CISOs will have to manage new security challenges in a post-pandemic world. Reconfigured workplaces and employee health considerations, as well as increased threats, have been foisted on organisations just as many security workers are feeling tired and stressed out, according to experts speaking at last week’s RSA Conference.
"When COVID first hit, we jumped in like 'we do insecurity all the time.' We went into firefight mode, and we're good at it, and we practice it," Helen Patton, advisory CISO of Cisco Secure and former CISO at Ohio State University, said. "We're hitting the cadence of this going on for so long. You can feel the stress; you can feel the overworked-ness."
More focus on work-life balance
"We've been running our folks way over 100 per cent for 18 months, and there's no end in sight to that,” Patton continued. “I think we have to get better at planning for the unexpected, which means planning for the team so that we're not burning them out."
The increased workload did have some upsides, Patton said. "I do think that as a result, we saw some good things coming out of it, which is just an appreciation for that work-life balance."
Many organisations stepped up during the pandemic to alleviate the increased workload on their security teams by offering perks and incentives to boost morale.
"We actually allowed people to come back to the office for mental health reasons," Patti Titus, CISO and CPO for Markel, said. "We invested in a product called Cratejoy where [employees working from home with children] got a box full of things for the kids to do. We were really thinking outside the box of how do we keep connected to our people when we're such a connected company, and we truly believe in the stronger together motto."
Laura Deaner, CISO of Northwestern Mutual, agreed that security workers were pushed to the brink but found the sense of community fostered during the crisis to be comforting. "It was great to see everybody coming together," she said.
Greater flexibility on where employees work
Although many employees are returning to brick-and-mortar offices, those spaces are different than they were before. "We did shelter in place and those kinds of things pretty rapidly," Bret Arsenault, corporate vice president and CISO of Microsoft said. "Over 72 hours, you go from a 10% remote workforce to 97 per cent remote. We were very lucky in the tech industry to be able to continue to work through most of the pandemic."
Now, however, health considerations are reshaping the environments that workers remember. "When we bring people back into the workplace, you have to have social distancing, sanitary environments, and all these other things that you didn't plan for," Arsenault said.
"There's more work and switching and changing offices and using technology to go do that and ensuring that you don't have four people sitting in the same office when they come in. We want to make sure to maintain the security and privacy of everybody in that space. It's a very different workplace to come back to."
Now that employees have adapted to work-from-home environments, not everybody will come back to their offices, making meetings and other get-togethers more challenging to organise.
"We're going to see a much more diverse timespan of work," Arsenault said. "People won't just work from home in their local town, they may move two hours away, or they may move closer to family. The idea of what's local, what's not, that whole premise is going to break up."
New requirements for collecting and protecting health data
On top of configuring office environments to accommodate best health practices, organisations will now be collecting a lot of health information from their employees. This data collection will require a new level of security protection and privacy practices that CISOs will have to incorporate into their jobs.
"It has really up-ended expectations about information that employers might expect from their employees," Aaron Charfoos, partner, Paul Hastings LLP, said. “Trying to gather some more information that was traditionally considered private will be something that we're going to need to do for the long-term.
Charfoos noted that the main challenges will be around determining the extent of the information that is truly needed, how best to collect and store it, and how to apply state and local mandates on the reporting of positive test results and contact tracing. “All of those are things we just didn't have to deal with before," he said.
According to Charfoos, 76 per cent of organisations have asked employees to notify their employers if they have been diagnosed with COVID-19, and 53 per cent have asked employees where their personal travel has been. Moreover, 35 per cent of employers have asked about household members' COVID-19 status, while 23 per cent of employers have physically taken employees' temperatures as they walk in the door.
The real question facing employers is to what extent they need to collect or keep all of this information.
"Do you need to be getting that information from your employees? Do you need to keep it? If you are going to keep it, how long are you going to keep it? Because if we're just going to get it and keep it forever, then that in and of itself could cause a number of problems," Charfoos said.
"Making sure that you're paying attention to how you're promising to protect the information is important in addition to [abiding by] the federal laws that deal with health care data [such as HIPAA, the Health Insurance Portability and Accountability Act]."
Threat actors increasing data exfiltration efforts
Ericka Johnson, Senior Associate, Squire Patton Boggs LLP said, the continued prevalence of work from home in a post-pandemic world makes dealing with ransomware attacks and other efforts to steal data more difficult. "COVID-19 has truly increased the cyber incidences we've seen. We're seeing threat actors now doing the two-fold attack: exfiltration of data prior to deployment of a ransomware attack and encrypting your entire data."
Organizations are also now more vulnerable to phishing and social engineering attacks. Johnson said she dealt with a case of a "very highly sophisticated" threat actor posing as the CEO explaining a complex real estate transaction. "This threat actor was able to speak the lingo."
In ordinary circumstances, the victim could walk to the CEO's office and confirm that they want to transfer, say, $5 million. "But because we're in a remote environment, it's just so much easier for these threat actors to exploit us using social engineering attacks."