Flattening The Curve On Cybersecurity Risk After COVID-19

This article is more than 3 years old.

As corporate boards and CEOs fight the battle of their lives to keep their companies alive amid the COVID-19 crisis, they’ve also had to stiffen their lines of defense against hackers who look to take advantage of the situation.

Cybersecurity risk is on the rise, defenses are being challenged, and weaknesses are being exposed through widespread work-from-home practices. Like a general whose army is fighting battles on too many fronts, this is stretching and challenging leadership, management, employees, and cybersecurity teams like never before.

The gap between cybersecurity risk and defensive effectiveness is as wide as it’s ever been for most companies. Unfortunately, it won’t get easier once the pandemic subsides; it could get much worse.

I recently had the opportunity to interview Kelly Bissell, Global Senior Managing Director at Accenture Security, to get his insights on what he’s seeing.

Zukis: What’s the most important cybersecurity lesson corporate leaders are learning through COVID-19?

Bissell: It’s really brought into focus how critical it is for organizations to have real-time capability and adaptability of their cybersecurity defenses. Hackers looked for ways to take advantage of the COVID-19 situation immediately, as organizations had to implement work-from-home mandates in short order at a scale and scope not experienced before.

CIOs and CISOs have been on the frontlines of keeping businesses safely functioning during these times. It’s highlighted both the importance of the real-time nature of effective cybersecurity, how difficult it truly is, and the strengths as well as the weaknesses of many organizations’ cybersecurity practices for senior leadership.

Has there been a particular insight that sticks out that you’ve had or seen from a CEO or corporate board during these times?

There’s a big one that’s emerging. It’s the connection between what’s occurring with the pandemic and how leaders view cybersecurity and their entire digital business system. 

Business leaders are getting a daily lesson in large scale systemic failure during the COVID-19 crisis. They see and read daily how COVID-19 quickly spread around the world and how it is impacting economic, social, political, and their business systems. 

It’s a wake-up call in the complexity that exists throughout the world and a realization that CEOs and directors need to have a deeper understanding of how these complex systems work, including the digital business and the cybersecurity health of the entire organization.   

Is this helping with their cybersecurity efforts? 

It’s helping significantly in a few ways, but there’s one big issue looming.

It’s been an enormous help in getting CEOs, corporate directors, and the entire C-suite a lot more engaged, focused, and informed about what’s happening with cybersecurity and their digital business system. As everyone moved to work-from-home models, these issues were at the forefront. Phishing attacks using COVID and threat actors targeting remote work vulnerabilities are widespread. 

I think it’s also really helped business leaders understand the enormity of the job that their CIOs and CISOs face and the importance that these functions have on their business. For many organizations, their business runs off their digital capabilities — if the digital capabilities are not available, business cannot operate. These functions have never been more vital or more appreciated by leadership.

What’s the big issue that’s looming?

CEOs and boards need to start to think beyond the pandemic, and some are.

But that’s the issue. Business leaders are seeing how many of their systems failed and beginning to see that they need major structural reform. They don’t think going back to what they had makes much sense; they see an opportunity for massive levels of change and improvement. And many are realizing this won’t be their choice, it will be dictated by changes in consumer and public behavior, regulation, competitive shifts, you name it. The external forces of change will force a massive wave of disruption.  

This is an opportunity but also a big risk for them. Many of them know their digital business system is vital to helping them navigate this change. 

But periods of disruption, whether driven by good or bad circumstances, present opportunities for hackers. So that cybersecurity risk gap I talked about earlier between threats and defensibility isn’t going to close naturally; that curve isn’t flattening. New cybersecurity risks are going to continue to emerge, and defensive capabilities have to continue to try to stay ahead. 

A common question that a lot of board members ask is, “Are we spending the right amount on cybersecurity?” That’s the wrong question. The right question is, “What do we need to protect, what’s the value of what we are trying to protect, and how secure is it for what we’re spending?”

That’s their challenge heading into what could be massive waves of systemic change. The business value that their digital business systems drive is only increasing, and the threats to that value are only going to go up. It’s a really tough curve to flatten in this situation. 

Any final words of advice for a CEO or Corporate Director? 

A couple of vital ones.  First, digital success and failure starts at the top. The boardroom has an incredibly important role to play in every company’s survival during this crisis. They also have a critical role to play in every company’s digital future, including protecting it.

In every organization, the digital and cybersecurity tone at the top matters, a lot.  

So make sure you have corporate directors and a C-suite that understands what needs to be prioritized and can support in getting it done. Get new directors who understand the breadth of complexity within digital business systems, including cybersecurity. They are out there, and it’s a growing pool as many technology and cybersecurity executives are willing and more than able to join corporate boards. And train all of your board members and executive teams on these issues — help them, help you. 

Finally, don’t let up. Double down on the realization of how vital the CIO and CISO functions are to your organization. You’ve realized that these functions are critical in helping your organization get through this crisis. They are even more vital in helping you safely and successfully navigate its aftermath and prepare for the future.  

Thank you, Kelly.

The latest data from IDC shows that worldwide IT spending is expected to decline by 2.1% in 2020, down from an expected growth rate of 5.1% as of January 2020.

An April 1st OpsRamp survey of senior IT leaders indicated that 61% expect to accelerate their digital transformation initiatives as a result of the crisis. And leading the pack in funding prioritization by a fairly wide margin, 62% indicated that information security and compliance funding would increase.

COVID-19 has infected most of the world’s humanmade systems. The only silver lining in such a colossal systemic failure may be that systemic change offers a second chance — a chance to reboot and rebuild the systems that have failed us.

Unfortunately, protecting the increasing amount of digital value that will be created won’t get any easier.
