COVID-19 has impacted the work-life of millions, including cybersecurity professionals. Although good cybersecurity is built on anticipating threats and defending against what could happen, no one expected the total upheaval to everyday work structures. Cybersecurity teams are challenged to protect networks, devices and data accessed remotely while working remotely themselves.
(ISC)2 conducted a survey of cybersecurity professionals to learn how COVID-19 and stay-at-home orders have impacted their work lives, as well as some of the issues in securing a remote workforce.
“The goal of the survey was to take the pulse of the cybersecurity community as many of their organizations began to shift their employee bases and operations to remote setups in March and April,” said (ISC)2 COO Wesley Simpson in a formal statement. In conjunction with the survey results, (ISC)2 released a webinar looking at what has been learned so far from COVID-19 from a security standpoint.
Three-quarters of the 342 respondents said their job has changed since COVID-19 came on the scene, with 35% stating that their cybersecurity job duties changed significantly. One of the biggest changes is the work-from-home mindset, and nearly half of the respondents said that at least some of the change included being moved from some or all of their security tasks to help out with other IT-related tasks such as setting up mobile workstations. Webinar panelist Kris Rosson, IT security manager at Chumash Casino Resort, said the culture of his workplace didn’t encourage a remote workforce in the past, but the virus changed that overnight. They had to scurry to get everyone the equipment they needed and ensure software licenses for these new devices quickly.
While the companies themselves were split surprisingly evenly on a total remote workforce versus a partially remote workforce, the vast majority of security professionals said they are working from home. Those who aren’t tend to be in industries such as health care, where they are considered essential to keep the networks running safely or their tasks have to be done onsite. In some cases, security staff is rotating shifts in the office so there is always someone keeping an eye on things while acknowledging social distancing.
Although there has been some spike in security incidents, most reported the number of incidents has been about the same since work-from-home became the norm. The vast majority of companies view cybersecurity as an essential function right now, but responses are mixed when asked if they have the necessary tools to securely support a remote workforce and if they are able to utilize best practices.
The survey allowed respondents to make comments. One comment pondered on the idea of a new workplace normal after stay-at-home orders are lifted and businesses begin to reopen their doors. “Many staff will continue to be remote even if they can return to the office,” the commenter said. “Many systems were quickly implemented to allow this capacity to work from home. It is not all bad. It will just be different.”
However, webinar panelist and CISO at FXCM Erik von Geldern said he thinks the new work-from-home model has leveled the security playing field. Von Geldern worked remotely before COVID-19. Now, he said, he’s become more accessible to other employees in the organization, who in the past felt they couldn’t approach him because they didn’t have in-person interaction with him. “There’s been a shift in the openness in the conversation,” he said, “because, in communication, we’re all using the same set of tools.”
Another response from the survey pointed out that security professionals are now being looked at as creative problem solvers and risk managers in new ways. John Carnes, an information security architect, said during the webinar that while his company made the transition well, he knew of one company that pushed to get everyone out of their offices quickly. “They had an in-office crash course to get them switched over to VPN and turning firewalls on, and literally making those changes on their own computers and packing them up,” Carnes explained. These professionals can’t do their job on a laptop, so there had to be creative and quick thinking by the security team to be able to allow the employees to keep working on their regular work computers.
But when you move so fast, you forget a lot, too, Carnes added, so that has required some creative thinking. Moving quickly and moving methodically doesn’t have to be mutually exclusive. It’s a matter of stepping through things and getting answers quickly, but it is important to follow good practices and procedures.
COVID-19 is nowhere near contained and the cybersecurity pros understand this remote work model is going to go on for a while. To get the most from this experience, keep a diary and take notes about what is working and what isn’t working. Learn from the crisis to see how to better improve work-from-home security and be prepared for these sudden shifts between the office and home. When we return to somewhat normal, let’s learn where we landed and where we came from to keep employees and data safe and secure.