Cyber risk is adaptive. As you reconfigure operations to function with much of your staff resources working remotely, your risk footprint, vulnerabilities, and threat vectors adjust and realign right along with them. So the question becomes: how adroitly will your defenses, detection capabilities, recovery, and remediation strategies address these risk opportunities? Cybersecurity employs numerous technical components. Those alone will neither define nor enable a cybersecurity program capable of preserving security continuity throughout the shift to a workforce largely working from home or elsewhere. Businesses need a strategy to embed cyber risk management and cybersecurity into their operating practices, methods, and behavior. Cyber awareness must be instilled as a core component of risk management’s foundation. It needs to become part of the business culture, particularly in a remote operational environment.
Aligned Cyber Risk & Security Operations For A Remote Business
Redistributing staff resources has likely not altered your core business mission in a dramatic way. Operational execution has changed. Cyber risk management and security need to create and sustain a hand-in-hand partnership with your new operating methods, while supporting the product, administrative, and service operations of your business. That’s not resolved just by placing these programs in the hands of IT departments under a CIO/CTO. If you are a service company, your service processes need to incorporate cyber risk and security best practices embedded in your training and, where appropriate, your customer awareness messaging. A software company needs to engage cyber considerations in product planning and development from the outset, not, as has often been the case, as a bolt-on afterthought of minimal or questionable effectiveness. Cyber risk expertise needs to be positioned to influence those core areas within your company. That’s a key part of alignment—avoiding a communication vacuum in a critical area. It’s an organizational design requirement. Cyber resources need to participate as equal, active players to establish and sustain influence. Two-way communication is vital. The good news is that none of this is hindered by a remote workforce operational model.
What is necessary is the immediate alignment of critical operating resource access; putting people in ready reach of the tools, data, communications, and other staff needed to perform business critical functions. Remote staff need to interact, from afar, with boots-on-the-ground services such as transport, shipping & receiving, inventory, or any third parties contributing critical components to core operations. [Third party risk management (TPRM) becomes most critical in a remote operation. Look to past blogs for more detailed specifics.] The communications infrastructure afforded by a near ubiquitous wireless internet capacity helps speed this transformation. Portable hardware, such as tablets, notebook computers, and smart phones add to the capabilities. Often this becomes a mix of personal and company devices. Some specific actions to support the migration to remote operation include:
- Expansion of any mobile device management software possibly in place, or the acquisition of such software for enterprises of over 100 remote devices
- Assignment of specific resources to be accessed through VPN
- Expansion of VPN resource capacity
- Tuning and configuring infrastructure monitoring technology to scan the extended perimeter and activities resulting from increased volume and nature of remote access activity; leverage any cloud-based security operations center (SOC) services you may have
- Select and implement/expand staff communication methods using COTS-based conferencing and collaboration tools
- Assure remote technical support for email, messaging, conferencing, and mobile devices
- Create a help desk specifically for remote working support for staff
- Enable remote support for clients and customers
- Leverage social media to promote all you are doing to support your staff and your clients/customers
- Communicate regularly to staff, client, customers, and partners; be transparent about challenges, timelines, delays, and efforts to provide services
- Leverage online video and collaboration sessions to deliver end user training and security awareness throughout extended remote operation. Follow up with exercises and testing to measure learning
- Develop and implement a work-from-home policy detailing best practices for device security hygiene and maintenance, including implementation of mobile device management (MDM) security solutions
- Migrate technology resources, data, history, SOC, perimeter monitoring and threat detection to the cloud
- Acquire, configure, and distribute company managed hardware to key operating staff to support turn-key remote operation on demand
- Establish ongoing staff training to inform policies, remote operating practices, tools, resources, and methods; continue to leverage online video and collaboration sessions to deliver end user and security awareness training on a regular basis
- Strengthen authentication practices to incorporate multifactor authentication for users and devices
- Migration of key backup resources to the cloud
Don’t Forget The People
Beyond collaboration tools, be sure to have regular online gatherings to evaluate successes, failures, challenges, and opportunities to improve and sustain remote collaboration towards the achievement of business needs. Use these and other meetings to gather and recognize achievements, celebrate accomplishments, and foster community. Build confidence in remote working, and identify key influencers to promote operational and security best practices.
Another aspect, of equal importance to influence, is building incentive, even in these times of remote operation and a depressed economy. This can also become a means to reinforce influence. You need the staff responsible for operating performance, whatever it might be, to want to involve, inform, and collaborate about new practices with cyber risk and security staff in whatever they are doing. This is not a technical challenge, but one of organizational development; a people opportunity. Building cooperation towards collaboration may take some effort. It’s useful to include incentives that encourage this behavior. Incorporating cyber risk and security too, so that remote operating behavior and results reflect that bond, reinforces senior management’s commitment to these practices. The critical outcome to be achieved is to ensure cyber risk and security are not operating in a vacuum, but enabling and reinforcing your remote operating practices.
Capitalize On Your Assets: Data and Human
Operating metrics, regulatory evaluations, audits, risk assessments, past incident root cause and remediation analyses, client/customer surveys and whatever else your company might gather all provide a rich but ever-growing data pile. You’ve likely spent a good deal of financial and human capital to refine the processes that produce these data and hone their validity, accuracy, and reliability, creating a very valuable asset. Using quality data analysis processes, tools, and methods should help you automate the identification and validation of strengths and weaknesses in your cyber security “armor”. Automation brings speed to processes, and reliable repeatability. Access by and to both is a key remote operational requirement. Great people and excellent data both fail to deliver results in the face of broken access management and communications. This is particularly true for cyber security. Companies considered leaders in cybersecurity are ones that are fastest in identifying breaches and remediating their impact. Extending your data analysis skills to enterprise monitoring and detection positions you to elevate your success and standing among cybersecurity and risk management peers and competitors. In a remote working environment, it’s particularly important. That’s a competitive advantage potentially yielding increased market share and revenue in reward.
People are arguably your greatest asset. Informed people are in the best position to maximize their talents and skills, generating the most value to your organization. The security and risk data analyzed into actionable information using a GRC solution delivers important nourishment to your skilled personnel. But in itself it’s not a completely balanced diet. Your cyber and security professionals, your IT staff, line and management personnel, as well as executive management must all be on the same page to assure resources are focused upon what’s important. Awareness training, new operating methods, realigned security operations and support all come together to provide input, experience, and new data to absorb. Use your remote collaboration and meeting tools to avoid silos and promote transparency across disciplines and operations.
Also, remember to educate your remote staff about securing documents; handling, storing, and destroying any remotely printed confidential material; securing memory sticks or other peripheral storage devices; and other seemingly traditional work practices that expose your data to inadvertent disclosure, leakage, or loss. Outside the confines of secure office spaces, and within the presumed space of one’s home, it’s easy to become lax and discard “scrap or work paper” or misplace convenient portable storage devices that might otherwise have been locked away or shredded.
Your data assets also contribute to your program governance in ways similar to their support for risk identification and remediation management. If your assessment and related data helped determine which threats and risks most significantly imperil your strategic goals and mission, they may also assist your leadership executives in governance. Tools can also point out which control practices are not being applied or are weakly followed. Determining what projects are being prioritized and where resources are allocated, monitoring the progress of new initiatives, and making certain the ones already mature remain robust and effective are all governance actions supported by the data from an integrated GRC platform.
Effective governance is an important component of strategic cyber risk management. Without it, there is no assurance that the most important matters, rather than the simplest or least expensive to address, are made a priority. Industry leaders work hard to preserve their foundational investments in awareness training, detection and preventative technologies, and compliance. Build upon your foundation to support new remote services. Leverage experience and knowledge in remote practices wherever you have achieved them.
Having the right information readily available to support whatever action may be needed, whether to strengthen a process or control, refine a detection method, or monitor recovery efforts, can be directly supported through comprehensive and integrated platforms such as SOC, GRC, MDM, and ERM. Cloud-based infrastructures add the flexibility to be independent of specific facilities and geographies. Conferencing, messaging, and mobile communications tools bind people together to assure opportunity for information exchange, distribution, transparency and clarity. This sustains remote operating companies. How does your company practice them today? How will you prepare to effectively manage remote services, including security, throughout 2020, and beyond? Embrace change. It always creates opportunity. Make it become a positive one for your company.
 INNOVATE FOR CYBER RESILIENCE: Lessons From Leaders To Master Cybersecurity Execution; Accenture; February 2020
“For instance, leaders were four times more likely than non-leaders to detect a breach in less than one day (88% vs. 22%). And when defenses fail, nearly all (96%) of the leaders fixed breaches in 15 days or less, on average, whereas nearly two-thirds (64%) of non-leaders took 16 days or longer to remediate a breach — with nearly half of those taking more than a month.”
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.