The impact of COVID and 2017’s NotPetya attack would appear to be completely different. NotPetya was devastating to Windows domains and systems in companies that were impacted. Domain controllers were down. Exchange, SharePoint and individual machines stopped responding and locked up with a request for ransom that couldn’t be paid. Without servers, business processes halted, and everything from manufacturing to services to support was impacted. Impacts were long-lasting, with recovery taking weeks and months. During recovery, organizations discovered systems that simply couldn’t be salvaged. Several organizations stepped back after a few months and stopped trying to recover some legacy systems and processes.
COVID itself has impacted zero servers, no domain controllers and no specific machines. The impact on individuals has been long-lasting, and sometimes devastating. Economic impact has been greatest in industries that depend on face-to-face interaction, or that require people to be in specific physical locations, like classified government work, meat processing and manufacturing. The impact of COVID has been felt more broadly than NotPetya, affecting people, businesses, economies and society across the globe.
COVID has accelerated digital transformation, focusing organizations on their need to become more modern and prepare for future competition. Initially, COVID pushed teams into remote work. By and large, the underlying business process systems weren’t really changed. Rather, organizations simply set up massive use of VPN-like technologies. Mostly this was a procedural change. Washing hands, wearing masks, putting up plexiglass dividers, checking temperatures and standing six feet apart hasn’t really changed most business processes. Some teams, like certain financial services, needed regulatory waivers and new controls to access applications that had been designed for specific business processes and physical locations, such as offices, data centers and production facilities.
Now, COVID has created a before and after inflection point. Before, many organizations were operating with an accepted level of risk. Note that cyber-professionals debate how well business leaders understood the prior level of cyber-risk being accepted. Shifting to remote work added a significant level of cyber-risk. Besides expanding the perimeter, remote work put more information outside corporate buildings and co-located with information from other businesses (think roommates and significant others sharing apartments, houses and networks).
With digital transformation, significant new cyber-risk and a long, slow recovery from the impacts of COVID on professional and social interactions, now is the time to re-think the deployment of limited resources against accumulated and future cyber-risk. It is time to turn the focus of cybersecurity efforts toward reducing future cyber-risk. Use the organization’s investments in digital transformation to deprecate legacy systems and reduce accumulated cyber-risk.
Cybersecurity leaders should begin pushing their technology and business counterparts to start thinking about the future. Moves to the cloud for infrastructure, platforms and services are accelerating. New pressures from remote work, social distancing and business process changes are real issues and show few signs of going away. The time is ripe for a forward-looking cybersecurity transformation.
Building on three pillars (working remotely, shifting workloads and processes to the cloud, and transforming businesses), today’s cybersecurity thought leaders must focus resources on future needs, fixing legacy systems only when those systems are critical, long-term business assets. Implementing this transformation follows five common themes.
· Partnership. Leaders get pushed and pulled in many directions; CISOs need to reach across organizational boundaries and engage mixed teams to do something new. CISOs and their teams must engage digital transformation leaders in IT and business, partnering to integrate security throughout transformation projects. Cyber-risk management and metrics have to be integral to every transformation effort, or else teams will keep piling up cyber-technical debt.
· DevSecOps (and application security). CISOs need to invest in building security into applications, including threat modeling, static and dynamic testing, fuzz testing and more, integrating security into Agile sprints and other development processes. With every company’s future dependent on cloud-based applications, the CISO’s resources and team capabilities are critical tools for future risk reduction. Investment has to find multiplying effects through partnership, tools, processes and training. Together, developers and security can enable the business while reducing and better managing cyber-risk.
· Build versus buy. The long tail associated with building your own applications gets bigger, thicker and longer with cloud-based applications. From both a security and business perspective, organizations should revisit their competitive advantages, carefully considering the impact of deciding to build applications.
· Cloud platform security. The CISO’s team needs to understand the security options, implications and solutions for each application and solution platform. This applies equally to IaaS, PaaS and SaaS solutions, and especially to private and dedicated cloud solutions specific to individual companies. Cloud’s shared responsibility model means every aspect of security operations has to update existing processes and incident response playbooks to cover anticipated issues. Security and resiliency can be enhanced in the cloud, if investments, choices and solutions are well documented and tracked.
· Automation. Most aspects of security in cloud services should be automated. Scripts should enforce prescribed guidelines for creating administrative roles and configuring security options whenever new resources are instantiated. Automated builds should incorporate sensors for application feeds, logging and other data delivery to security operations, so that monitoring and detection are in place from the start. Early investment in building processes and documentation that automate security will have long-term payoffs, as these solutions are built into new applications.
· Reporting. The CISO, team and partners need to anticipate and build reporting that shows the value of these investments. Metrics should show the risk reduction, speed to market, business value and other aspects that demonstrate return on investment from supporting transformation with security. Shifting to transformation-focused security brings the metrics and reporting discussion to the front, so that new systems are designed and built with the end (measurable value and risk reduction) clearly in mind.
Focusing on critical business systems was a key lesson of NotPetya’s widespread impact inside affected organizations. COVID is an opportunity to apply that lesson to digital transformation and security investment. By focusing on critical business systems, cybersecurity teams and investment can reduce future business risk and demonstrate the value of their work.