April 14, 2021
When cybersecurity programs and the controls they implement are rigid, centralized, and hierarchical, they become fragile. Fragile cybersecurity is insufficient to meet the needs of modern corporations and to keep pace with the rate of change in information technology and the business operating environment as a whole. The importance of understanding this has rarely been more evident than over the last year.
In March 2020, as the COVID-19 pandemic set in and politicians sought to balance civil liberties with the management of a public-health crisis, businesses faced similarly difficult decisions and a stark choice: evolve or die. Many companies rose to the challenge and found new ways to build and maintain positive relationships with their customers while maintaining their abilities to deliver goods and services despite the challenges. Some, however, failed to evolve quickly enough, and the list of companies that have filed for bankruptcy as a direct or indirect result of pandemic measures continues to grow.
Corporate information security was similarly forced to evolve. The near-universal move to remote work and the growth in ecommerce market share coincided with a sharp increase in coronavirus-themed misinformation and phishing attacks designed to prey on anxiety and the desire to be informed. Multiple high-profile response groups, including the World Health Organization and the Centers for Disease Control and Prevention, published advisories warning against such scams. This was a dangerous alignment of risk factors at a time when many corporations were more vulnerable than usual to the disruption a successful cyberattack can cause. There is never a good time to respond to a major incident, but the moment when your business is rapidly changing how it operates is perhaps the worst.
Cybersecurity teams rose to the challenge, though some struggled more than others. The migration of corporate workstations to home networks was particularly challenging for organizations that relied primarily on a perimeter security model, which seeks to maintain a secure boundary between the corporate network and the Internet and to keep adversaries outside that boundary. Beyond the problems that arise when corporate computing assets move outside the perimeter, this model has repeatedly proven insufficient: adversaries continue to gain access to the internal network, where they can then easily target the soft underbelly of a company's cybersecurity. Organizations that had, pre-pandemic, evolved their security models past this point, sometimes under names such as "BeyondCorp" or "Zero Trust," typically fared better over the past 12 months. With workstations already hardened to operate on untrusted networks, strong encryption and risk-based authentication already implemented for all corporate web applications, and those applications already accessible over the Internet, a sudden shift to working from home was far less disruptive to those businesses' security.
Now, one year into “15 days to slow the spread,” it’s appearing increasingly likely that many of the risks and evolutions driven by the pandemic will persist. The pandemic and subsequent lockdowns accelerated the pre-existing trends toward ecommerce and workforce mobility. While removing those accelerants is likely to decrease the pressure, the trends will remain. Furthermore, the need to evolve rapidly in the face of sudden external forces is common across business operations, information systems, and cybersecurity. COVID-19 is hardly the last crisis that we will face.
What causes some organizations to survive and thrive in such conditions while others struggle, sometimes to the point of extinction? What has the last year taught the business community about the properties of companies that will continue on through this natural selection chokepoint, and the next one, and the next? The common factor is resilience, which is born of organizational agility. While it’s true that some industries face greater pressure to evolve than others, agility is not exclusive to any one industry, company size, or company age. A culture of agility enables corporations to quickly make necessary changes in all areas of their businesses. In the words of Leon Megginson, often misattributed to Charles Darwin, “It is not the most intellectual of the species that survives; it is not the strongest that survives; but the species that survives is the one that is able best to adapt and adjust to the changing environment in which it finds itself.”
Here are several ways in which corporations can add agility into their cybersecurity programs. Indeed, most of the corporations whose cyber-risk management has thrived over the past year are already implementing these concepts.
The rate of change in cyberspace is unlikely to decrease. And while we may not be able to predict the nature of future crises and how they will impact business, we can take steps now to develop the agility necessary for our cybersecurity programs and companies overall to thrive. Evolve or die.
Sean Malone is the vice president of service delivery and chief information security officer at VisibleRisk.