2020 Hindsight and 2021 Foresight: Lessons Learned in the Work From Home Era
It is hard to believe that it has already (or only?) been a year since a global pandemic forced organizations to adapt to the “new normal” of the work from home era. Given the 12-month milestone, now seems like the perfect time to stop and reflect on how things have changed, what we have learned, and what the world will look like moving forward.
Recently, CloudVector hosted a CISO panel discussion on these topics with two esteemed speakers: Jason Lish, Chief Security, Privacy and Data Office, Advisor Group; and Shaun Marion, VP & CISO, Republic Services. Collectively, these two practitioners share almost 50 years of experience — if you find this blog post interesting it is entirely because of the intelligent point of view these gentlemen shared with me. I’ve linked directly to both of their LinkedIn profiles because one of the themes of our conversation was the importance of building community (you can also find me at Lebin Cheng).
We began our discussion with a recap of the past year. There is a lot of optimism about the shift to remote work, but the reality is that technology solutions like always-on VPNs and split tunneling have been exposed as a bit archaic. If there is a silver lining, it is that organizations are exploring new approaches to technology, and even expediting the deployment of key technologies, such as cloud proxies. On the other hand, some of these new technologies are breathing new life into old solutions, such as split tunneling via cloud services — something that wouldn’t have been possible 10 years ago. Perhaps the lesson learned here is that technology solutions are not so black and white.
Priorities in 2021 have shifted because of remote work, as the panelists turned their attention to digital transformation and the infamous adage that “every company is a software company.” And now, in the case of platform providers, every company may also become a cloud provider. But even organizations delivering real-world services with massive logistics and operations, such as waste management, still require copious amounts of custom software and digital transformation. For example, using Google Maps for routing may not be efficient enough for garbage trucks that need to pick up trash cans from the right side of the road — a custom software solution may be required.
This sort of digital transformation requires partnership across departments to embed security into its processes. The two key words of this conversation are enablement and engagement. Our experts agree that security starts with partnership and collaboration. Security must be seen as an enabler of development, not another gateway — both figuratively and literally since there are already enough ineffective gateway solutions in the marketplace. One concept that really resonated with me was the ability to “deputize” your DevOps team by training them in-house, teaching them threat modeling, providing them visibility into their environments, and serving as a trusted consultant.
A lot of security tools provide a dual function, such as how CloudVector provides comprehensive visibility into API calls while protecting the sensitive data it carries, which is useful for security and DevOps. It can be good to think about the vested interests from both sides. Security can be guilty of trying to force processes instead of moving along with developers — it isn’t as if developers come to work intending to create vulnerabilities — we are all working together to build something better.
However, 2020 revealed that we don’t know as much as we think. I am speaking of course about, “the attack that shall not be named,” SolarWinds. Software has always been vulnerable because it is so complex. How do you protect an ecosystem that contains open source, third-party software, and the third-party software of third-party software (ie fourth-party software)? Third-party risk and securing the supply chain have been long-standing issues, and 2020 exposed it.
The SolarWinds vulnerability existed for years, so what could organizations have done differently to mitigate the risk? Historically, anti-virus, patching and inventory management could be considered the foundation of security (if you’re willing to simplify more complex subjects into these buckets). If we apply this triad to 2020, it could mean understanding your suppliers, your systems, and third-party applications (not to mention identity, authentication, etc.). But a software inventory is very hard to create, even for in-house applications, and especially once third-party applications are involved. Ultimately, the approach should be to “trust, but verify” by modeling and monitoring behavior.
This approach introduces an analogy that poorly installed electrical wiring could someday cause a fire. Certainly, organizations need to know where the fire extinguisher is, and be prepared to call upon firefighters, but the fire could have been avoided if there were more fire inspectors. And if there are not enough fire inspectors then organizations need to be prepared to “deputize” them.
In conclusion, the world changed dramatically in 2020 and it continues to change in 2021. Priorities are changing — for example, digital transformation continues, but its focus is more on mobile work than network segmentation. It can be challenging to keep pace — tech keeps evolving, so attacks keep evolving. Emerging security solutions, such as “API Security” mean something to non-technical executives as a concept, but they need to be educated why it matters. It is important that security professionals serve as a risk management partner to their organizations — vulnerability and threat management, and GRC are all very important.
And finally, I want to bring it back to fostering engagement and community, which are also important priorities in 2021 and beyond. The importance of engaging not only with internal stakeholders and inter-departmental teams, but also with external partners and other colleagues in the community should not be underestimated. For example, CloudVector is a member of the Cloud Security Alliance, which has an active community on LinkedIn and also hosts its own community, called Circle. And on a personal note, Jason, Shaun and myself invite you all to connect with us on LinkedIn to continue to build our community. We’re optimistic about what the future holds, even with how quickly it is changing.