What does a brave new world, post-pandemic, mean for the CISO and their strategies? Clare Ward, Transformation, Security and Aviation Specialist; Joe Voje, CISO, Oregon Health and Science University; Dan Bowden, VP & CISO, Sentara Healthcare; Alejandro Becerra, Group CISO, Telefonica; and Jim Shook, Director of Cybersecurity and Compliance Practice, Dell Technologies.
Security in a crisis
“It’s been an unprecedented time for us in healthcare, in the US,” reported Dan Bowden. “We changed our model to adapt to the current state of affairs, converting to telehealth-only work for at least two months in non-urgent, non-COVID-19 related cases. That really stressed our digital and security capabilities.
“We looked hard at the controls we had to manage remote access effectively,” he continued. “We already had two-factor authentication, authorization and privileged access management across all endpoints, so our main objective was to review and test our capabilities so we would be comfortable with remote working in the medium to long term.”
Sentara Health had to work these through within a cloud environment alongside a far higher proportion of businesses than before—all because of the pandemic. It was an additional layer of tension. “We suddenly knew what cloud server disruption was like and we had to reconcile that downtime with the business needs, with executive management…”
Another healthcare provider, Oregon Health and Science University, had also expanded its digital and telehealth services well before the crisis, and benefited from the robust, mature security program it had put in place alongside them. What surprised its security lead, Joe Voje, was cultural.
“We saw far more willingness across the organization to cooperate with us,” said Voje, “and my aim is to maintain that level into day-to-day operations. The second thing I noticed is that we were far more comfortable with accepting more risk. I think it was because we knew we were directly saving people’s lives with our decisions.”
Head start for early adopters
From Telefonica’s perspective, even though it does not form part of a pandemic’s first line of defense like a healthcare provider, its infrastructure is vital to the everyday running of society. According to its CISO, it “had no downtime” and much of that can be attributed to the global business already being incredibly digitized.
“Almost every part of the business has experience with remote working,” explained Alejandro Becerra, “which made any cultural transition to mass remote working all that much easier. Of course, this year presented some specific challenges but we had a head start, if you like.”
The question CISOs should be asking themselves, then, is: what next? This year has undoubtedly shown businesses that they can move at speed when pushed, and that their CISOs are well equipped to match that pace. Claire Ward has extensive experience in the currently beleaguered aviation sector and put some of these considerations to the group.
“‘What can you do with fewer people?’” she began, “‘How will you do things differently? Can you collaborate more, can you buy in [new technologies] instead of DIY, can you do more with less?’ These are some of the big questions CISOs are getting and the answers won’t be simple.”