Why People, Processes, and Technology Cannot Change in Isolation

Since 2004, October has been designated by the National Cybersecurity Alliance as National Cybersecurity Awareness Month (NCSAM). Immediately, the mind wanders to supercomputers creating unbreakable algorithms against adversaries with unlimited compute power. This virtual landscape is happening today, and the arms race on both sides is something that we will have to grapple with for the foreseeable future. Before I get too cute with this article, do understand that it is important that the good guys forever try to create technologies and friction ahead of the bad guys. 

However, coronavirus has retaught us one fundamental—in cybersecurity people, processes, and technology must develop in parallel. 

Think of what happened: there was a mass stay-gration as workers, students, and administrators who usually went to offices and schools were suddenly forced to conduct activities from home. Obviously, this affected people, processes, and technologies. From a technology perspective, many outcomes were immediate—because they had to be. Companies were forced to build connectivity platforms, including video conferencing. VPN became an on-premises at-work construct to now include computers at home and offsite. Identity and access management became more important than ever. And cybersecurity teams had to have immediate visibility over a new disaggregated network. A concerted movement into digital transformation was hastened out of necessity. 

Processes also changed. In the cybersecurity center, often one professional could talk directly with an adjacent department, over a cubicle wall perhaps, but that intimacy has been eliminated. In many office environments, the IT staff did everything from the ethernet cabling and enabling password access to creating firewall rules. In the new world, even transporting on-premises IT processes to the cloud or moving IT from a physical location to a virtual one required new tools and procedures. Companies acquired tools for specific use cases but may not have had the proper training in implementing them. Any new processes still had to pass muster with regulators, protect customers and employees, and avoid creating new exposures for an adversary to compromise.

The danger of the human element

The most interesting element of this transformation has been the “people” aspect. Professionals who rarely did their jobs remotely had to learn to be productive at their homes. And because this evolution was happening during a pandemic, the family unit was confined to the house 24/7, often with each person sharing and fighting for bandwidth.

The human element is also potentially the most dangerous vulnerability. Think about it: a person who worked at an office may have had little opportunity or incentive to leave the VPN, but now must mix business and personal workflow. Often an employee needing to access something that is being blocked will turn off the VPN and create a workaround. A new announcement about a COVID-19 treatment prompts the same person to seek information, often misemplopying their business PC. 

The pandemic has also yielded other good learnings. This is what we are finding out:

1. Companies typically thought of IT, operations, cybersecurity, compliance, and risk separately. The pandemic has forced them to realize that these areas are inextricably tied together and to streamline tools and processes.
2. As a corollary, if security, risk, and operational technology are viewed as a singular business continuum, an additional benefit is realized. If a company can standardize as much as possible on common platforms, it gains economies of scale. Fragmented processes such as patch management, new firewall rules, and IT/security workflow mitigate the mean-time-to-detect and mean-time-to-respond to alerts and incidents. 
3. Processes have to be portable and easy to replicate. From the standpoint of security, incident triage has to lead directly into a playbook, and the playbook has to lead into a defined workflow and a measurable outcome. 
4. Understanding risk is the required of all disciplines. Obviously, certain assets are more valuable than others. Personally identifiable information (PII) has to be protected at all costs because the liability incurred has legal ramifications as well as the potential to incur a great loss of reputation. Companies have to consider ingress/egress, identity, and the value of the data protected in the same fell swoop and continuously.

Perhaps the most important lesson may be this: Despite all good intentions, plans fall apart. High level board meetings are disrupted by screaming kids and barking dogs; access to business links are cutoff from reasons ranging from lack of bandwidth to power outages to application unavailability; and productive workers are stymied by network protocols. The great gift of empathy, always evident from afar, is now needed more than ever.   

Want to learn more about the changing environment? Download the new SolarWinds sponsored IDC research: Accelerating Transformation with Security and Operations Collaboration Best Practices

Chris Kissel is IDC Research Director, Worldwide Security & Trust Products