,000 people to remote working almost overnight. We met with the security team to ensure they had the bandwidth and capability to continue to support the company. We also checked that we still had physical access to our data centers across the world despite national lockdowns. We had to provide workers with the proper tools to work effectively from home and ensure those who had never worked remotely had adequate training to deliver sound business continuity. We also asked our vendors for more security equipment urgently and checked with our procurement teams that the sellers would be paid on time.
What are the essential cybersecurity principles for the distributed workforce?
Dr. Rebecca Wynn: The core principle is Security and Privacy by Design and Default. This is true whether you are working from the office or home, but there is far more to consider with a distributed workforce. This year, many organizations realized their employees were not as 'cybersecurity aware' as they should have been. It is up to security leaders to protect them in this environment. For example, they should review file access permissions and ensure workers only connect to secure Wi-Fi networks.
Also, security officers should not be naïve to the fact that workers are using corporate systems for personal use. They need to create usage policies to reduce opportunities for cybercriminals to infiltrate the network.
CISOs must also carry out regular employee security training to protect the entire attack surface and establish clear expectations. They need to ensure that every worker asks themselves: "Who is a trusted person in my home? What is a 'need to know' there?"
On top of all this, CISOs must check if the security they are running will protect their people and networks. These must be holistic and able to adapt to rapid change.
Security has become infinitely more complex in the last six months. What can security leaders do to manage program support staff and improve security management?
Dr. Rebecca Wynn: For most organizations, profits have taken a hit and security budgets have been constrained at a time they need to protect more. Security leaders have to partner with companies they trust to understand what to secure and have that intelligence faster. These vendors also need to train staff for on-premise tools to work in the cloud and see things from a SaaS perspective. They also need to hire technically minded people who take a proactive security approach and can hit the ground running.
How has the perception of security changed in your role?
Dr. Rebecca Wynn: It is a lot more about collaboration now. People forget security is the enabler of the business. If you are not looking at security and compliance risk as the enabler, you're not looking at it right. Business leaders now recognize that whatever the project, security has to be built in.
Report – Cybersecurity in the new normal: securing the distributed workforce
Skybox recently surveyed executives to investigate what security practitioners worldwide think about implications surrounding the distributed workforce. Read the report now.
Dr. Rebecca Wynn is the Global Chief Information Security Officer and Chief Privacy Officer at 7.ai. Connect with her on LinkedIn to explore the future of cybersecurity, compliance, privacy and risk management.