When the pandemic pushed state workers in Colorado home, the state’s security department “became the heroes,” said Deborah Blyth, chief information security officer of the State of Colorado.
They “saw a new value in our organization,” as the department toiled to provision VPN accounts and scale from 10,000 concurrent sessions to 30,000 over the first weekend that workers went home, Blyth said during a Women in Cybersecurity Leading Through Unprecedented Change roundtable, hosted by the National Cybersecurity Alliance and Proofpoint.
The state had the advantage of having moved steadily to the cloud over the previous few years, which made the transition to remote working that much easier, a sentiment echoed by fellow panelist Sue Lapierre, CISO at Prologis, a logistics real estate company that moved 95,000 of 100,000 employees out of the office to work remotely.
“We’re six or seven years into our journey in the cloud and that helped us,” said Lapierre, noting that her company began dealing with the effects of COVID shutdowns earlier than most because its employees in China went on lockdown in February. Prologis had been using videoconferencing for years as well, which meant the jump to virtual meetings wasn’t a cultural shock.
A thornier problem for Mary Haynes, vice president of network security at Charter Communications, was accommodating its call centers, which had to handle a surge of calls after the internet service provider rolled out a 60-day free internet service to extend connectivity to more users.
The cybersecurity leaders continue to grapple with the issues that most CISOs face – fending off growing and evolving threats, raising awareness to spurn phishing attacks and ransomware and locking down access.
The threat landscape was initially pockmarked with spikes in DDoS attacks, then a rise in what Haynes calls “ing” attacks – phishing, smishing, vishing and the like.
And while most of the women leaders said they had technology in place to handle those threats, they all underscored the importance of educating and training employees, stressing that communication is key.
For instance, the pandemic prompted Colorado to publish a tech kit that included instructions on how to set up and use a VPN and explained to employees the tools that were at their disposal to do their jobs and remain secure. In the spring, with phishing attempts ticking up, Prologis decided it was “the perfect time to do a phishing campaign,” Lapierre said. “It wasn’t popular but senior management supported it.”
The trio have also improved communications between the business and tech factions of their organizations. In 2015 Charter Communications adopted the cybersecurity framework from the National Institute of Standards and Technology and used that to educate the board, said Haynes, who says risk management is built into everything they do. “We’ve created a common language between tech teams and the board.”
Now, she said, board members ask questions like how much it would cost to be NIST Tier 4.
Likewise, at Prologis, Lapierre said, “We also use NIST when we’re promoting cybersecurity.”
The three leaders agreed cybersecurity is going through a transformation, “moving away from the typical waterfall software development cycle,” said Haynes, to be baked in from the beginning and not bolted on.
They’d also like to see more women in security, specifically in leadership positions, and urged young women to discover the myriad careers that cybersecurity can offer. “There are so many skillsets needed for cyber, so much to do – my role is not all technical,” said Blyth. “It’s talking, communicating, persuading.”
Haynes urged companies to tap inner city schools to get a diverse pool of budding cybersecurity professionals – “introduce them to careers that pay very well,” she said. “We need to change the image of who security people are.”
Lapierre, who came from business, advised young women to take chances. “Don’t be afraid to take on new things, even a task no one else wants to do,” she said. “Raise your hand.”