Too often organizations play roulette with their legacy systems, which is fine until it’s not. If organizations can’t kick their legacy software habit, they had better be prepared to protect it. CISOs will inevitably need more budget to maintain the software and protect the data within it, which may ultimately cost more than upgrading to the current version. Given the higher risks and costs, CISOs should just say “no” to legacy software.
Once employees began working remotely, the insider threat moved outside of the network and into homes. Most insider attacks are unintentional; however, CISOs must prepare for and respond quickly to sabotage. CISOs should aspire to have full visibility and control of who in the organization handles sensitive data like financial information and customer records. Doing so somewhat mitigates insider risk. CISOs must also ensure the entire workforce is cyber resilient. It’s not enough for employees to know phishing attacks are a threat; they must also know how to defend against them.
Supply chain cyberattacks have increased dramatically since the start of the pandemic. To mitigate this risk, CISOs need a vendor risk management strategy that includes knowing which vendors have their data, what type of data they have, and where they store it. A defined patch management strategy also helps CISOs mitigate supply chain risk. If you receive a patch notification from a vendor, you should trust that it’s a good patch. You should, however, test that patch within a secure environment before releasing it into the network. In other words, adopt a trust but verify approach.
New challenges are coming to light as employees return to the office. One near-term challenge CISOs must be aware of is balancing a workforce in which some employees work in the office while others remain at home. Some employees fear their careers will stall if they continue to work from home, compared to their in-office coworkers who get daily face time with upper management. Will the fear of not being promoted outweigh the fear of returning to the office? Only time will tell.
Cyber-crime complaints increased 69% from 2019, according to the FBI’s 2020 Internet Crime Report. It’s no surprise therefore that industries are now setting higher standards and requirements, especially in the government sector where a breach could have catastrophic consequences. The Cybersecurity Maturity Model Certification, or CMMC, is a unified standard designed to enhance the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC measures an organization’s ability to protect FCI and CUI and applies to over 300,000 DoD contractors. Requiring CMMC certification is a good first step for setting a security standard, but there is still a lot more organizations can do to protect classified information.
As more working adults receive vaccinations, it’s time for CISOs to create their post-pandemic plans. These plans must address employee concerns about returning to the office, protocols for employees who wish to continue to work remotely, and whether or not the organization will employ out-of-state talent. CISOs must consider these and other important questions as business leaders start to look ahead.
Being an effective leader is difficult during ordinary times, let alone during a global pandemic. Covid completely changed our lives, including the way we work. The best leaders adjusted quickly. CISOs, no strangers to adaptation, led this change in many companies. The pandemic’s effects will be felt long after the last person is vaccinated. Business and security leaders therefore must continue to evolve in how they lead and defend their organizations against cyberattacks: secure remote technologies, beef up security education and awareness for employees, and even mix up daily board briefs. These and other examples keep businesses nimble and responsive. They also keep employees alert and engaged.
The shift to remote work forced organizations to accelerate their digital transformation initiatives, creating significant security risks. While a zero-trust model may mitigate work-from-home risks, it may not be realistic for smaller organizations. However, there are several steps CISOs can take to improve their security profile as part of a broader digital transformation.
The pandemic has eradicated the traditional 9-to-5 workday. Employees are juggling kids, pets, and family during the day on top of their daily work responsibilities. Some employees handle it better than others. The younger workforce, in fact, has not only adapted to this new work environment, they’ve thrived in it. CISOs and other leadership members must accept this new work environment, including flexible work hours, and trust that the work will get done. Delegate tasks, set a hard deadline, then trust the work will be completed on time. Adopt a trust but verify approach and check in if needed, but otherwise refrain from micromanaging.