As the CEO of Zoom, Eric Yuan is certainly one of the beneficiaries of the dramatic shift to remote work that’s occurred in light of the COVID-19 pandemic. His video conferencing platform has become something of a phenomenon virtually overnight, and Yuan has become one of the world’s richest men in the process. So why has April turned into the toughest month of his career?
Yuan, like most of us, never saw this coming. In his words, Zoom “wasn’t designed with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.” Perhaps unsurprisingly, the sudden influx of new users has revealed a plethora of platform vulnerabilities and security issues that his team is now scrambling to resolve. It’s also led to a barrage of questions about whether Zoom’s tools are actually end-to-end encrypted as advertised, and about what the company does with user data.
Yuan isn’t alone, of course. Microsoft, Google, and other cloud providers have admitted that they are struggling to adapt to the recent spike in demand for their services. Likewise, many of the organizations that use those services are suddenly finding themselves forced to shift to remote work for the first time and are now facing struggles of their own.
For starters, the shift has forced lots of companies to implement bring-your-own-device policies, regardless of whether they already have protocols in place for making BYOD safe. Employees may find themselves doing work on the same home machine that the kids are using to do their homework or play video games — not a pleasant thought if you're a CISO. Should mandatory quarantines persist, this will happen more often and could result in a lot of ghost data sitting around on home hard drives.
Moreover, employees are often bypassing the authentication and authorization tools they’d typically use at work, meaning companies have much less control over how sensitive data is being accessed. The quick solution is to implement corporate-issued VPNs or secure-remote-access tools, but for many CISOs, the risks are still unacceptable.
Unfortunately, not every organization will be equipped to handle the transition smoothly, and not every company will come out of this unscathed. CISOs can take some steps, however, to mitigate risks and ensure that progress is being made so that remote work becomes more viable in the future. Here are a few:
1. Document everything
The COVID-19 crisis happened fast, but business in the digital age has always moved at a breakneck pace. Pay attention to the changes you’re seeing and document them as you see them. Don’t plan to do this later, because it likely won’t happen. Write down the steps you’re taking and your thinking behind them. Keep a record of what’s getting approved and whether initiatives are implemented as part of a concerted effort or in an ad-hoc manner.
It’s possible that auditors may skip a quarter, but at some point in the not-too-distant future, you’ll have to prove that everything you did during this crisis complied with industry regulations. When the pandemic ends, rest assured that we won’t see a return to the way things used to be. Business will be changed permanently. By documenting everything now, you’ll have a blueprint for navigating the future.
2. Understand the human element
The business challenges that almost all companies face right now may seem substantial, but they pale in comparison to the emotional and psychological challenges many people are being forced to confront during this crisis. As you implement technical changes and alter company processes, don’t forget how those changes will affect end users.
Our personal and professional lives are now being blended more than ever before. That means CISOs and executives have to account for new variables that will inevitably affect business decisions. The best leaders will move their organizations forward by leading with emotional intelligence and giving employees a reason to believe in their visions for the future.
3. Prioritize employee education
Ensuring that employees receive adequate levels of training has always been important, but perhaps never as important as it is now. Under normal circumstances, your data governance needs are constantly evolving as your business evolves. In the current climate, your needs have likely multiplied exponentially; it will take a team to make sure they’re met.
Employees must know how to treat different types of data and must be able to follow protocols that prevent inadvertent disclosure. Basic topics worth covering in training sessions include your data classification system, permission-based access policies, and password policies, among others. Make sure your entire team knows what’s at stake, and that each individual clearly understands his or her responsibilities.
Massive organizational change is inevitably hard, but when your team understands what needs to be done and is determined to make it happen, you’ll come out stronger than before.