Harrison Lewis is the CIO of Northgate Gonzalez Market. His post originally appeared on LinkedIn.
With an uptick in ransomware attacks and security incidents since the outbreak of COVID-19, the current crisis is shining a light on the gaps within corporate security strategies.
Many organizations have faced the dilemma of compromising security for business continuity, relaxing their security posture to keep the business going and enable employees to work from home. In addition, with the advent of artificial intelligence (AI) and machine learning (ML), attacks on corporate networks have become more sophisticated, demonstrating once more that the old dogma of having your own security appliances onsite and being responsible for patching them is not an effective measure to protect your organization.
I can’t recall the number of times I have spoken to peers who had just experienced a breach or were going through a ransomware attack that was preventable. More often than not, the absence of action can be attributed to a lack of awareness of what is possible today. I strongly believe that the solution to protect our organizations from devastating security incidents is twofold.
First, we need to change the way we think about security breaches: it is not a question of if but of when they will happen. My secret to driving this cultural shift within an organization, both at the executive level and within the IT organization, is to use the power of storytelling to help people realize and understand the importance of security. Only if you take current examples of incidents and educate your leadership team on why and how they happened, and why your organization is or isn’t protected against similar breaches, will you change their perception of security over time.
How we see ourselves as executives of an organization also influences how and what we communicate. First and foremost, we are businesspeople with the goal to help our businesses be successful. Each of us has an area of expertise in our own discipline, be it finance, operations, sales, marketing, IT, etc. And within this ecosystem, the CIO bears the responsibility of communicating the importance of fortifying cybersecurity measures to the rest of the leadership team.
A common roadblock to getting the entire team on board is jargon, or more broadly, the inability to show fellow leaders how security is intertwined with the company’s daily operations. Storytelling is a great solution to this because it’s a way to make otherwise unfamiliar and complex topics approachable. Stories allow people to relate to a subject and shift their perspectives to think ahead. For example, imagine you are driving, and a car passes you. A few minutes later, you see this same car parked on the side of the road after getting into an accident. Seeing how narrow that window was, you would naturally start to think, “What if I had been the car involved in that accident?” and, if you had been that car, “Is there anything that I could have done to prevent this accident?” or “How would I respond if I were in that situation?” Similarly, your role as the CIO is to be the person who brings those “what if” considerations to your organization, to get everyone thinking about a potential situation. If you continuously communicate examples of incidents and the impact they have on an organization's business, making security a business discussion, your peers will gain a deeper understanding of the importance of security for overall business success.
Second, organizations need to invest in hosted cloud-security solutions. The times of procuring, managing, and maintaining security appliances are over. Instead, we need to look at cloud solutions that can scale easily; can leverage massive computing power to apply AI and ML, which is impossible to do in your own data center; can protect all users and applications regardless of their location; and are close to the edge to guarantee a fast experience for our users.
By using a hosted service, you can significantly reduce your risk by lessening the latency between the discovery of a new vulnerability and the time at which you are protected against it. A cloud security provider, such as Zscaler, will be informed about a new vulnerability faster and can immediately protect its customers from it without having this trailing effect of your organization identifying an enhancement or patch, communicating it to the right person and hoping this person isn’t busy patching other vulnerabilities. Leveraging a cloud security platform will also help with the skills gap the industry is experiencing. By moving to a cloud security service, your staff can shift its focus to value-adding projects instead of chasing security patches.
I have implemented the Zscaler platform to increase security posture, protecting all our endpoints with the same high level of security at any time and location. For my organization, this meant a significant transition from initially trying to fit Zscaler into our legacy paradigm to now having transformed our network and taking full advantage of the platform.
Making a shift like this means changing the culture of your organization, influencing the way your leadership team thinks about security, and adjusting the roles and responsibilities of your IT team. But with constant, clear, and comprehensible communication and the power of storytelling, you can effectively drive this transformation.
While the pandemic may have been a catalyst for many organizations to rethink the way they approach security, we should not return to our traditional security approach post-COVID-19. Once employees return to their offices and business travel resumes, people will still continue to work outside the “traditional perimeter” as road warriors have for quite some time. It is on us as IT leaders to ensure that we continue to highlight the importance of changing the way we approach security so that the businesses that we serve will not suffer from security incidents but prosper instead.