Our CISO Live, US expert panel discusses battling the changing cybersecurity landscape and how to emerge stronger after the pandemic
- Bernd Huber, CISO, SC Johnson
- David Monahan, SVP, BISO, Bank of America Merrill Lynch
- Grant Sewell, Head of Information Security & Privacy, Safelite Group
- Sandy Silk, former Director, Information Security Education & Consulting, Harvard University
The Cybersecurity Challenge
Almost every information security professional experienced similar challenges in 2020. As a result of the global Covid-19 pandemic, which necessitated an unprecedented shift to mass remote working, organizations of all shapes and sizes were forced to rethink their approach to cybersecurity.
Not only did businesses have to work quickly to drive awareness of remote-work-specific threats, but they had to ensure that cyber protections remained in place for those that were moving outside of the trusted office network. For many, this saw the acceleration of digital transformation projects, and for others, the unexpected shift to homeworking has even enabled them to improve the diversity of their cybersecurity teams.
During our recent CISO US Live session, our panel discussion looked at information security roles across a variety of industries, including training and education for non-security employees and how the global pandemic could help teams to become more diverse.
For Bernd Huber, CISO at SC Johnson, an American manufacturer of household cleaning supplies, the coronavirus pandemic was one of the biggest challenges his company has ever faced.
“It has really driven a lot of change through the organization,” Huber says. “We have a traditional network, and we’ve switched from mainly in-office work to working from home. How do you make that seamless, effective, and how do you make it work without affecting the user experience? That was a big challenge for us.”
While Safelite Group, a provider of vehicle glass repair services, already had a largely mobile workforce due to the nature of the automotive industry, Grant Sewell, Head of Information Security and Privacy at the firm, said they also had to undergo the challenging task of transforming parts of the business from office-based to fully remote.
“Our business is extremely mobile for the most part. However, we also operate call centers, and we had to figure out how to do that securely from home and with personally-owned devices,” Sewell says. “We also saw supply chain impacts. I personally turned in my laptop so it could be given to our most essential workers, and I became a BYOD user.”
While Bank of America faced a similar challenge in fully mobilizing its workforce, particularly given the highly regulated nature of the industry, it also faced another unexpected issue as a result of the pandemic.
David Monahan, SVP of Bank of America, explains: “One of the biggest challenges we faced was our data center projects. We needed people in locations to install equipment, but people weren’t able to leave their houses, so there were a few projects that had to be very carefully managed in time. When you don’t have those hands on the racks, it was a very large unexpected challenge for us.”
Sandy Silk, former Director of Information Security Education and Consulting at Harvard University, says that while academia has been the target of an increasing number of security threats during the pandemic, her organization was well-placed when the pandemic struck.
“We were in good shape already,” Silk says. “Our systems have been put to the cloud, and we had two-factor authentication already in place, so we were in a good place for remote work. However, we had never anticipated going fully remote for classes, and attending class became virtual for everyone – faculty included. We also did the last few things we hadn’t digitized yet – such as the paperwork for international students.”
For many organizations, the Covid-19 pandemic has been a major accelerator for digital transformation projects. SC Johnson, for example, used the crisis as an opportunity to push ahead with several projects – and even found its approach to business has changed as a result.
“From our perspective, Covid has been an accelerator and a good opportunity,” says Huber. “It allowed us to deploy digital security capabilities on the mobile endpoints, so for us, it was a good way to enable numerous initiatives. It also helped us to change some previous behaviors to be more disruptive and try different ways to drive outcomes.”
Sewell’s company accelerated its in-house cybersecurity training to ensure employees across all parts of the business knew how to spot the risks while working remotely.
“The biggest thing we accelerated was educating our workforce about how to work from home securely, and the scams they should be aware of,” Sewell says. “We saw lots of email security issues, and we accelerated a lot of different initiatives about this.”
Monahan also accelerated employee training as a result of the pandemic. Not only has this ensured that workers are aware of all of the required regulations – but it’s also made them more internet-savvy when outside of work.
“Being a regulated unit, there’s also a significant amount of required training: it’s online, it goes into their profile every quarter, and you have to complete it,” Monahan said. “Every one of those 15-25 minute snippets has a test at the end, and we track that very precisely. It’s very regimented in the financial industry.
“98% of people that we polled found that the training they receive at work helps them to be better internet citizens at home,” Monahan concludes. “And that helps us in the business justify the spend.”
Not only have workforces become more cyber-aware as a result of the pandemic, but they’re also becoming more diverse. Our panel believes diversity is critical to ensuring an effective cybersecurity team, but all think there’s still plenty more work yet to be done.
Silk believes that to promote diversity, employers should be less concerned about qualifications and more focused on enthusiasm and willingness to learn.
“I think to ask someone to have a particular piece of paper is not the same as asking them to have skills in a particular environment. You have to have communication and cooperation skills because it’s a team sport. I would love to see less focus on degrees, let skills be the focus.”
Safelite’s Grant Sewell agrees: “I couldn’t care less about education formally, I want people that are enthusiastic and have diversity of thought. I want to see people that are going after certifications because they want to prove themselves and learn more – there’s a good value in certifications, but they’re not everything. The best teams I’ve had have been diverse teams because they challenge each other.”
Monahan adds: “The remote workforce is here to stay, and if you don’t have your program adjusted accordingly, you need to make sure you can accommodate that. People want to be remote now – it not only gives them a lot more life flexibility, but it gives the business the flexibility to hire a workforce that they wouldn’t have had access to previously.”