Cyber culture in the time of COVID
06 April 2020
The shock, the dance and the new normal.
It may not have been the virus that they planned for. But CISOs around the world have certainly risen to the challenge of the coronavirus crisis. And this is a crisis with an over-abundance of challenge.
There have been the immediate triage efforts: minimising disruption, assuring continuity and securing a vastly expanded remote working infrastructure. Then there are the third parties to be assessed for WFH readiness, SOCs to be appropriately staffed and SIEMs to be reconfigured.
But amid all that frenetic pivoting, who has time to worry about culture?
Well, it seems that you do.
One of the many surprises for us over these first few weeks of lockdown and workforce dispersal has been how quickly the CISO community has prioritised the people side of information resilience. Requests for help with training, awareness and comms to deal with the new working from home reality have soared at TSC.
Today’s CISO is evidently deeply aware of how critical staff really are in supporting organisational resilience in the face of cyber threats. And the rapid flip to working from home has seen those threats rocket. Attack surfaces have broadened massively, while threat actors have swarmed to newly opened opportunities for exploitation.
Whether it’s phishing, smishing, vishing or watering holes, cybercriminals are playing hard on fears and insecurities around the virus, to good effect. Once again, they’ve demonstrated their own adeptness in working to an agile business model. Adapt and thrive, indeed.
An immediate response from the cybersecurity team may have been desperately needed at the outset. But, as we’ve so often been reminded over the last couple of weeks, we’re in it for the long haul. And at the end of all this, it seems unlikely we’ll be ‘getting back to normal’. Instead, we’ll most likely be trying on ‘new normal’ for size.
Our cybersecurity culture will probably never be the same again.
The journey from ‘here’ to ‘there’ can seem clouded by the fog of immediate crisis, so perhaps it would be helpful to break our evolving cyber culture journey – and ideas around how best to support it – into three phases:
The shock. The dance. And the new normal.
The shock: relocation dislocation
There’s no doubt the sudden eviction of staff from corporate office to the home sofa has been a shock. It undermines the foundational layers of Maslow’s hierarchy of needs – especially safety and our physiological needs. Some have even seen the need to add a new founding layer to that hierarchy.
Your staff, right now, are desperately trying to regain a measure of control over their sense of personal and family security, even as they’ve become cut off from the huge source of belonging centred on their place of work.
The effect has often been almost as traumatic as a bereavement. And, just as with the sudden loss of a loved one, there’s a rollercoaster ride of potential emotions. Shock, denial, depression and confusion for some. Acceptance, bursts of energy, even a kind of exhilaration at handling life in an emergency, for others.
Understanding this emotional landscape matters. Because what staff will be looking for most from the organisation is reassurance. Shoring up their sense of security. So, while it’s vital they are made aware of the potential new threats, and of the importance of secure WFH behaviours, the tone of such messaging is of huge importance.
Try to leaven the talk of rising threats with pragmatic steps and tools to help staff overcome them. Make sure you provide them with ample opportunity to connect to the information security team and give your security champions plenty of support. They are coming into their own now that coffee machine chats with the office ‘security bod’ are no longer an option.
It may also be worth thinking about whether this is a good time to run simulated phishing. With stress levels high and staff feeling disorientated, adding the burden of your own phishing tests may be a nudge too far, and a simulated lure that plays on the pandemic itself risks eroding exactly the trust you are trying to build. At the very least, the communications and interventions around any such campaign must be sensitive to the pressure staff are under.
Above all, make your language supportive and not overly prescriptive. Helping staff to adapt, to become grounded, showing them how to work safely in the home environment – all of this will build up those resources of trust so crucial for the long haul.
The dance: flattening the curve of cyber risk
There has been much talk of the current lockdown ‘flattening the curve’ when it comes to managing the risks of COVID-19. But experts reckon that, after the first peak recedes, there will be an extended period of relaxing and then reinstated social distancing measures. A dance, if you will.
We could be in a dance with coronavirus curves for many months after the current global lockdowns are eased somewhat. This means planning for cultural adaptation to our new working practices should be an expectation for much of 2020.
But we can’t adapt until we understand. We need to quickly measure how these revised ways of working are embedding and rapidly identify novel patterns of risk around personal behaviour. This is where agile cultural intelligence will be critical.
Fast-track mini-surveys to sample behavioural risk among high-risk groups. Run remote focus groups and dip-sample interviews to reveal areas of staff concern. Use these to drive evidence-based reworkings of the policies and technologies that support secure remote working.
Above all, with organisations facing critical challenges to their business and operational models, it’s vital to get across the message that cybersecurity is foundational to surviving the corona transition.
That messaging, though – especially with the senior leadership team – needs to be carefully calibrated. Yesterday’s worries about cyber impacts from fraud or concerns about data privacy may be brushed aside when the business is in the midst of a crisis.
What matters to every organisation in this phase is maintaining that vital thread of continuity. And that relies, more than ever before, on protecting and preserving operational resilience. If you can explain to the board the potential for malware to bring down the VPN – crippling secure access to core information assets – you’re sure to get their full attention.
The new normal
It’s often said that alongside the mortal threat, within each crisis can be found the seeds of opportunity.
The danger to us all – as individuals, families and organisations – has been made viscerally real. But in dealing successfully with that danger, it’s already becoming apparent that opportunities are also opening up. The organisations that survive the dance with the coronavirus crisis will be those whose organisational culture allows them not only to adapt to the change, but to define and thrive in it.
Some will require a radical reworking of their business model in order to survive. Some will be well placed to double down on existing approaches. Unfortunately, some will fall.
But perhaps most fundamental to the post-virus world will be a recognition that it’s not the buildings, facilities or systems that define organisations. It’s the people. And the golden thread that will run through the new normal will be how to socially bind those people into networked groups. Forming agile groups that can work adeptly to solve new problems.
Cybersecurity will become even more critical in this regard, assuring resilience and protecting that network of golden threads. The new challenge will be for the cybersecurity community to take the lead on this fundamental cultural shift.
The good news is that the opening rounds of the coronavirus crisis show that CISOs are already taking that lead.