Authored by Pete Shoard, Sr. Director Analyst, Gartner
Security teams must pay close attention to how new work arrangements affect security visibility.
The onset of global pandemic has initiated a new wave of remote work. Many, if not all, organizations are asking employees to work remotely. This move has created some obvious challenges for IT in terms of infrastructure and capacity. It is also creating challenges for security teams as they push to scale remote work on a rapid and global level.
Many are utilizing remote working systems that have not been operationally tested as part of their core security operations monitoring. For many, the likely result is fewer security alerts and issues because the corporate infrastructure will not be subject to the same levels of usage in areas such as internet browsing, and users may be working from web-based applications on non-company-sanctioned assets.
Ask more questions
For security operations center (SOC) analysts, this may seem like a heavenly situation: Fewer false positives to deal with, lower likelihood of security policies being broken and more time to deal with all those things they want to concentrate on but never had the time for before.
But fewer alerts does not equate with being more secure; rather it might mean you are more blinded by the lack of visibility. Lack of visibility does not equate to a lack of security vulnerabilities. Security leaders must consider these new risks to our organizations:
Set up a strong security steering committee
It’s time to gather your team (assuming you haven’t already done so) around the (possibly virtual) table. Much like the government response to the socioeconomic challenges at the moment, we have to manage these challenges one day at a time.
Where the government will have top medical experts, your table should have not just management, but a variety of security skill sets. The goal should be to help security operations prioritize a strategic response to this potential crisis so that we are not negligent. We don’t want to adopt an attitude where we just let security issues happen. Once gathered, answer a couple of the key questions:
Think beyond technology as a solution
The solution to these issues lies in solid processes, not technology. The goal is twofold: Establish a set of priorities for the security operations team and focus on an adjusted set of business risks. But don’t neglect to establish a path to return to normal in a nondisruptive way when the time comes.
As business requirements shift and flex in the current environment, security use cases will require reevaluation. First, we need to account for any new data sources and new ways of working. Second, think about the protection of new key business enablers (such as remote working platforms or VPNs).
Part of this process will be to meticulously document all changes so they can be reversed at a later date, understanding and recording where everything that creates new risk now resides. Even if these are strategic changes, evaluate carefully, as most are probably tactical at this point. You’ll need to reevaluate the path taken to ensure it is robust.
The security part of our businesses need to move quickly on this. It’s not just a question of “Can our security operations and SOC analysts work remotely?” but also “What new risk does this bring?” and “Have our security priorities changed?”
Whether these changes are purely for our internal teams or whether we have to engage our security service providers about moving faster to change based on new requirements, it’s clear that organizations need to complete a due diligence exercise to make sure that what they are doing to protect the organization matches the objectives set to keep cyberrisk low. Adjusting in alignment with what is high priority and what is feasible is an agile change.
