A CISO's guide to cybersecurity planning in 2020 and beyond

Fortinet CISOs Renee Tarun, Joe Robertson, and Courtney Radke share their advice on cybersecurity planning for the remainder of 2020 and beyond—including where to start, what to prioritise, and what to expect moving forward.


Q: In the first half of 2020, cybercriminals continued to exploit the global pandemic through phishing schemes. What are CISOs doing differently to protect against these threats?
Tarun – More emphasis is being placed on education and awareness for end users to ensure they know how to spot a phishy email and malicious links. Many organisations are starting to phish-test their employees to measure how prepared they are when they come face to face with these social engineering attacks. CISOs are leveraging network segmentation and network access control to maintain visibility and to limit the access that these devices have within the network.

Robertson – Companies need to use a three-pronged attack to protect themselves. First is educating and sensitising general and technical staff. The second is using converged network and security technology to contain threats that do get in; leveraging segmentation and micro-segmentation combined with artificial intelligence to detect and contain malware and keep it from propagating. Finally, a close examination of what is going on at the level of the end device with endpoint detection and response (EDR) systems.

Radke – Training and awareness have been top of mind for CISOs for some time now. Phishing awareness training, in particular, has always been an easy sell for value proposition and ROI. Email security features such as URL click protection, isolation and sandboxing help protect internal users from compromise and features such as anti-impersonation and non-repudiation techniques help protect internal and external users alike.

Q: The 2020 Remote Workforce Cybersecurity Report reveals that 30 per cent of organisations expect half of their workforce to continue teleworking full-time after the pandemic. What does this long-term shift to telework mean for CISOs?

Tarun – CISOs need to ensure that they have automated protection, detection, and response capabilities incorporated into their toolkits to address the risks associated with this new operating paradigm. They will need to be more concerned with visibility and control within their infrastructures, including protecting endpoints, mitigating insider threats, and ensuring secure access to applications and data regardless of whether it resides on-prem or in the cloud. In addition, to address the influx of network logs and events, CISOs need to leverage AI-based security operations to include event correlation with SIEM and automate orchestration and response with SOAR capabilities.

Robertson – One of the biggest tasks ahead of CISOs in the coming months and years is going to be to work closely with other parts of the organisation to instill a real culture of security. This means working even closer with the networking and application development teams to ensure a real convergence of networking and security, as well as getting serious about adding the “Sec” to DevSecOps. CISOs are going to need to spend time persuading and training every part of the organisation on what it means to be “security aware.”

Radke – CISOs need to have greater adaptability and keep an open mind when it comes to the changing dynamic that remote work brings. Regardless of when businesses get the “all clear” to return to the office, many are now asking the question “do we need to / should we”. There is a good chance that many businesses will maintain a hybrid/blended working model for quite some time, and some may never return to a traditional office model. CISOs must be ready for what this means for their overall security posture long-term and how to continue to protect their customers, their business and their employees. The key to doing this? Adaptability and an open mind.

Q: Recent Fortinet research examines the key investments that organisations are making in the next two years to secure telework long-term. What strategies are you seeing CISOs invest in? What are they prioritising?

Tarun – Some organisations were unprepared to have their entire workforces work remotely. After realising that telework is becoming the new norm for operations and not just a temporary solution in a short-term crisis, many organisations are looking to revamp their telework technologies to make them more robust and secure, especially as many organisations are faced with network performance issues. This also includes putting branch-like solutions, such as a next-generation firewall (NGFW) with SD-WAN capabilities, into the home offices of employees with high levels of access to data and the network, such as IT admins and executives. In addition, many CISOs are also investing in Zero-Trust Network Access.

Robertson – Every organisation that I have dealt with recently was in a different state of readiness for a black swan event like the COVID-19 pandemic. Some had to scramble to put in place plans they had already war-gamed, but most were blindsided and really suffered. So the priorities of each organisation are different, but they all fall into a few broad categories. First is to understand which employees are connected to the network and protect them.

Radke – I still see some companies struggling to provide even the most basic remote work functionalities. Scalable and adaptable VPN connectivity was often an afterthought, which created challenges when the flocks of remote workers started to access internal resources en masse, many for the first time. The downstream effects are many and very impactful. To account for changes in behaviour and the location of remote workforces (which is anywhere and everywhere), top of mind for CISOs are ZTNA (Zero-Trust Network Access) and SASE (Secure Access Service Edge), which are foundational to securing remote work long-term, critical to protecting businesses from increased risk for IoT, and should be integrated into CISOs' risk mitigation plans as part of the overall security maturity strategy.
