Organizations worldwide have undergone one of the most massive and comprehensive network changes in history. It has required literally millions of workers to transition from their traditional on-premises work environment to remote telework. IT teams have put in countless hours to make sure everyone had access to the corporate network from whatever device was available to them. And they also had to ensure that critical resources and applications were now available remotely. And in the rush to make this transition, the CISO had to ensure that, from a security perspective, nothing fell through the crack.
Part of the challenge is that we have seen a tremendous spike in criminal activity aimed directly at this new remote worker environment, searching for inadvertent security gaps and looking to exploit novice teleworkers. Of course, the first priority of the CISO has been to ensure business continuity. But now that the help desks have started to cool off and workers are back online and collaborating at a safe distance, it is time to reassess what the next steps ought to be.
We recently sat down with four of Fortinet’s Field CISOs – Sonia Arista, Joe Robertson, Courtney Radke, and Alain Sanchez – to discuss the challenges their CISO customers are facing now that the initial phase is over. These CISOs, working in regions around the world, have spent the last few weeks on the front lines helping their customers make this business transition without sacrificing security in the process.
Q: What problems are CISOs trying to solve now, given that remote telework is up and in motion in most places?
Sonia Arista – I would have to say that maintaining a consistent, strong security posture in the midst of varying asset profiles related to BYOD usage is the top priority of the CISOs I have talked with. For security teams trying to absorb the latest threat intel and assess what risks are applicable to the enterprise, the rapid introduction of personal computer assets over the last several weeks associated with the pivot to remote workers has exacerbated the problem considerably. CISOs managing a largely remote workforce are rightly concerned with enterprise intellectual property (IP) and customer data moving onto storage repositories or being downloaded onto assets that are not protected or owned by the enterprise.
Joe Robertson – I would have to agree. Initial connectivity for remote workers was necessary but, in most cases, not sufficient. We’re already hearing from CISOs that the rush to provide access has resulted in security gaps that make them feel very uncomfortable. This is especially the case for staff that are using their home computers for access. This is no different from previous BYOD situations, except the scale has grown, sometimes exponentially. So CISOs are looking to find ways to secure endpoints, provide effective network access control, and ensure that data and applications are accessed only on a need-to-access basis.
Sonia Arista – Yes, if investments have not been previously made in implementation of data loss prevention (DLP) tools or cloud access security brokerage (CASB) solutions, they are most likely considering these now as a mechanism to maintain visibility.
Alain Sanchez – The trick is to ensure that everyone is on board with understanding the risks of this new teleworking model. Rallying the entire corporation to the security cause is becoming all the more crucial. The challenge is that when every department is focused on keeping efficiency and productivity on, CISOs become the guardians of the data galaxy. They have to hold the line on never trading security for speed, never compromising on data integrity – especially as lines open through Telcos and home wireless networks that were never designed for such an explosion of confidential traffic, and never give up on visibility as people exchange and store vital documents over shared applications and on home devices.
Courtney Radke – Yes, but it’s not entirely business as usual. A sometimes overlooked issue is that work is no longer confined to normal business hours. With everything going on, remote workers are keeping more irregular working schedules – meaning your previous baselines of user behavior need to be adjusted. To echo earlier comments, now that more data, and more types of data, are traversing networks, both inbound and outbound, data security policies must also be adjusted to ensure work can be performed fluidly while also avoiding negative impact to a company’s security posture.
Alain Sanchez – In such a new and light-speed-evolving context, a holistic vision of security has never been so crucial. Teleworking brings the security challenge to a next level. I see CISOs addressing these challenges by taking a unified approach to cybersecurity – where native integration of all security components, even third party solutions, need to work together to serve the very dynamic needs of the company during this time.
Q: What are some best practices you would give CISOs at this stage of securing their infrastructure – beyond the initial “securing remote workers?”
Joe Robertson – What this crisis of confinement has clearly illustrated is the importance of securing the endpoint. Companies with great defenses in the data center and on-site in the headquarters and major offices suddenly find hundreds or thousands of weak links in employees’ homes. The computers they use have access to the DC via the VPN (which IT controls) as well as direct access to the internet (which it doesn’t). Endpoint protection often needs to be beefed up substantially. So if you haven’t dusted off your Business Continuity/Disaster Recovery (BCDR) plan yet, get it out now. And if you don’t have one, put that near the top of your to-do list once the initial crisis has been dealt with.
Courtney Radke – Also make sure you have defined your new ‘security baseline.’ As I mentioned before, the where and when of work has changed dramatically over the last 90 days. While you may have had a good idea of where your users were accessing your protected networks from previously, and even what device they were using, you may need to reevaluate your policy to ensure users are not being denied access – though you have probably already heard about that from the help desk team. But there is also an aspect to this that you may not have heard about, and that is the potential influx of non-legitimate traffic attempts over denied ports or from nefarious locations. It is important to understand your new traffic patterns, set new baselines, and build new alerting and reporting guidelines.
Alain Sanchez – I see this as having three parts. The first is to federate your workers. Compensate for social distancing by regular, action-oriented e-meetings and by relentlessly reminding the teams – and that includes the executive team – of healthy security practices. Do not give up on training in times of crisis.
Next, unify your security systems. This is a good moment to rationalize the design and the enforcement of a unified security policy. Remote worker status should not be an exception to any of the fundamental security rules that serve the company. Review and deploy application prioritization, and make sure the different classes of remote users actually correspond to the needs of the business. Consider access rights in the light of this new environment as well. Remote resources should not be the weak link in your security strategy.
Finally, integrate innovation into your transition. If you have the opportunity, replace old solutions and technologies with new ones that can bring your digital innovation to the next level of security.