2020 has been a year of immense challenge for organizations, and especially for those tasked with securing them. When COVID-19 swept the world, security and risk leaders were suddenly responsible for securing remote employees on an extremely aggressive timeline. While some organizations had an established infrastructure for a seamless transition, others were scrambling to supply employees with hardware, often resorting to older machines with less-than-ideal security parameters.
Distracted employees in less-than-ideal work-from-home environments became potential sources of risk, and hackers began exploiting newly presented opportunities. After the initial response, CISOs needed to continue to recommend and guide their businesses, which were operating under unprecedented and daunting conditions.
“Over the past six months, defining risk appetite has become even more of a challenge for security leaders. Enterprise project portfolios are changing on the fly, and of course, increasing our risk landscape,” said Jeffrey Wheatman, VP Analyst, during the opening keynote of the virtual Gartner Security & Risk Management Summit, 2020.
“Security leaders are focusing on reprioritizing projects and initiatives, which involves dropping some, adding and accelerating others, all while trying to hit the moving target of risk appetite.”
The security risks of 2020
Even before COVID-19, new and different security challenges were present in 2020. More digital services were being delivered on a global scale, and tensions were high in international communities, with trade disputes, for example, often inciting cyberwars. Further, more digitalization of physical objects means more cyber-physical risks that security and risk leaders must address. And a general increase in digital services with more customer touchpoints, from banks to utility companies, creates even more vulnerabilities ripe for exploitation by a nefarious party.
And then came COVID-19.
Some industries — travel, retail, entertainment — experienced catastrophic impact, while others — online shopping, telemedicine — saw huge growth. Each of these situations comes with unique security and risk challenges.
The initial scramble to keep businesses operating, people working and money moving afforded an opportunity to identify new risks, reassign resources and shift investments to meet outcomes. Now that organizations have moved past the initial response phase, security and risk leaders can review what was done and identify new risks on the horizon — as well as new opportunities.
The drive to digital business
New opportunities bring with them new risks, and CISOs worry the business will fail to prepare for some of them. The Gartner CEO survey revealed that 82% of CEOs have a digital transformation or management initiative, up from 62% in 2018. However, a Gartner survey of CISOs found that while 90% of respondents believe digital business will create new types and new levels of risk, 70% felt the investment in risk management was not keeping up with the newer, higher level of risk.
The good news is that the business continues to value cybersecurity as an essential function and executives will look to CISOs to secure the business and limit risk, while also enabling opportunities for technology to transform operating models. This is especially important as CEOs look to accelerate digital business to survive and thrive in a post-COVID-19 environment.
The goal should be to balance risk, trust and opportunity as businesses and organizations enter the “renew” stage of pandemic planning. New technologies will help accelerate and guide this process, whether it’s XDR or the rapidly increasing push to cloud, or what role automation and artificial intelligence (AI) will play as the world reacclimates.
For example, at the beginning of 2020, a large government agency responsible for gathering, analyzing and storing immense amounts of personal data started the year with a slate of 19 active security projects. Once COVID started to ramp up, the agency realized it would be unable to sustain the work effort. But when the organization reframed its approach to security projects with a renewed focus on balancing risk, trust and opportunity, the team was able to narrow the list to just nine active projects — including three new opportunities.
With a renewed mindset and focus on balance, security and risk leaders must guide and drive the business to remain secure and limit risk as they accelerate digital and move into a new phase.
“As risk and security experts, you cannot change the course of the major disruptions impacting your enterprises,” said Wheatman. “But your disciplines are fundamental to addressing the risks inherent in the technology solutions your enterprises are embracing to help them recover and renew in the post-pandemic era — and with your expertise in identifying, assessing and managing the new risks inherent in these technologies, the opportunity to succeed is endless.”