CISO says, “Post-COVID Security” Advice

Posted by Jon Howell | 10/07/2020

In the first of a new series of articles, Tech Trailblazers is proud to welcome Keri Lewis, one of our Trailblazing judges, on board to share his vast experience as a CISO. In this first piece he grapples with the nebulous task of predicting the future, given how COVID-19 has turned the world upside down.

Warning: The views in this column are those of the author, and are not intended to represent the company that the author is employed by.

What is clear is that there will be significant changes for all organisations. Additional pressure for working from home and flexibility is here to stay, and this brings major challenges: the complexity, and the increase in attack surface, of the “multi-hybrid-cloud, work from home, every piece of data accessible from anywhere” scenarios that are much discussed in the press at the moment. I’d like to apply a different filter. Here’s the headline:

“Post-COVID Recession leads to an investment crunch”

Most of the predictions for the economy post-COVID are for a dramatic contraction. There is a high likelihood that a lot of companies are going to be in a tough financial position. This means that the focus of business management will be getting back to a position of financial stability. There may be delayed tax bills, rent arrears, customers to reacquire and so forth. How will that impact a CISO or CIO? How best to “play the game” and get the company through that transition? I’d like to pick three themes and make some obvious predictions. Well, I’d like the predictions to be right, so they would need to be obvious, but it’s not going to be a smooth road to tech-nirvana.

Business Case Alignment

Budgets for investment will need to align to these new realities; any business case will have to readjust to the tighter purse strings.
Clear benefit will need to be shown, either in cost-saving or in enabling a specific business objective through process or technology. In the reality of an organisation under budget stress, the temptation to cut back is often more appealing than the need to invest. Similarly, given the “we loosened a bunch of controls and nothing bad happened” arguments that are commonplace, the risk appetite of organisations may shift to tolerating higher risks, at least until there is a high-profile breach.

Predictions

- Cost-savings and a short-term investment window: if it costs new money it needs payback this year, so expect a lot of in-house scripts etc. as quick payback.
- Short-term loosening of risk appetite statements, with higher potential for “CISO defenestration” due to looser controls, “It was OK during COVID” being the excuse.
- Operational Resilience, how to survive a shock, will be the key to IT and Security in the short term.

Supplier Consolidation

The post-COVID period will be tough for the smaller suppliers. The basic economics of the cost of a sales team mean that the larger companies will run lower overheads per unit of sale. From the buyer’s side, there will be pressure to ensure few vendors are added, as each vendor carries a set of costs in contracts, vendor management, procurement cycles etc. Fewer, bigger relationships is a likely strategy for discount leverage and lower cost per procurement unit.

Predictions

- “New and Shiny” loses out to “part-of-a-suite”: a chance for “nearly as good” to win.
- Tough times for niche players/specialists that don’t have strong implementation partners on existing corporate supplier lists.
- SaaS, but at added complexity and attack-surface risk instead of project risk.

Automation and Orchestration will grow in importance

With a resource crunch, and the purported skills shortage in Security, getting the routine tasks out of the way with minimum effort becomes more and more important.
Whether this is simple scripting, individual tools or mass orchestration through suites of products, the ability to drive out cost through automation becomes more important. It is also an opportunity to allow team members to “get rid of” the boring bits of their jobs by building well-documented automations.

Predictions

- Increase in “BAU projects” to refine automation for efficiency.
- Effort on the test/patch/remediate cycle, making it faster and more streamlined.
- Linking of hybrid environments becoming more pressing: avoiding the gaps between the systems.

Biography: Keri Lewis has served as a Tech Trailblazers judge and ambassador for three years. He has a pedigree working in all parts of the security community for more than 20 years. He has had theatre-wide roles in S&P-listed technology companies, MSPs and Systems Integrators, and is currently the CISO of a major UK Financial Services company.