Chief Information Security Officers from energy, finance, and retail sectors reflect on new security challenges–and CISO burnout.
The COVID-19 pandemic turned out to be a security executive’s worst nightmare. CISOs speaking at last week’s New Jersey’s SECON 2022, said they were caught off guard when the majority of the world’s workforce went fully remote to prioritize health and safety.
In an already demanding role, CISOs have had to take the reins of their organizations in an effort to combat ever growing cybersecurity threats, further exacerbated by the shift to an almost complete remote workforce. Their message: CISO burnout is real.
The three executives were speaking as part of a discussion at SECON, “The Remote Workforce Paradigm Shift – Security Challenges and Benefits.” The panel included Gurdeep Kuar, CISO at the energy firm PSE&G, Sharon Kelley, CISO at Hudson Group, a major retailer; and Sofia Kokolis, CISO at Freedom Mortgage.
Moderated by ReversingLabs Director of Product Marketing for Malware Analysis and Threat Hunting, Debra Price, the panel outlined several areas of change for CISOs brought on by the COVID pandemic, as they managed the security practices of a newly changed remote workforce.
A lack of security control
One of the most difficult challenges for CISOs and their teams once industries shifted to remote work in the early months of 2020 was the loss of control they had in securing their organization’s operations. Conditions that were taken for granted, such as employees all using the same, secure wifi network, or attending in-person only meetings were lost once workers were forced to turn their homes into offices. That shift increased the attack surface for cybercriminals, giving security teams a harder job of managing the security threats to their organizations.
Without control from the top, employees were forced to take measures into their own hands with a heightened expectation to follow security best practices in their day-to-day work. Freedom Mortgage CISO Sofia Kokolis stressed this same expectation that was set for her employees.
CISOs had to bring their employees up to speed, needing to turn the “workforce into quasi-technicians,” she said. Security teams were also forced to consider early-on how employees at their own organizations could be posing significant security threats. The insider threat is one that these CISOs all agreed was an area of concern, in which the typical employee may accidentally click a malicious link or attachment, opening an organization up to cyber threats. Therefore, CISOs were dealt the heavy task early on in the pandemic of assessing their workforce’s technological capabilities, as well as their security shortcomings, in an effort to best figure out how to standardize secure practices across the board.“It’s major that they understand their requirements to protect the data that they have access to.”
— Freedom Mortgage CISO Sofia Kokolis
Crisis communication (and collaboration)
As in other areas of pandemic life, the absence of face to face communication made the job of communicating best security practices more complicated. As Hudson Group CISO Sharon Kelley pointed out: “when you’re not face to face with people ... you’re making assumptions.” For example, newly remote employees at the beginning of the pandemic worked alone in their homes, most likely unsure of what the expectations were for how to work remotely in a secure fashion. It was then up to CISOs, their teams, and IT departments in general to stop making assumptions about their employees' security knowledge, and instead communicate expectations for best security practices clearly.
Good communication from the top-down was essential for CISOs at moments of crisis. Kokolis highlighted the emergence of the Log4j vulnerability as an example of this. Kokolis said that she and her team had to firmly communicate with her company that this newly found vulnerability was now a top-priority, given the threat it posed to her company. “The day after (its discovery), I sent out a note to the executives saying, ‘we’re taking over,” Kokolis recalled.
PSE&G CISO Gurdeep Kaur also took a firm communication approach early on in the pandemic, in order to manage her company’s security practices.
“When we started working remotely, I became one of the most hated persons in my organization. They got a lot of ‘no’s’ from me.”
—PSE&G CISO Gurdeep Kuar
As CISO, Kaur became the advocate for security; managing the operations of her entire company in an effort to comply with best practices. She learned early on that her team needed to constantly communicate security rights and wrongs, as well as check the security knowledge of her company’s employees.
Third party risk: Get it in writing
When the pandemic forced organizations of all kinds to move their workforces online, it greatly increased the outside threat. Organizations quickly began to realize that whatever outside entity they work with, whether it be a vendor or a partner, they must be monitored for security reasons. CISOs were then tasked, on top of all of their internal company priorities, to ensure best security practices among their company’s vendors and partners as well.
Kaur made it clear that any outside entity doing business with her company should be held to a high standard: “If they are getting our data, if they are getting connected to our network, if they are getting access to anything that is of value to my organization,” then these entities must be clear with her company that they are complying with security guidelines. Kelley also stressed this same approach, in which she and her team provide contractual guidelines that include security practices for any entities they work with to abide by.
Without contracts that bind vendors and partners into being transparent about their security practices, it’s not certain that these entities will do their part in communicating this critical information, Kokolis said. Speaking of the Log4j vulnerability, Kokolis said that, contractually, her company’s vendors and partners were not bound to respond to security requests and questions from her organization. New mandates between business entities to ensure best security practices are a change fueled by the pandemic and the growth in remote work.
Time flies when you’re a CISO
Based on the testimonials of these three CISOs at SECON, it’s safe to say that the past two years of almost complete remote work have caused a number of security challenges: solidifying best practices, communicating expectations clearly, as well as managing the security of outside partnerships. While remote work did bring on more challenges for CISOs, it also forced them and their teams to strengthen the security postures of their organizations.
These three CISOs, all coming from different industries, agreed that the COVID-19 pandemic raised the bar for cybersecurity. While many cybersecurity threats were exacerbated by the pandemic, making a CISO’s job more difficult, they all agree that it has yielded immense progress for security, helping the industry in the long run. CISOs during this paradigm shift have gone the extra mile to look at not just their organizations, but also at what’s best for the cybersecurity industry as a whole.
“It’s not just about my company… it’s an entire supply chain.”
—PSE&G CISO Gurdeep Kaur