By Christian Aboujaoude, chief technology officer at Keck Medicine, USC
In the pre-pandemic days, security solutions could be more basic. Securing the perimeter could be likened to locking the door of your house. But with remote workers taking devices off premises and sometimes using their own, securing the workplace requires a new approach. Sophisticated threats come from every angle, and preparing a complete defense is vital.
We are in an environment of constant change and unexpected events. Just when many people began welcoming a post-pandemic world, cases started rising again, and the need to apply proper controls, governance, education, and tools for remote workers once more became top of mind for many cybersecurity leaders.
For CISOs and their teams, the challenge is to build a culture that facilitates the ability to adapt to change on an ongoing, continuous basis. This requires a new mindset in securing all users — remote users, in particular. It also means evolving your approach so that cybersecurity is no longer viewed by business management as a cost center, but rather as a means of competitive differentiation and innovation for the organization.
In my view, there are three critical aspects to changing the culture and mindset to adapt to current and future cybersecurity challenges, particularly as remote work becomes more deeply ingrained as a business requirement:
1. Education: Develop a deep understanding of every aspect of your organization and spend a lot of time and attention on education – for everyone, whether they are on your security teams, in your executive suite, front-line workers on-premises, remote workers, or anywhere else in your ecosystem.
2. Technology: Even in some larger organizations, basic technologies – such as multi-factor authentication or secure VPN – are not given the priority necessary to allow remote workers to operate in a more controlled environment. It is important to have the basics under control before adding innovations, such as Zero Trust.
3. Procedures and practices: It is vital to maintain a philosophy of ongoing education along with continuous evaluation of the technology your organization is using or, in some cases, not using. From a procedural perspective, you must understand everything in your environment. Once you understand it, you can assess and address its impact on your current risk and overall risk profile.
1. Leveraging education to secure remote workers
The reason education tops my list is that over 80% of cybersecurity events relate to people. Everyone needs to truly understand what cybersecurity is — and that it’s not just a password or two-factor authentication. Cybersecurity is an approach — a mechanism. It’s how you go about conducting work. Achieving a strong cybersecurity posture takes cultural change, behavioral change, and constant learning.
When users were largely on premises, most organizations could compensate for potentially dangerous behavior by having multiple controls to help protect them. However, when those same people go remote, there’s a bit of a loss of control and governance. There are technologies to help cover user behavior, but it is better when the behavior doesn’t exist in the first place.
This means that we must educate folks on cyber hygiene, making sure they understand that the steps they take at work may not be the steps they take when they are working remotely or from home. This is especially critical in this very open-ended environment, where a user’s device may be used by other people in the home.
2. Leveraging technology to secure remote workers
Strong foundations are also important from a technological perspective. You must make sure you have controls, processes, and governance for multi-factor authentication and secure VPN. It’s those things that pave the way for Zero Trust.
My best advice is to approach everything from the bottom up, understanding not just your inventory but every single behavior that takes place from a public-facing standpoint. This is especially important for remote workers. A good place to start is by asking yourself and your team key questions:
Do we know what our environment actually contains?
Are we aware of all the devices and services running in our environment?
Do we have an inventory of all of our IoT devices?
Do we understand the needs and potential risks of all of our users?
Do we know the needs of each application and user based on key criteria such as performance, availability, resilience, data usage, and, of course, security?
Fundamentally, you need technology tools that can exist on your network and identify all connected devices. I’m talking about tools that are able to actually interrogate the network, understand packets, and capture specific metadata for each device to determine how it lives on the network.
3. Leveraging procedures and practices to secure remote workers
If you haven’t figured it out by now, I’m a huge stickler for inventory. From a process standpoint, you must understand your inventory: what it is, what it means, and why it matters — as well as its impact on your business and your security posture.
So, from a procedure standpoint, you need something in place that is able to identify what you have in your environment. Then you must relate and correlate that information to any situation, to the point where you can say about any device: “This device is connected to this application that lives here and does that.”
From there, you can build a configuration management database (CMDB) approach to really understand your environment and have processes in place to integrate with your ITSM tool so you can execute the specific actions you need to take.
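The discovery-to-CMDB-to-ITSM chain described above can be sketched in code. The following is an added example, not the author's or Keck Medicine's tooling: it takes constructed records of what a network-discovery tool might report (MAC, address, vendor guess, observed protocols), reconciles them against a constructed CMDB extract that maps each device to its application, owner and site, applies a hypothetical policy, and turns every gap into an ITSM-style work item addressed to the owning department. The device names, protocol sets and policy rules are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: what a passive network-discovery tool might report
# for each device it sees. Values are made up for this example.
OBSERVED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.1.21", "vendor": "Acme Medical",
     "protocols": {"dicom", "https"}},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.10.1.22", "vendor": "Acme Medical",
     "protocols": {"dicom", "telnet"}},      # legacy management service left exposed
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.10.2.40", "vendor": "Unknown",
     "protocols": {"http"}},                 # nobody in the CMDB knows about this one
    {"mac": "aa:bb:cc:00:00:04", "ip": "10.10.3.15", "vendor": "Contoso Laptops",
     "protocols": {"https", "vpn"}},
]

# Constructed CMDB extract, keyed by MAC: "this device is connected to this
# application that lives here", plus who owns it.
CMDB: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"asset": "ct-scanner-01", "application": "radiology-pacs",
                          "owner": "Radiology", "site": "main-campus"},
    "aa:bb:cc:00:00:02": {"asset": "ct-scanner-02", "application": "radiology-pacs",
                          "owner": "Radiology", "site": "main-campus"},
    "aa:bb:cc:00:00:04": {"asset": "lt-remote-0117", "application": "ehr-client",
                          "owner": "Care Coordination", "site": "remote"},
}

# Hypothetical policy: protocols that must never be exposed, and the access
# path every remote endpoint is expected to use.
POLICY = {
    "forbidden_protocols": {"telnet", "ftp", "smbv1"},
    "remote_must_use": {"vpn"},
}


@dataclass
class Finding:
    mac: str
    ip: str
    status: str            # "ok", "unknown" or "noncompliant"
    reason: str
    owner: str = "unassigned"
    application: str = "unassigned"


def reconcile(observed, cmdb, policy) -> List[Finding]:
    """Correlate each observed device with the CMDB and check it against policy."""
    findings: List[Finding] = []
    for dev in observed:
        record = cmdb.get(dev["mac"])
        if record is None:
            # Seen on the wire but unknown to inventory: the gap the article warns about.
            findings.append(Finding(dev["mac"], dev["ip"], "unknown",
                                    f"seen on network ({dev['vendor']}) but absent from CMDB"))
            continue
        exposed = dev["protocols"] & policy["forbidden_protocols"]
        if exposed:
            findings.append(Finding(dev["mac"], dev["ip"], "noncompliant",
                                    "exposes forbidden protocol(s): " + ", ".join(sorted(exposed)),
                                    record["owner"], record["application"]))
            continue
        if record["site"] == "remote" and not policy["remote_must_use"] <= dev["protocols"]:
            findings.append(Finding(dev["mac"], dev["ip"], "noncompliant",
                                    "remote endpoint not using the required access path",
                                    record["owner"], record["application"]))
            continue
        findings.append(Finding(dev["mac"], dev["ip"], "ok", "inventory and policy match",
                                record["owner"], record["application"]))
    return findings


def build_tickets(findings: List[Finding]) -> List[dict]:
    """Turn every non-ok finding into an ITSM-style work item for the owning department."""
    tickets = []
    for f in findings:
        if f.status == "ok":
            continue
        tickets.append({
            "title": f"[{f.status}] {f.mac} ({f.ip})",
            # Unknown devices have no owner yet, so they go to the security team to triage.
            "assignment_group": "security-operations" if f.status == "unknown" else f.owner,
            "impacted_application": f.application,
            "description": f.reason,
            "priority": "high" if f.status == "noncompliant" else "medium",
        })
    return tickets


def cmdb_coverage(findings: List[Finding]) -> float:
    """Fraction of observed devices the CMDB accounts for (a simple inventory KPI)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.status != "unknown") / len(findings)


if __name__ == "__main__":
    results = reconcile(OBSERVED_DEVICES, CMDB, POLICY)
    print(f"CMDB coverage: {cmdb_coverage(results):.0%}")
    for ticket in build_tickets(results):
        print(ticket)
```

Run as-is it reports 75% CMDB coverage and opens two tickets: one to Radiology for the scanner exposing telnet, and one to security operations for the device the CMDB has never heard of. The point of routing by owner is the conversation the article describes later: the ticket lands with the department that can answer what the device is for, not only with the security team.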
Maintaining ongoing processes also relates back to my first point: education. CISOs need to ensure training and education continue when people work from home or remote locations, and they need to have tests, controls, processes, and governance to continuously identify and correct non-malicious but potentially dangerous behavior. Quick-hit training without repetition is rarely effective.
If I could leave CISOs and other cybersecurity leaders with a key takeaway from this article, it would be this: Every CISO should figure out how to balance the business operations of their organization with a security mindset that is not destructive to the business but is, in fact, built into the fabric of the business. In order to do that, I urge all security professionals to take the time to understand as much as they can about the business in which they work.
Note the emphasis on the business, not cybersecurity. Most security professionals know security exceptionally well. But if they don’t have an equally exceptional understanding of their business or organizational needs, they are potentially setting themselves — and their organizations — up for failure.
Whether you are the CISO or anyone on the security team, you need to be able to go to the people in any department and have detailed conversations with them related to their protection and their business needs. It may start with something simple: “We saw that you have these devices. They are not in compliance with our security posture, and we need to take this action or we will be forced to take them offline.”
Of course, the immediate reaction will be: “You can’t do that!” And the response is: “Yes, we know. That’s why we have to fix the problem.” A solution-focused and service-focused mindset is key.
The opportunity ahead
Remote work is here to stay. To make it successful, you have to make it secure. Cybersecurity leaders and their teams have an opportunity to make huge contributions to their organizations over the next few years by developing cyber-aware cultures that are both agile and responsive to the changing needs of their organizations.
By focusing on the fundamentals, CISOs can prepare themselves, their teams, and their organizations to be ready for whatever comes next. As we’ve learned all too well over the past few years, change is the only constant in cybersecurity. Be ready.
About the author:
Security Roundtable author, Christian Aboujaoude, is the chief technology officer at Keck Medicine, USC.