As with other roles in technology, 2020 was a very challenging year for CISOs to effectively defend their organizations as adversaries ramped up attacks. This was at the time when cybersecurity resources and budgets became more constrained (largely due to the global COVID-19 pandemic). Gartner is forecasting decreased security spend for 2021 and 50 percent of CISOs are embarking on a vendor consolidation strategy in the next 18 months.
To gain an insight into the 2021 challenges that businesses and CISOs will face, Digital Journal spoke with Bradley Schaufenbuel, Vice President and Chief Information Security Officer at Paychex, inaugural member of the AttackIQ Informed Defenders Council
Digital Journal: Reflecting on this past year, what are your top cybersecurity lessons learned?
Bradley Schaufenbuel: The top three cybersecurity lessons I learned this year are:
Although not entirely dead, the perimeter is certainly dying. With most employees working from home networks, more organizational activities are happening outside of the perimeter than within it.
Cybersecurity teams can be just as productive (in not more so) working remotely than when they are in the office. With the right collaboration tools, cyber security teams can be more connected to one another from home than they are in cubicle farms.
A “talent anywhere” strategy is no longer a luxury for cyber security teams. If you are not flexible in where you source cyber security talent and / or the flexibility you provide your team, you are at a distinct disadvantage in an already tight cyber security talent market.”
DJ: Were there any specific cybersecurity/IT strategies that you think put you in a better position to manage the unique challenges brought on by the pandemic and a more aggressive/active cybercrime landscape?
Schaufenbuel: Three cyber security strategies have put us in a better position to manage the unique challenges brough on by the pandemic and a more active cybercrime landscape. First, our adoption of zero trust network access technologies and a cloud-based end user security stack made the transition of ninety-five percent of our workforce from relatively secure corporate networks to relatively unsecure home networks virtually seamless for the end user but comparatively safe.
Second, a robust security awareness program reduced our employee population’s susceptibility to phishing and other social engineering techniques, which proved essential when we witnessed a large increase in social engineering attacks that specifically targeted our work from home employees.
Finally, we were able to offset what would have been a significant loss in our ability to monitor our attack surface, identity threats and vulnerabilities, and respond to incidents by adding new endpoint visibility and protection mechanisms.”
DJ: What do you predict will be the biggest hurdles for CISOs to overcome in 2021, and what are your suggestions to fellow CISOs for solving these?
Schaufenbuel: I predict the three biggest challenges for CISOs to overcome in 2021 will be:
Continuing to respond to a rapidly changing threat landscape despite a challenging business climate resulting in flattening cyber security budgets.
Acquiring and retaining cyber security employees in an already tight talent environment where geographic constraints are no longer an inhibitor to competitive poaching.
Staying abreast of change when accelerating digital transformation and business disruption are the norm and not the exception.
In response to these challenges, I offer my peers the following suggestions:
CISOs need to be working with their internal and external partners in Human Resources and Recruiting to codify more flexible work arrangements for cyber security professionals and to adopt a “talent anywhere” strategy for cyber security recruiting.
In a more challenging economic environment, CISOs need to both defend their continuing investments in cyber security via techniques like economic cyber risk quantification and look for opportunities to optimize spend through tool rationalization and process automation.
Cybersecurity teams need to both foster innovation and adopt agile methodologies to keep pace with the quickening rate of environmental change.