How Security Programs Are Changing After COVID-19: Maximizing Resiliency
When Security is Seen as a Business Enabler We All Win
The COVID-19 crisis and its associated constraints taught us how to identify priorities based on the most important outcomes. It showed us that many of the activities we considered “priorities” before March are not really priorities. And it further highlighted resiliency as one of the key objectives of security programs to help businesses maintain productivity and drive competitive advantage.
As we progress through this period that will have lasting effects on how we work and live, we must continue to select priorities that allow us to focus on our most important objectives. Assuming a distributed working model needs to become the norm, not the exception, the question we need to answer is how to secure data, processes, and communication irrespective of where employees and third parties are located.
Security teams are changing where they focus their time, effort, and budget accordingly. McKinsey & Company recently surveyed 250 global CISOs and security professionals and found that, over the next 12 months, large enterprises will spend even more on network security, identity and access management, and messaging security, which are the exact priorities of a distributed workforce and infrastructure. As for cybersecurity vendors, McKinsey identified various opportunities to support customers, including rethinking service delivery and solution deployment models, and creating additional offerings.
With respect to enterprises, we’ve seen ample evidence of shifting priorities and investments over the last few months, as security teams work in partnership with business leaders to tackle the following longstanding challenges:
• Accelerate business, securely. The days of security as a barrier to business are gone. The COVID-19 crisis has shown us that security can enable business to move fast and do so securely. Seemingly overnight, projects related to digital transformation, modernizing infrastructure and access, and enabling collaboration happened. And they paid off, improving the bottom line and helping move businesses forward. But we’re just getting started. As we continue with these initiatives, the goal is to build security into those new processes and infrastructure. We will have to disrupt the old ways in which we worked, but we cannot let this stop us. We now know how much is possible when we think of security within the context of enabling the business.
• Reduce complexity. For years, the go-to option to mitigate risk has been to add another layer of security. So today, most large enterprise security teams are working with dozens of security products that are often poorly integrated. This complexity wastes significant time and resources. It’s becoming evident that, in many cases, the optimal path is to rethink how we’re addressing specific security controls and look for ways to reduce complexity – replacing multiple products with a new category because requirements have changed. Much like the first point, reimagining an entire approach and making decisions might be inconvenient in the short-term, but will help us in the long-term.
• Build for resiliency. The current environment has cemented the fact that defense is not a binary process. We cannot anticipate all potential attack vectors and scenarios, so we must build resiliency into our security controls and infrastructure. Cyber resiliency is a measure of how well an enterprise can manage a cyberattack or data breach while continuing to operate its business effectively. Again, it comes down to seeing security programs as enablers of business – even when under attack. Now that the initial rush to support a more distributed model is behind us, we have an opportunity to consider what work still needs to be done to further resiliency. Those proactive measures need to be central to any security program.
Intellectually, this all makes sense, but we also know that humans are used to doing things a certain way and our natural tendency is to continue down the same path. When faced with the initial crisis, we were willing to change for a short period of time, but how do we make these changes lasting? KPIs need to change to reflect the importance of resiliency and accelerated digital transformation. CISOs must be able to report to the board how security is enabling specific initiatives – for example, collecting data and storing and analyzing it in the cloud, or monitoring and managing manufacturing processes remotely – to achieve business outcomes and mitigate risk. When CISOs and boards align metrics and incentives with new priorities, they can sustain momentum.
Finally, technology providers and offerings also need to change to address shifting priorities and the distributed nature of business operations. We’re already seeing an uptick in activity, including:
• Increased ease of deployment, ease of use, and intuitive design. These have traditionally been challenges with enterprise security tools, but we’ve seen improvements in this area in the last few years and COVID-19 has certainly made these hard requirements.
• Leveraging remote access in transformation projects and delivery of services. In specific operational areas, such as production optimization, contractors who previously provided these services physically now need remote access to relevant equipment to support their contract and keep production lines running smoothly. We should expect this to become the preferred method for interaction, whenever possible, moving forward.
• Re-engaging in cloud discussions with a focus on how cloud-based solutions can be more secure, updated more easily, and new features added more quickly. When resiliency is a key objective, these benefits are highly valued. Given the new reality, solutions that are not cloud-native and don’t allow for easy deployment at scale will become obsolete, as customers demand flexible and secure infrastructure they can expand and upgrade quickly.
Security programs and technology offerings are indeed changing because of COVID-19, and it’s exciting to see security teams and business leaders build toward a more resilient, distributed future. It’s one of the silver linings of this situation, because when security is seen as a business enabler, as defenders, we all win.