The sudden move to telework this year imbued the word “challenge” with new meaning for security executives. Within a matter of days and weeks, many of these leaders had to figure out how they could rework their employers’ security policies in such a way that supported a massive shift to working from home. This period required significant ingenuity and unprecedented forward thinking, not to mention a deep understanding of their employers’ overall security needs.
We at Cisco wanted to find out the types of adjustments that security executives made in the wake of this challenge, as well as how these changes ultimately panned out for them. To get an idea of all this, we spoke to more than a dozen security leaders about their individual experiences. Here’s what some of them had to say.
Table of Contents
Mick Jenkins MBE | Chief Information Security Officer at Brunel University London
Having dealt in risk management all my life, often in life and death situations, the mantras came at me like a flood over the last few months: ‘Never let a good crisis go to waste,’ ‘Act early, move fast, and stay low,’ ‘Improvise, adapt, overcome.’ But there was only one mantra
that I knew would stand the test of an enduring campaign – a mantra often cited by my long-time mentor: ‘Always keep a half pint of goodwill with your people, you’ll never know when you’ll need to call upon it in a crisis.’
Crises are all about people and how people can react smartly to reduce any potential damage and harm. That’s why ‘train hard, fight easy’ was always a core principle for me, throughout a career full of crises.
We needed to do three major things: 1) Equip staff and students with the appropriate work tools, 2) overlay sensible security measures, and 3) train the workforce on the threats, then message them again and again. Engagement was key – a gentle ‘drip, drip’ of solid and sensible advice to keep their homes cyber safe.
Our story wasn’t a story of petals and roses, there have been some serious difficulties and lots of frustration – but if you work that well, and ‘hog the pain,’ it eventually leads to the fog lifting and people making a critical difference.
With great teamwork, and great leadership, magnificent things can happen. Never let fear get in the way of your dreams.
Sandy Dunn | Chief Information Security Officer, Large Insurance Provider, Idaho
@subzer0girl | (LinkedIn)
The unknown for our organization working remotely was a cultural concern instead of a technical readiness concern. Our organization has had the technical ability to work remotely in place for a while, but since we are a smaller, single state entity, the culture was accustomed to having meetings and serious discussions in person.
Prior to 2020, it was very common for people outside of IT to not even sign into a messaging client. You were forced to call, email, or walk to their desk to get a simple answer to a simple question. Working remotely has encouraged people who weren’t as familiar or comfortable with messaging and group chats to grow their technical acumen and adopt different communication practices.
Looking back, I don’t really have anything I think we should have done differently, but I am trying to navigate ongoing concerns with not being able to be with people in person.
Individuals all process high stress / high uncertainty differently, and since I’m not able to connect with my team in person, I’m not able to really “see” how everyone is doing. To remediate being unable to observe people in person, the team is making an extra effort to do mental health check-ins with each other, watching each other for symptoms of burnout or high stress, and adding video to our online meetings.
Quentyn Taylor | Director of Information Security at Canon for EMEA
@quentynblog | (LinkedIn)
I think the main thing to remember is that whilst this way of working feels new, it is only the volume of “home work” that is new. Many companies have always had people working from home from different locations and from on the road, and so to believe that this “new” way is totally different to how you were working before is probably wrong.
With that being said, there are two kinds of companies at this moment in time: those that have their email and collaboration tools in the cloud and those that are frantically trying to get the email and collaboration tools in the cloud.
So, my practical advice would be to ensure that you focus on getting the basics right. That means making sure that you have multi-factor authentication implemented to control access to all of your cloud resources. Making sure that you understand what your perimeter looks like. With everyone now working from home, your perimeter just got a lot bigger. Ensure that you have a way of patching your client machines even though they’re not on your network anymore. Alternatively, design your working practices so that you don’t need to worry about machines at the other end and whether they are patched.
Angus Macrae | Head of Cyber Security
From a technology perspective, whilst cloud services were pretty much born for this remote work world, most organizations are still in a hybrid way of doing things and will still run legacy, in-house services and systems traditionally accessed on-premise only. As few would have anticipated needing to grant large-scale remote access to such services at short notice, few would have had all the tools and capacity ready to do so both reliably and securely. This requires thinking on one’s feet and rapid, high-pressured upgrading and rearchitecting of various components and processes.
From a people perspective, not everyone has been fortunate enough to have optimal home environments to work from during the lockdown, and few companies will have had a chance to truly consider all of the mental and physical health implications of their dispersed and sometimes isolated workers. On a wider societal note, it further accentuates the digital divide often talked about between the digital ‘haves’ and ‘have nots’ and those whose work simply has to carry on in the physical world despite the health risks it currently entails.
Gabriel Gumbs | Chief Innovation Officer at Spirion
We decided early on that having a well-defined collaboration and communication strategy was key for the transition to remote work. That also meant ensuring we had a process for communicating early and often with our people. Our employees and managers made a more conscious effort to clarify roles and expectations as well as discuss progress with remote employees. Additionally, allowing employees to use equipment that they had access to in the office allowed for a smoother transition.
Efforts to centralize all pertinent company knowledge in one accessible library is also key to work-from-home success. Spirion’s CEO has done an excellent job taking the time to update employees on what actions the company is taking on a regular basis. And then, there are the fun social activities to bring everyone together online and keep morale up, such as after-hours trivia and virtual hangouts.
Andy Rose | Chief Security Officer at Vocalink
The need for 24/7 support of services had already driven the enablement of remote working at Vocalink, which is a part of the critical national infrastructure of the United Kingdom. The crisis therefore did not represent a large technical challenge. Staff fell into new working practices quite easily, and productivity remained consistent. Our parent company, Mastercard, had invested in increased VPN capacity and bandwidth as the crisis developed, so connectivity was available and stable.
Like many firms, our expectations of collaboration had been too focused on ‘in the office, in the room,’ and this new remote working model undermined that somewhat. The traditional voice conferencing facilities and instant messaging only partially met the requirements, so we had to rush to adapt and develop our online collaboration capabilities, introducing improved video conferencing capabilities and virtual white-boarding.
The reality is that we will never go back to the way we worked before. This digital transformation has been forced on all industries, and it’s highlighted how different work patterns can be equally effective. Time spent commuting long distances, for instance, could be better used by the firm to further improve productivity.
Ian Thornton-Trump | Chief Information Security Officer at Cyjax Limited
@phat_hobbit | (LinkedIn)
Try to be at peace with yourself and balance realism, optimism, and the achievable in your thinking. Above all, be patient with yourself and others. Take some time – a break in the middle of the day – to distract from the chaos that is permeating nearly every aspect of our days and nights.
I’m into exercising and gardening, and I just finished a book on the Templar Knights in the UK. (I’m planning an epic trip to visit as many of these ancient Templar sites as possible.) Stay in touch with your close friends and family, and be compassionate about folks in rougher circumstances than your own.
Ultimately, treat these extraordinary times as an opportunity to reflect on your life choices and career. As I look back on 25+ years in the industry, I know what I need to do next. I need to turn my knowledge into wisdom and create as many opportunities for the next generation of IT professionals as I can.
Michael Ball | Virtual Chief Information Security Officer at TeamCISO
@Unix_Guru | (LinkedIn)
After COVID-19 hit, it took us a little bit of time to adjust to having our workforce not in the office and being able to work from home. This abrupt change in work policy meant configuring our VPN and adding licensing for a significant portion of our workforce that had never required VPN access in the past.
We quickly scrambled to get the VPN clients configured and pushed out to allow the employees to take their devices home with them. There were issues immediately in training end users to use the VPN client from home as well as an issue with excessive permissions allowed on the VPN groups from the beginning. (Convenience and speed trumps security yet again!)
Another issue that we found and hadn’t anticipated was that many of the employees were able to conduct their daily work without ever connecting their VPN back to the company. Things like Office 365, Salesforce and other SaaS applications allowed them to conduct their daily business (email, etc.) without connectivity to our office. That unfortunately put us in a position where we lost visibility to those devices. We had not considered forcing the VPN connectivity so that we could ensure that updates and endpoint protection were updated and appropriate, and that device monitoring wasn’t completely missing.
We had to send out an email and request that each individual send their device back into the office. We then scrambled to develop a procedure by which to accept the devices, refresh them, and send them back safely to allow us to reconfigure and force VPN connectivity at least periodically.
Shelly Blackburn | Vice President, Global Cyber Security Systems Engineering at Cisco
Cisco is a bit unique. Due to years of driving remote work internally, Cisco strategy is not solely driven from a small, homogenous, geographically centralized team. We have a truly global team and hire from a diverse candidate pool.
Strategic Take-Away #1: Get your leadership excited about the value to your organization. Remote work environments enable innovation, opportunity, and drive growth.
In response to the pandemic, we moved customers from 100% face-to-face work to remote work very quickly. Some moves were done in a matter of days, and this worked surprisingly well. Due to the shift to social online tools in our personal lives, colleges, government entities, and businesses adjusted to video calls and collaborative online tools fairly seamlessly.
Strategic Take-Away #2: Don’t be afraid to make the move to remote work quickly. With the right tools and a secure remote environment, the company and worker satisfaction with remote work can be extremely high.
Thom Langford | Founder of (TL)2 Security Ltd.
What’s worked well for me remote working during lockdown? Well, actually, I’ve always been sort of a remote worker, even back during my full employment days. I was able to work wherever and whenever I wanted to mainly because the services that supported me (IT services) were based in the cloud and not fixed at one location.
I’ve carried on that model in my own business. So, it doesn’t matter where I am, although right now it’s obviously one single place. I can use whatever I need wherever I need it. That includes Office 365, Adobe, and even my pension and payroll services. They’re all managed through the cloud.
The one thing I wish I had done better actually was to prepare more for videoconferencing when it comes to face-to-face meetings. I’m someone who likes to travel to meet people, to have business lunches, and even better, business dinners with somebody, because that’s how I like to connect… That’s how we get to know and build a relationship with each other.
Now, of course, is very different. We have to use videoconferencing. It’s easy for me in a sense because the Office 365 package provides all of that for me. But I find it difficult to create an initial rapport. So, for me, the biggest change and the biggest thing that I wish I had done sooner was that cultural change, that one of actually being able to adopt to video conferencing quicker. I’m used to it now, and I’ve always liked video conferencing when there was no alternative, but it feels very forced, or at least it did when all of this first kicked off.
I’m spending the time, as much as I can, learning and picking up on things whilst I’m in lockdown. I’m trying not to waste any of the time whatsoever on superfluous activities.
Brad Arkin | SVP, Chief Security & Trust Officer at Cisco
@BradArkin | (LinkedIn)
Business has transformed virtually overnight to a greater emphasis on working remotely and collaborating virtually. We at Cisco are in a fortunate position to work effectively and securely in a remote environment, and have seamlessly transitioned 95 percent of our global workforce to work from home. Additionally, as the largest security company in the world, Cisco has protected millions of users since the roll-out of our free security offerings to support customers as they transitioned workforces to remote work.
This situation is a reminder that we need to be planful, agile, and constantly reinvent ourselves to keep pace with the needs of today and the future, as well as to anticipate the unexpected and unknown. The speed by which this situation arose and altered our approach to work, most likely forever, shows how important it is to be able to see around corners, to plan, prepare, and adjust for whatever may come.
We’ve all been forced to adapt these past months. Some of us found ourselves working from home for the first time. You can hear more about security leaders’ remote working experiences and advice in the clip below:
For additional perspectives on how employees can make the most of remote work, download Cisco’s eBook:
Adjusting to Extraordinary Times: Tips from Cybersecurity Leaders Around the World
Share:
Leave a Reply