The COVID-19 crisis ushered in a new era, filled with challenges for IT security teams. While the world battled a global health crisis, CISOs were fighting off an unprecedented number of cyberattacks and looking for ways to secure a remote workforce most weren’t prepared to support.
The pandemic was the catalyst for many new and more destructive ransomware tactics, COVID-themed phishing scams, and targeted cyberattacks against healthcare and other critical infrastructure sectors.
But not all of the new challenges CISOs have had to navigate during the pandemic were cybercrime-related. Accelerated digital transformation and exponentially higher volumes of data being generated have had many CISOs scrambling to update business continuity and data protection strategies to accommodate and secure new technology and infrastructure needs.
Which Cybersecurity Priorities Should CISOs Focus On in 2021 and Beyond?
As businesses tentatively move into the post-COVID era, there is no sign that cyberattacks, digital transformation initiatives, or explosive data growth are slowing. To keep pace, CISOs must re-evaluate their pre-pandemic priorities to ensure they are aligned with today’s business and cyberthreat realities.
To maximize cybersecurity and data protection in 2021 and beyond, CISOs and IT security teams must focus on five key capabilities:
Securing Cloud-Based Tools and Solutions
Whether the cloud is secure has long been a topic of debate. But in 2020, the lockdown and subsequent mass pivot to remote work pushed the topic out of debate mode and into trial by fire.
In fact, when Microsoft CEO Satya Nadella presented the company’s first COVID-era quarterly earnings report to Wall Street, he commented on the rapid rate of cloud adoption and digital transformation:
“We’ve seen two years’ worth of digital transformation in two months. From remote teamwork and learning, to sales and customer service, to critical cloud infrastructure and security—we are working alongside customers every day to help them adapt and stay open for business in a world of remote everything.”
The big cloud-services providers have almost endless resources available to ensure that their portion of shared responsibility for cloud security is covered. The weak point, as it turns out, is the user base.
Gartner estimates that by the end of 2025, 99 percent of cloud security failures will be the customer’s fault. With that in mind, CISOs need to stop asking whether the cloud is secure and start looking internally to determine whether cloud security best practices are being followed.
Employees are going to make mistakes (more on that below), so your cloud security efforts must include robust backup and data protection strategies to minimize risk.
Frequent, complete, and well-tested backups are a business imperative as organizations move their operations and employee productivity and collaboration solutions to the cloud. In today’s cloud-driven business environment, the traditional 3-2-1 backup strategy doesn’t offer adequate protection. IT teams are now adding immutable storage and adopting a 3-2-1-1 approach that includes an air-gapped copy of the company’s data off-site and offline.
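The 3-2-1-1 rule above is easy to state and easy to drift away from as copies are added and retired. As an added example (not code from the original post or from any vendor), this script audits a backup inventory against the rule. It assumes the usual reading of 3-2-1 (three copies including production, two media types, one off-site), treats the extra "1" as the text describes it (immutable storage plus an off-site, offline air-gapped copy), and uses a 30-day restore-test threshold and constructed sample inventories that are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str               # "disk", "tape", "object-storage", ...
    offsite: bool            # held at a different site/region than production
    immutable: bool          # WORM/object lock: cannot be altered or deleted
    offline: bool            # air-gapped: unreachable from the production network
    last_restore_test: Optional[date]  # None = never verified by a test restore


def check_3_2_1_1(copies: List[BackupCopy], today: date,
                  max_test_age_days: int = 30) -> dict:
    """Return rule name -> satisfied? for the inventory. Production data counts
    as one of the three copies (usual reading of 3-2-1; an assumption here)."""
    fresh = timedelta(days=max_test_age_days)
    tested = [c for c in copies if c.last_restore_test is not None
              and today - c.last_restore_test <= fresh]
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        # The extra "1" of 3-2-1-1 as the post describes it: immutable storage
        # plus an air-gapped copy that is both off-site and offline.
        "1_immutable": any(c.immutable for c in copies),
        "1_offline_offsite": any(c.offline and c.offsite for c in copies),
        # "Well-tested": every copy passed a restore test within the window.
        "all_copies_tested": bool(copies) and len(tested) == len(copies),
    }


def unmet_rules(copies, today, max_test_age_days=30):
    """Names of the rules the inventory fails, sorted for stable reporting."""
    results = check_3_2_1_1(copies, today, max_test_age_days)
    return sorted(rule for rule, ok in results.items() if not ok)


# Constructed sample inventories (hypothetical systems, not real ones).
TODAY = date(2021, 6, 1)
CLASSIC_3_2_1 = [  # meets 3-2-1 but has no immutable or air-gapped off-site copy
    BackupCopy("primary-nas", "disk", False, False, False, date(2021, 5, 28)),
    BackupCopy("cloud-replica", "object-storage", True, False, False, date(2021, 5, 20)),
    BackupCopy("onsite-tape", "tape", False, False, True, date(2021, 1, 10)),
]
HARDENED_3_2_1_1 = CLASSIC_3_2_1[:2] + [
    BackupCopy("vaulted-tape", "tape", True, True, True, date(2021, 5, 25)),
]

if __name__ == "__main__":
    print("classic 3-2-1 fails:", unmet_rules(CLASSIC_3_2_1, TODAY))
    print("3-2-1-1 fails:", unmet_rules(HARDENED_3_2_1_1, TODAY))
```

The classic inventory fails on the missing immutable and off-site offline copy and on a tape whose last restore test is stale, which is the gap the text describes.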
Many organizations are also opting to protect their cloud with the cloud. Data protection as a service (DPaaS) is a subscription service that combines secure backup, storage, and disaster recovery into one cloud-based solution. DPaaS provides a scalable, cost-effective way to ensure data protection, network security, and disaster recovery capabilities are all covered.
Creating a Culture of Cybersecurity
Today’s businesses are fending off threats from every direction—email, the cloud, mobile devices …
Now that many teams are part of a fully remote or hybrid workplace, it is harder than ever for CISOs to create an effective security perimeter. In this age of highly distributed teams and heightened security threats, CISOs must prioritize building and nurturing a company-wide culture of cybersecurity.
A culture can’t be established overnight, but there are immediate steps you can take to get everyone in the company involved and invested in cybersecurity.
Security awareness training is essential for turning employees from liabilities into the first line of defense against cyberattacks. When you pair education about common threats with realistic phishing simulations that test what users have learned, your organization’s cyber hygiene should radically improve.
Creating and enforcing a cybersecurity policy is another effective way to create a more secure workforce while building cybersecurity into the culture. The company cybersecurity policy should set standards for behavior, including email encryption, personal device usage, and social media access. It is also important to clearly define each employee’s role and responsibilities in protecting the company's IT systems, network, and data—and the consequences of not adhering to the policy.
Aligning Cybersecurity with the Business
Although CISOs are technically members of the C-suite, it isn’t always easy to get buy-in from their peers on cybersecurity and data protection initiatives. Much of this apprehension arises from non-technical executives not understanding or choosing to minimize cybersecurity’s role in privacy protection, risk mitigation, and data loss prevention.
The best way to get the C-suite invested in cybersecurity initiatives is to make it about them. More specifically, illustrate how cybersecurity—or the lack thereof—impacts specific business objectives and even the company’s revenue and growth potential.
To ensure everyone is starting from the same place, create a cohesive definition of what cybersecurity means for the company. Use specific risks that apply to your organization and explain real tactics hackers can use to target known vulnerabilities.
If the organization recently fended off a potential attack, share that. Also, recap recent attacks in the news that affected businesses similar to yours. Keep in mind that the goal here is to educate leaders, not make them panic. Once they have a better idea of the current threat landscape, explain how your current cybersecurity strategy is handling threats and how specific upgrades can protect the company even more.
It can also help your case to connect cybersecurity objectives to qualitative requirements, such as risk management, as well as quantitative business requirements, such as the cost of mitigation versus prevention.
Creating a Robust Security Infrastructure for a Remote Workforce
When COVID-19 sent millions of employees home to work indefinitely, few CISOs were prepared to defend a suddenly perimeter-less IT environment.
Now that we are no longer at the height of the pandemic, many organizations have chosen to continue the remote workplace or offer a hybrid work option. This new way of working means CISOs need to prioritize the creation of an IT infrastructure that can withstand the added security threats introduced by remote workers and the risks introduced by movement between environments.
With many employees located outside of the company firewall, security teams are using identity management and strict permission policies to make people the perimeter.
Preventing unauthorized users from accessing, encrypting, and exfiltrating sensitive data or mission-critical files requires CISOs to implement and enforce several key best practices:
- Identity and access management: A framework of business processes, policies, and technologies designed to identify, authenticate, and authorize users so only the right people have access to the right resources at the right time.
- Zero trust frameworks: A security framework that works on the assumption that no one—inside or outside the organization’s perimeter—can be trusted. Anyone can be compromised, so every user and every device must be verified before being granted access to the network.
- Encryption: Data should be encrypted at rest and in transit so it is protected where it’s stored—computer, mobile device, the cloud—and as it moves between locations.
Focusing on Cyber Resilience, Not Just Cybersecurity
Cybersecurity tools are essential to protect your organization’s IT systems, networks, and data. However, in today’s threat environment, simply focusing on cybersecurity is shortsighted and dangerous.
Cybersecurity solutions help mitigate the risk of breaches by identifying and detecting threats and, ideally, preventing them from entering your systems. But many security experts now consider ransomware and other types of cyberattacks almost inevitable, which makes cyber resilience an equally important priority for CISOs.
Cyber resilience refers to an organization’s ability to respond to and recover from an attack with minimal downtime, loss of data, and reputational damage. For maximum risk mitigation, CISOs can implement a resilience trifecta that integrates cybersecurity, data protection, and immutable backups.
The resilience trifecta helps CISOs achieve three core objectives:
- Identify and detect threats.
- Manage and protect data.
- Respond to and recover from a disaster or unplanned outage.
What’s Next for CISOs in the Post-COVID Business Environment?
Navigating the post-pandemic threat landscape in 2021 and beyond means CISOs will need to keep looking for new and innovative ways to create a security strategy that fits our new normal. Re-evaluating and prioritizing a few core capabilities is an essential step in securing business-critical data and systems and facilitating new digital transformation initiatives.
Download The 2020 Data Attack Surface Report to learn how today’s explosive data growth will continue to impact security and why CISOs can’t ignore the growing ransomware threat.