2021 Global Top 100 LinkedIn Live Panel Discussion – North America

Securing Remote Organizations

One of the biggest changes the corporate world has had to adjust to in the wake of the global COVID-19 pandemic has been the shift to remote work.

This move was a unique challenge for security professionals globally, who had to work quickly to ensure cyber protections would remain in place for staff that were moving outside of the trusted office network. New processes that enabled that shift also needed to be deemed secure.

The work went beyond expanding the security services that were required for remote teams. Training and education played a major role in emergent security strategies, and driving awareness of remote-work specific threats was another important task for CISOs and their peers.

During our recent North America LinkedIn Live session with members from the Business of InfoSec Global Top 100 Leaders in Information Security, our panel share some of their lessons from the transition and offer advice on embracing the change successfully.

Learnings from Rapid Transition

Chris Lugo, the global Chief Information Security Officer for science, medical and technology product development organization Danaher says COVID-19 highlighted how publicly visible some of the business units within the organization were, which changed how his team looked at digital risk.

“It really upped the ante for us in taking a harder, longer look in some different areas of our brand and our brand reputation and what we look like from an attacker's point of view,” Lugo says. “We took a long look at what our priorities were and we made some adjustments and updates.

Harvard University Director of Information Security, Education & Consulting, Sandy Silk, says that while the university is very cloud-first in many parts of its infrastructure, some adjustment was naturally required.

“We were in a good situation but some things we just hadn't anticipated, like teaching faculty how to use various video conferencing and video learning platforms [and establishing] identity and access management for people outside of our immediate community,” Silk says.

“When you're collaborating with researchers at external locations and external organizations, how do we get them onto the trusted network remotely?” she adds.

Deneen DeFiore, Vice President and Chief Information Security Officer with United Airlines, says COVID-19 fundamentally changed business models and the way the organization interacts with its employees and customers.

“We quickly realized that our attack surface was now everybody's home network or wherever they were connecting from,” DeFiore says.

DeFiore’s team needed to develop a security model that enabled protected new digital systems and allowed their employees to work securely wherever from anywhere.

“[We were] leaning into digital transformation with contact lists, travel experiences, or self-service options that weren't available before to make sure that we were securing those processes and those business outcomes appropriately,” she says.

Creating Remote Cybersecurity Culture

The panel were quickly successful in switching on the technical aspects of their remote security strategies, such as software and services. But how did they go about instilling the security mindset and cultural changes required for home-bound employees?

“We tried to deliver as much upfront communication around not only how to use tools like Microsoft teams and some of the other collaboration suites, but how to do it in a secure way and also how to leverage other available offerings,” says Danaher’s Chris Lugo.

“We also really doubled down our efforts on data security and what it means to classify data, what the impetus of classifying data is, what data can be shared and with whom, including what platforms should be used to share that data with different external parties, knowing that everyone was working in a different way.”

Gary Gooden, Chief Technology and Security Officer at Seattle Children’s, says the organization pivoted quickly to remote work (aside from the clinical health care providers who are required on site) and led with security all the way. For Gooden, a guiding principle around rolling out those changes is the user experience.

“The other thing that we have been focusing on is really taking this opportunity to work on what I refer to as the ‘True North Star’, which is the end-user experience. Applying security in such a way that what you are really doing is having the right security controls, whether it be BYOD or not, while removing friction.

“The ‘True North Star’ is the end-user experience. The whole idea of computing and being able to get to anything from anywhere, anytime with the right security controls in place. That's been foundational to what we've been trying to do. And it's all predicated on our zero-trust framework.”

Pentest-as-a-Service platform Cobalt.io’s Chief Information Security Officer, Ray Espinoza, says instilling security responsibility in the minds of staff was heavily invested in from the outset of the company.

“We're a security vendor. We're held to a little bit of a higher standard when it comes to security as a cloud provider,” he says.

“With that, the extension of the security team really is everybody within the organization. All we asked is for folks to lean in and we would drive education and provide a safe place for them to be able to come and learn and ask questions.

“We did that a number of different ways, which resonated really well and continues to serve us well especially during the pandemic. We do security NPS to get a good understanding of, rather than would they recommend us to a friend, are they confident that us as a security organization are doing the right thing at the right time? Are they empowered and do they feel supported in their role? We drive a lot of education to them and security office hours where we do lightning talks.”

It is encouraging to hear from security experts that are passionate about ensuring their colleagues across the whole organization have what they need, know who to seek help from and comprehend the importance of cybersecurity today. Of course, security leaders won’t get far in rolling out an extensive and ambitious strategy without the backing of management.

Marian Reed, Founder and President of SecurRisks Consulting, says executives need to understand their business and the risks associated with the kind of services they provide, and then have the ability to translate those risks for an executive audience.

“When you're able to do that, it's easier to get the buy-in,” she says. “It's easier to get the budget dollars that you need to really mitigate those risks. “It's really important that you understand the business. You can't identify a risk and you can't go in front of an executive board and request funding for a project if you can't really explain the risk and understand what that impact is to the overall business.”