One Year In: Crises Continue to Call for Cyber Resilience

By Sean Malone

04/14/2021

Cybersecurity Risk Management

When cybersecurity programs and the controls they implement are rigid, centralized, and hierarchical, they become fragile. Fragile cybersecurity is insufficient to meet the needs of modern corporations and to keep pace with the rate of change in information technology and the business operating environment as a whole. The importance of understanding this has rarely been more evident than over the last year.

In March 2020, as the COVID-19 pandemic set in and politicians sought to balance civil liberties with the management of a public-health crisis, businesses faced similarly difficult decisions and a stark choice: evolve or die. Many companies rose to the challenge and found new ways to build and maintain positive relationships with their customers while maintaining their abilities to deliver goods and services despite the challenges. Some, however, failed to evolve quickly enough, and the list of companies that have filed for bankruptcy as a direct or indirect result of pandemic measures continues to grow.

Corporate information security was similarly forced to evolve. The near-universal move to remote work and the increased share of commerce conducted online coincided with a sharp increase in coronavirus-themed misinformation and phishing attacks designed to prey on anxiety and the desire to be informed. Multiple high-profile response groups, including the World Health Organization and the Centers for Disease Control and Prevention, published advisories warning against such scams. This presented a dangerous alignment of risk factors at a time when many corporations were more vulnerable to the disruption that a successful cyberattack can cause. There is never a good time to respond to a major incident, but the moment when a business is rapidly changing how it operates is perhaps the worst.

Cybersecurity teams rose to the challenge, though some struggled more than others. The migration of corporate workstations to home networks was particularly challenging for organizations that relied primarily on a perimeter security model, which seeks to maintain a secure boundary between the corporate network and the Internet and to keep adversaries outside of that boundary. Beyond the obvious problem of corporate computing assets moving outside that perimeter, this model has repeatedly proven insufficient: adversaries continue to gain a foothold on the internal network, where a single compromised host is implicitly trusted and can easily target the soft underbelly of a company’s cybersecurity. Organizations that had, pre-pandemic, evolved their security models past this point, sometimes adopting names such as “BeyondCorp” or “Zero Trust” for the initiatives, typically fared better over the past 12 months. With workstations already hardened to operate on untrusted networks, strong encryption and risk-based authentication implemented for all corporate web applications, and those applications already reachable over the Internet, the access decision never depended on where the user’s packets came from, so a workforce that suddenly needed to work from home was far less disruptive to those businesses’ security posture.
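To make the contrast concrete, the following is an added example (not code from the article, from VisibleRisk, or from any named Zero Trust product) that evaluates the same access request under the two models the paragraph describes. The corporate address ranges, request fields (device posture, authentication strength, application sensitivity) and the policy thresholds are all illustrative assumptions; real deployments derive these signals from device attestation, an identity provider and an application inventory.

```python
"""Perimeter vs. network-location-agnostic ("Zero Trust") access decisions.

Added example, not part of the original article. All data and thresholds below
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed corporate address space: the only signal the perimeter model consults.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Request:
    """Signals available to the policy engine for one HTTP request (assumed)."""
    src_ip: str
    device_managed: bool   # endpoint is enrolled and posture-checked
    device_patched: bool   # posture check reports current patch level
    auth_strength: int     # 0 = unauthenticated, 1 = password, 2 = phishing-resistant MFA
    app_sensitivity: str   # "low" or "high"
    tls: bool              # request arrived over an encrypted channel


def perimeter_decision(req: Request) -> str:
    """Perimeter model: trust is a function of where the packet comes from."""
    inside = any(ip_address(req.src_ip) in net for net in CORP_NETS)
    return "allow" if inside else "deny"


def zero_trust_decision(req: Request) -> str:
    """Per-request decision that never looks at the source network.

    Every request must be encrypted, come from a healthy managed device and be
    authenticated; sensitive applications additionally require strong MFA, and
    a weaker session is sent to step-up authentication rather than refused.
    """
    if not req.tls:
        return "deny"
    if not (req.device_managed and req.device_patched):
        return "deny"
    if req.auth_strength < 1:
        return "deny"
    if req.app_sensitivity == "high" and req.auth_strength < 2:
        return "step-up"
    return "allow"


def compare(req: Request) -> tuple:
    """Return (perimeter verdict, zero-trust verdict) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)


# Constructed scenarios (assumptions, not real traffic).
REMOTE_HEALTHY = Request("203.0.113.7", True, True, 2, "high", True)   # employee at home
INSIDE_COMPROMISED = Request("10.20.30.40", False, False, 1, "high", True)  # rogue host on LAN
REMOTE_PASSWORD_ONLY = Request("203.0.113.7", True, True, 1, "high", True)


if __name__ == "__main__":
    for label, req in [("remote, managed, MFA", REMOTE_HEALTHY),
                       ("inside, unmanaged, password", INSIDE_COMPROMISED),
                       ("remote, managed, password", REMOTE_PASSWORD_ONLY)]:
        print(f"{label:32} perimeter={compare(req)[0]:6} zero_trust={compare(req)[1]}")
```

The remote employee on a healthy, strongly authenticated device is refused by the perimeter model (and would need a VPN to get in), while the unmanaged host already inside the LAN is waved through; the network-agnostic policy reverses both outcomes, which is exactly why it kept working when workstations left the building.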

Now, one year into “15 days to slow the spread,” it’s appearing increasingly likely that many of the risks and evolutions driven by the pandemic will persist. The pandemic and subsequent lockdowns accelerated the pre-existing trends toward ecommerce and workforce mobility. While removing those accelerants is likely to decrease the pressure, the trends will remain. Furthermore, the need to evolve rapidly in the face of sudden external forces is common across business operations, information systems, and cybersecurity. COVID-19 is hardly the last crisis that we will face.

What causes some organizations to survive and thrive in such conditions while others struggle, sometimes to the point of extinction? What has the last year taught the business community about the properties of companies that will continue on through this natural selection chokepoint, and the next one, and the next? The common factor is resilience, which is born of organizational agility. While it’s true that some industries face greater pressure to evolve than others, agility is not exclusive to any one industry, company size, or company age. A culture of agility enables corporations to quickly make necessary changes in all areas of their businesses. In the words of Leon Megginson, often misattributed to Charles Darwin, “It is not the most intellectual of the species that survives; it is not the strongest that survives; but the species that survives is the one that is able best to adapt and adjust to the changing environment in which it finds itself.”

Here are several ways in which corporations can add agility into their cybersecurity programs. Indeed, most of the corporations whose cyber-risk management has thrived over the past year are already implementing these concepts.

  1. Elevate cyber-risk management discussions to the executive and board levels. Quantify the financial impact of significant potential cybersecurity incidents and determine the corporation’s risk tolerance in this space. How does that risk tolerance change in times of crisis? When corporate leadership aligns on this ahead of time, it becomes more feasible to rapidly adjust risk-mitigation measures appropriately as the need arises.

  2. Set the expectation that the cybersecurity program supports business objectives and that business leaders incorporate feedback from security and risk leaders into their decisions, even in times of crisis. Building a foundation of mutual trust and respect makes rapid business decisions possible while minimizing any increase in risk.

  3. Decentralize cybersecurity decision-making and ownership, for example by having management ask the head of each business unit to present cybersecurity updates for their own team. There will always be a need for corporation-wide oversight by a central security governance, risk management, and compliance team, but control selection and implementation should occur as close to the information-system owners as possible. This allows those controls to be adjusted appropriately and rapidly as conditions on the ground change, so that security enables the business rather than hindering it.

  4. Require that security and information technology leaders promote, measure, and report on their cultures of continuous learning. Every person on these teams should be encouraged to develop competency in an area of knowledge that didn’t exist three years ago. Security changes quickly; if someone performs their job the same way for five years or more, it may imply a rigidity that undermines agility. Continuous learning can help ensure that the organization will not be caught flat-footed when there is a need to pivot quickly to respond to new situations or threats.

The rate of change in cyberspace is unlikely to decrease. And while we may not be able to predict the nature of future crises and how they will impact business, we can take steps now to develop the agility necessary for our cybersecurity programs and companies overall to thrive. Evolve or die.

Sean Malone is the vice president of service delivery and chief information security officer at VisibleRisk.
