When the pandemic swept the globe, CISOs were put on notice. Their already challenging jobs were amplified under the pressures of stay-at-home orders, vaccine development, and in some cases, barren grocery store shelves.
But CISOs also had an elevated sense of responsibility to deliver their goods and services to customers uninterrupted. With remote operations, their security footprint became more complex and more difficult to protect.
At RSA Conference 2021, CISOs reflected on the pandemic and how it influenced their security priorities. Here is how five CISOs responded to COVID-19:
1. Florence Mottay, SVP of information security and Global CISO of Ahold Delhaize
Ahold Delhaize, international parent company of Giant, Fresh Direct and others, had bittersweet growing pains during the pandemic. "We recognize that it's positive for our company … but we wish we had achieved that under very different circumstances," Mottay said during the RSA Conference Tuesday.
While CISOs are made for crises, the "COVID-19 crisis was very different in that it also affected all of us personally," she said. "Very quickly, I realized that everyone in the team was trying to put on a brave face."
Mottay adopted policies that went beyond the technicalities of the workplace; she embraced the "vitamin shot," where employees had 30 minutes each day to talk about whatever they needed.
As a mother, Mottay was balancing her job with distance learning for her daughters and worries for her older relatives. The vitamin shot was based on cultivating trust in the workplace. "I really encouraged the entire team to share as much as they felt comfortable with, to share what others could do for them."
2. Marene Allison, CISO of Johnson & Johnson
Allison likes J&J to stay in the middle of the road in terms of cybersecurity. "I just want to be right in front of the bear but have a few people behind me," she said during the conference. The pandemic changed that.
Because J&J was developing a vaccine, COVID-19 "made us a target," she said. As with other organizations in the healthcare industry, vaccine developers felt the rise in cyberattacks in 2020.
In recognition of the significant wave of threats, Allison "thought about the magnitude of what was before us, before my organization, before my information security risk management group."
J&J reinforced collaboration between its risk management, physical security, brand management, supply chain security, and the rest of the business. "At times, it was like, I'm not sure I've been on this ground before, but it's starting to feel familiar," said Allison.
3. Phil Venables, CISO of Google Cloud
Venables puts high value on "usable security" and improving productivity, he said during the conference. Cloud providers and their scalability will be a driving contributor to the transformation of security.
The usability factor goes beyond Google Cloud's customers; it also applies to its internal users and software developers. There is no reason the tools engineers use cannot be improved upon, according to Venables. "That doesn't necessarily just have to be tuning of the product, it can be the experience in which the alert is delivered, could make you more tolerant of some level of intrusion."
Good security balances risk mitigation and business productivity. It's a recognition that while there is a cybersecurity skills shortage, the user experience of relevant security tools can improve the efficiency of the talent organizations do have.
4. Lakshmi Hanspal, global CSO of Box
As a service provider, Box is seeing companies "dust off from the pandemic and move from crisis mode to strategic mode," Hanspal said during the conference. In doing so, companies recognize the boundaries of trust have changed.
The three lessons Hanspal took away from a year marred by a pandemic are to lead with empathy, reinforce the public-private sector partnership, and revisit shared responsibilities within the supply chain. "I think we're going to be in a great position to shift into whatever is next," she said.
5. Darren Kane, CSO of nbn™ Australia
As remote work became inevitable, failure and outages were not an option for broadband companies. "A large part of the economy was actually told to grab a laptop, if you can take a screen, head home, and log on," he said. "They largely did that utilizing the nbn, so I actually felt the pressure."
While reliance on broadband and technology supported nbn and Australia's remote workforce, Kane sees the security industry's role changing because of the pandemic. It will be a shift from prevention and detection toward more business continuity. Kane was asked to chair nbn's crisis management response as lockdown orders swept Australia.
"Reliability and security is critical," Kane said during the conference. "If you put those two things together, it's trust, you have to trust the provider and the service being provided."