Businesses have been moving towards automation and remote work over the past few years, but digital transformation has been greatly accelerated due to COVID-19. As Microsoft CEO Satya Nadella recently put it, “We have seen two years’ worth of digital transformation in two months.”
As working remotely becomes the norm for organizations worldwide, it’s important to keep in mind that just four months ago, companies made fast, overnight decisions to shift to a remote and virtual environment. What might have seemed like temporary changes to get through difficult times are now processes that should be well thought out and implemented, prioritizing security during accelerated digital transformation efforts. While business strategies take new forms to accommodate the new virtual economy, it’s on security leaders, particularly an organization’s CISO, to ensure information assets and technologies are adequately protected.
A Shift in Priorities
The CISO has likely been working tirelessly throughout the pandemic to help secure a new, remote workforce. Moving forward, CISOs will need to ensure that the proper security protections are in place for many different types of software, applications and devices, as well as how they are accessed. It is their responsibility to ensure response measures that were put in place quickly are now robust and enterprise-grade. This will likely require a shift in prioritization — let’s explore:
Prioritize Popular Workplace Software
The software employees rely on the most differs based on their working location. For example, when an employee is remote, virtual meeting software is used daily to communicate with co-workers. There are now heightened concerns about meetings taking place online that used to be protected by four walls and a door. Ensuring that virtual meeting platforms are secure from both a network and a software perspective is necessary.
Prioritize Cloud Computing Infrastructure
Employees need secure access to information, especially when outside of the office. Another change that will be essential for business continuity is the adoption of cloud-based infrastructure that is accessible from anywhere. Many organizations are realizing the potential of cloud to rapidly scale and also deploy new services, particularly in terms of remote working. Yet, according to KPMG and Oracle’s third-annual Cloud Threat Report, 92% of IT and security professionals do not trust that their organization is well prepared to secure public cloud services. The adoption of cloud computing requires a company to prioritize implementing a strong security framework and foundation in order to protect business assets stored online from theft, leakage, and deletion.
Prioritize Communication of Key Policies
Procedures and policies need to be clearly communicated from the CISO, now more than ever before. One area that will get a lot of attention in the post-pandemic virtual economy is data-at-rest and data-in-transit policies. With virtual work, what is and isn’t acceptable must be clearly articulated for employees and developers alike. Unless this is clearly defined and communicated to virtual workers, there will be a significant risk of data being compromised due to insecure transit or storage practices. A successful defense for corporate and private networks depends on good policies, on educating individuals so that they follow them, and on enforcing those policies consistently.
Security is in Everyone’s Job Description
Shifting back to in-person office work environments will be one of the last things to return and many employees are likely to take a hybrid approach to office work, meaning they will mix working from home with being in an office week to week. All employees should be well trained on software-related security concerns and what is expected from them in both the office and at home. One way to mitigate employee risk is to provide special training for developers and security staff, and take the time to address the root cause of many software-related security issues: security awareness. This can be achieved in a few ways, but one of the most effective tactics is to ramp up secure coding education programs. Utilize interactive, gamified components to keep employees engaged and entertained, and deliver lessons in short, frequent bursts to keep security top-of-mind in their daily operations. More broadly, address security throughout the entire organization, pointing to security best practices for staying safe while remote. At the end of the day, security is everyone’s job, not just that of a few individuals.
The pandemic has taught us that software is essential as we adapt to new ways of working and living. While mandated work from home was necessary in the spring, software platforms provided the only means by which businesses could continue functioning. Software, on both the web and mobile, has allowed the world to continue to operate in a somewhat familiar capacity – we continued to work, to attend school, to shop, and to be entertained online. Many are seeing this shift to remote work and a virtual lifestyle as the new normal. With this cultural shift comes an increased dependency on software, which heightens the critical need to ensure these platforms are trustworthy and secure. Without secure software, business and social activity would come to a halt. It is the CISO’s responsibility to recognize that digital transformation efforts are not temporary solutions, but the future of work.
About the Author
Matt Rose is the Global Director of Application Security Strategy at Checkmarx, a software security company. Matt has over 18 years of software development, sales engineering management and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure software development life cycles utilizing static analysis. Matt’s extensive background in application security, object-oriented programming, multi-tier architecture design/implementation, and internet/intranet development has been key to many speaking engagements for organizations like OWASP, ISSA, and ISACA.