At last, I went to a grocery shop with enough precautions after using multiple online delivery services for weeks. And I found that most people are following health advice and keeping safe distances, although it makes it hard to recognize anyone wearing a mask. This was, and still is, an unusual experience for everyone. COVID-19 is the biggest challenge that we face today. The COVID-19 pandemic has forced us to stay home to save lives and has given us time to rethink our actions and prepare for a healthier future.
By Hemanta Swain, Global Head of Information Security, II-VI Inc.
Through my personal experiences and learning from COVID-19, I realize that this pandemic resonates closely with my Infosec professional life. This may not be new for cybersecurity professionals, but I will outline a few of my experiences here. In the minds of many people, this transition from physical to digital is inevitable, unstoppable, and irrevocable, even though cash is still used for most retail purchases globally (COVID-19 influence aside).
1. Basic (Health/Security) Hygiene: The pandemic has reminded us all that the most basic of hygiene strategies, handwashing, first to be discovered to be effective against spreading disease in the 1850s, is still one of the most important ways to stop the spread of diseases in 2020.
As for cybersecurity, we should be reminded that basics cannot be ignored in our industry either. It’s not uncommon to see security professionals lagging behind in the adoption of the latest technologies that address challenges (advanced threats) and support business priorities. We are also reminded of the number of breaches that happen because of haphazard patching and other basic requirements not being met. Just like with handwashing, all cybersecurity professionals know that keeping up to date with patches is key to protecting the organization from easily avoided breaches. Moreover, we tend to overlook the basic health of our infrastructure, systems, and applications. This becomes evident during a security breach.
In my view, both are needed, but there should be a continuous effort to keep basic security hygiene intact. This is essential to build a sustainable security posture. One can and should follow CIS top 20 controls and OWASP top 10 list with secure access using multi-factor-authentication, regular patching, vendor risk assessment, email security, and endpoint security protection. But basic security hygiene is the key.
2. Segmentation (Shelter-in-place and Isolation): During this pandemic, we’ve seen, perhaps for the first time, the entire world sheltering in place simultaneously. We’ve seen how isolating people from their networks of friends and extended family drastically helps contain infection rates.
The parallels in cybersecurity are obvious: understand your business, infrastructure, applications, and the most valuable assets. Appropriately segment your network, systems, and applications to allow access to only those who require it. This is beneficial to minimize impact during a crisis, allowing you to contain any breaches and will be a foundation for your zero-trust framework.
3. Security (Health) Leadership and Culture: If this pandemic has taught us anything, it’s that when health leaders, politicians, and local culture are in line with best practices for limiting the spread of the disease, the effects of COVID-19 are minimized more quickly and with fewer deaths. When messaging to the public is unclear, valuable time is lost and local culture doesn’t shift quickly enough to impact results.
For cybersecurity, it’s imperative to clearly define roles and responsibilities to take appropriate action in a timely manner, especially during a crisis. Security leadership helps to build a security-aware culture, which is essential to reduce risk and costs related to security. Yes, there is no infinite budget, and this will impact your bottom line and resource requirements, but it is crucial to present the risks with impacts to senior leadership and come to agreements on the next steps.
Security professionals recommend options based on the risks they discover, but if senior management cannot make quick decisions, there can be significant impacts on handling crises. Security leadership reporting is very important, not only to enable a quick decision-making process but to build a security-aware culture. Employees will follow not only the CISO but also senior management because they highlight the importance of security. To be successful, create an executive security leadership council consisting of business and IT senior executives for business alignment and continuous risk management to build a security-aware culture.
4. Quick Action and Communication: Infectious disease experts have long known that quick action at the first sign of a pandemic is key to mitigating its impact. In order to act quickly, adaptable plans must be in place and teams must be trained and kept on standby in the case of a crisis. Attempting to piece together an ad-hoc plan in the middle of active pandemic wastes critical time. Having plans in place allows leaders to accurately communicate to the public what steps have been taken, what they should expect next, and what they need to do to avoid infection. Communicating on the progress of the response to the pandemic and successes and failures in a transparent way is very important to ensure public compliance with any measures they are being asked to take.
It’s obvious that this is just as true in cybersecurity. Processes should be in place to facilitate quick action in a timely manner. Security councils, senior leadership, and Boards of Directors communication protocols should be in place. Upper management must make quick decisions to minimize the impact based on security leadership recommendations. Unfortunately, security breaches are unavoidable and security professionals should be prepared to handle breaches when they occur.
The most important action while handling a breach is communication. Communication with customers, partners, and supply chain networks should be considered in the planning process. Additional help from industry experts inside and outside the company should be called in to help during a crisis.
5. Quick Recovery: We’ve seen successful and botched re-openings around the world and the difference between the successes and failures seems to be how much planning and data went into each decision to re-open. Those locations that rush to re-open in order to get back to business have risked more infections and more deaths, which further hamper economic recovery. A balance must be struck in order to ensure that any re-opening is safe and appropriate for the level of recovery of the state or country.
In a breach or other cyber incident, business continuity and service recovery are extremely important to minimize the impact and return business back to normal. However, rushing to get back to business can have similar effects if the incident has not been properly remediated or fully understood. Continuously review your preparedness, including the current disaster recovery plan, and backup and restore capabilities. Have frequent tabletop exercises with stimulated security breach situations to test your recovery plan.
This story first appeared in the August 2020 issue of CISO MAG. Subscribe now!
About the Author
Hemanta Swain is the Global Head of Information Security, II-VI Inc. Hemanta has 24+ years of IT experience including 18+ years of Cybersecurity & Risk Management expertise. Hemanta performed various security technical leadership roles for companies like GE, Wipro & a few early-stage startups. Hemanta holds multiple Industry-standard technology certifications including CISM and CISSP.
The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.