How the role of the CISO and corporate security controls need to expand after the pandemic 

Marc Lueck, CISO EMEA at Zscaler

Many large businesses have already made it clear that even after the acute COVID-19 situation has abated, the world of work will no longer be the same. Business and finance heavy-hitters, including Barclays and WPP, are already predicting that large offices may be a thing of the past, and the remote working future has arrived faster than originally forecast. 

Such a permanent change in working habits raises a number of interesting questions for IT. One of them is the role security will need to play in a business landscape with an increasingly disparate workforce. As we have all likely experienced during the past few months, an extended period of at-home work has blurred the lines between the corporate IT environment and our own private lives, with technology-enabled security controls and processes sometimes getting lost along the way. Who amongst us is not guilty of using their corporate devices for personal internet browsing recently, or of allowing their children to access their favourite apps from their business laptop?

As long as staff have been working from the office, corporate security controls have provided an overall layer of security for accessing applications, the internet, and, now, practically everything in the cloud. But the question we now face is: how are enterprises going to keep the same level of security when their staff have moved out of the range of these controls? Not only does this situation require a reconsideration of the security layers at play, but also a reassessment of incident response plans. It also brings up another question—where does the security responsibility rest in this new work environment?

Rethinking home office tech

Applying the same level of security controls to remote workers as to office-based staff is simple enough. Zero trust network access (ZTNA), as part of the secure access service edge (SASE) framework developed by Gartner, can ensure that workers have the same level of protection when accessing the internet and work applications no matter where they are or which device they use. The idea behind the SASE framework is that traffic is secured throughout its journey from a user to an application, regardless of where the user is or where the application is hosted. Thus, the edge of the traditional perimeter is moved to every single user. Working more regularly from home, however, is a far larger cultural shift than most technologies can surmount, as there are broader considerations and additional layers of security to take into account.

Even before the current crisis, Zscaler research had shown a huge uptick in shadow IoT devices connected through the corporate network. With the new workplace encompassing users’ own homes, an even broader array of often unsecured devices, from smart TVs to internet-connected refrigerators or HVAC systems, should now be considered potential threats. That means a whole lot more than just a laptop and a smartphone needs to be secured when your employees are working from home. And security includes more than just ensuring the remote employee’s connection to the corporate network. In this new normal, do employers need to rethink what constitutes the corporate network? Are employees’ own homes now an extension of the corporate network, and if so, do employers have to look at the wider threats in the home environment as much as they would in the corporate network, and include homes in their vulnerability management programmes?

The psychology of the office

A second, less tangible (but still important) aspect of security that needs to be considered is the cultural one. The mindset of working at home differs considerably from the office environment. A work laptop, when it comes home, can easily become a home laptop that is used for personal browsing. Even the rest of the family might be tempted to use this laptop for homework or social interaction with friends. This is where the boundary gets even more blurred, introducing additional risk factors that traditional hardware-based infrastructures find difficult to secure remotely. Additionally, employers may need to look at ways of securing or segregating home office environments in new, non-technical ways.

Similarly, another non-technological security threat lies in a more relaxed security posture. In the office, there exist collaborative security processes that are weakened by remote working. Natural practices, such as locking one’s screen when leaving the desk or ensuring that confidential meetings and phone calls are kept private, without others in earshot, will often fall by the wayside outside of the corporate environment. This may seem paranoid, but cybercrime does not always take place in a digital space. And, with kids often present in a home office setting, accidents can happen. Social engineering is a key attack vector for bad actors, and with psychological restraints somewhat lifted through remote working, employees are inevitably an easier target for manipulation.

Dr. Jessica Barker, co-CEO and Socio-Technical Lead at Cygenta and Chair of ClubCISO, points out that security awareness and culture have to take on a new role in the working-from-home scenario: “In the last couple of months, many organisations have undergone a more radical digital transformation than they may have undertaken over the last few years. For many, there was no longer a choice about whether they would move data to the cloud, or enable remote working at a large scale; it was a necessity for business survival. As much as we recognise the impact that these changes have had on our relationship (and dependence) on technology, we also need to address what it means for cyber security awareness, behaviour and culture. It is vital that organisations consider the impact of working from home, rather than the office, on the security mindset for individuals and teams. Address the impact this could have on security behaviours, such as whether people know how to report a suspected security incident, and whether they understand that it is still crucial that they do so. At the same time as this huge shift in working patterns, social engineering attacks are attempting to exploit the anxiety, stress and fear which has been caused by COVID-19; awareness, behaviour and culture are more important than ever before.”


Assessing a new level of risk

The psychological factors introduced by the home working situation, in particular, go beyond the security assessment parameters that security stakeholders apply in the corporate environment. These new risk factors are outside of corporate control. This opens up a new layer of risk assessment within an organisation. Which employees could potentially share confidential data within their own homes, and how does a company mitigate that risk? If this remote working situation does indeed become the new normal, what steps do companies need to take to ensure a safer work environment?

What this all boils down to is: if additional measures must be put into place, who within the company is responsible for them? Traditionally, some of these activities would fall under the remit of HR or the data privacy officer. Realistically, however, is HR set up to perform these kinds of risk assessments and mitigation processes?

The CISO, in my opinion, should be responsible for shepherding corporate data in all its possible forms. As the risks to corporate data broaden through extended remote working practices, and as it becomes more difficult to maintain the existing corporate security posture, the CISO’s responsibilities will need to broaden to match the new level of risk of a home office culture. The CISO function must learn rapidly, shine a light on the new risks unleashed by the new work environment, and establish a new security culture. Only if a company is alert to a risk can it be assessed and included in an updated risk framework.
