ISF 2: Adapting to a New World CISO Briefing · 2020. 7. 1.  · The COVID-19 cascade effect ISF...

Page 1

ISF CISO Briefing: 2. Adapting to a New World

Page 2

CLASSIFICATION: Public

The information in this document is correct as of 1 July 2020.

See appendix for website details.

ISF CISO BRIEFING 2. ADAPTING TO A NEW WORLD

Published: July 2020

PUBLISHED BY: Information Security Forum Limited, +44 (0)20 3875 6868, [email protected], securityforum.org

AUTHOR: Mark Chaplin

DESIGN: Abigail Palmer

RESEARCH: Aman Behl

QUALITY REVIEW: Emma Bickerstaffe, June Chambers

2 Information Security Forum

Page 3

CONTENTS

INTRODUCTION 04

LOCKDOWN TO DOWNTURN 06

MOVING BEYOND RESPONSE 08

KEY AREAS OF CONCERN 10

TAKING ACTION 14

APPENDIX 15


Page 4

INTRODUCTION

BRACING FOR A TURBULENT FUTURE

We are now operating in a new world and one unrecognisable from 2019. Society, commerce and our lives have been disrupted on a level not experienced by many generations.

As countries implement exit strategies from lockdown, the fallout from COVID-19 has presented a complex set of interrelated factors, causing a ripple effect that impacts the global economy, every geographic region and all industry sectors. This cascade effect reaches deep into every organisation, including the office of the CISO.

THE COVID-19 CASCADE EFFECT

Global and regional factors, particularly those driven by contracting economies, will influence government action, political tensions, regulation, supplier relationships, customer demand and internal operations within organisations. Scenarios that organisations can expect over the coming months will have both a direct and indirect impact on the CISO’s role and the security function.

CASCADE SCENARIOS

Release from lockdown across the globe will be complex and drawn-out. Fears of a further outbreak and reluctance to return to the office will cause delays to resuming normal operations.

Government response and rescue action (e.g. furlough schemes, relief checks, wage subsidies and bailout packages) will incur huge national debt, influencing future taxation, GDP and interest rates.

Supply chain disruption (both upstream and downstream) will lead to loss of, and increased competition for, suppliers. A significant decrease in customer demand and loss of revenue will impact budgets enterprise-wide.

Many organisations affected by the financial fallout will be forced to cancel or delay commercial projects, reassess investments and revise expectations. Workforce lay-offs will be unavoidable, leading to exceptional levels of global unemployment.

Legal and regulatory pressures will increase as regulators exert greater scrutiny in areas such as financial regulation, internet legislation and privacy law.

“FOR THE FIRST TIME SINCE THE GREAT DEPRESSION BOTH ADVANCED ECONOMIES AND EMERGING MARKET AND DEVELOPING ECONOMIES ARE IN RECESSION.” - International Monetary Fund

BASIS AND PURPOSE OF THIS PAPER

This paper represents one of a series of Information Security Forum (ISF) publications, focused on the needs of the CISO and other risk management professionals. It is based on the contribution of senior risk management and security leaders, insights from ISF research and an examination of reputable sources from around the world.

The paper is influenced by the circumstances following the COVID-19 outbreak and views the post-crisis landscape from the perspective of the CISO. It addresses the global economic situation, explores post-response circumstances faced by organisations as they adapt to a new operating model and introduces a set of considerations for CISOs to prioritise.

Page 5

[Figure: The COVID-19 cascade effect. Factors arising from the COVID-19 outbreak are mapped by PESTLE category (political, economic, social, technological, legal, environmental) at global, regional/industry and organisational level: interrupted business operations, release from lockdown difficulties, government debt, trade tensions, deep global recession, financial market uncertainty, supply chain integrity, budget constraints, volatile revenue and liquidity, disrupted working arrangements, skills shortage, job security, workforce mobility, insider threat, public anxiety, privacy concerns, increased regulatory scrutiny, compliance distraction, digital transformation, business asset exposure, technology risk, cyber threats.]

Page 6

LOCKDOWN TO DOWNTURN

Organisations with strong resilience measures in place and a healthy balance sheet will likely survive but many face uncertainty for the foreseeable future.

As countries emerge from lockdown, an economic downturn awaits with the fate of many organisations and individuals still to be determined. Release from lockdown in different regions (even within countries) will vary in pace and approach. This presents further challenges for organisations that operate in multiple countries or depend on an international supply chain.

The nature of the economic recovery is likely to be a key indicator for budget allocation in the years to come. Since the outbreak of the pandemic, global GDP has continued to contract, unemployment has hit levels not seen since the Great Depression and government debt around the world is approaching all-time highs. Yet during the same period, the S&P 500 Index saw its best 50-day rally and the NASDAQ Composite Index hit all-time highs. This disconnect between stock markets and the wider economy illustrates the high level of uncertainty that remains.

“WE NEVER ENVISAGED A SCENARIO WHERE EVERY COMPANY IN THE WORLD WOULD IMPLEMENT THEIR BUSINESS CONTINUITY MEASURES AT THE SAME TIME. FORTUNATELY, OUR RESILIENCE PLANNING PAID OFF.” - ISF Member

[Figure: Lockdown exit strategies compared, March to June 2020, for GB, NZ, ZA, DE, AU, JP, DK, US (LA) and CA (Ontario). Milestones plotted: state of emergency declared, national lockdown date, first schools reopened, non-essential shops reopened, border restrictions eased. * Regional † National]

Page 7

[Figures: World GDP comparison (%), data source: International Monetary Fund, 14 April 2020; Potential S&P 500 Index recovery scenarios ($), data source: Google Finance (INDEXSP: .INX), 16 June 2020.]

Currently, a perfect recovery has been priced into the markets with the hope that easing lockdown measures will return business to normality. The way markets bounced back strongly from March lows has led to this being referred to as a V-shaped recovery. If this optimal scenario continues, consumer confidence should return, generating corporate revenues. This, in turn, should grow business confidence, allowing firms to resume long-term projects and investments previously put on hold.

However, with output struggling to reach pre-pandemic levels, political and social tensions rising as well as little progress in terms of developing a vaccine, the reality of this recovery scenario is being called into question. Corporate earnings in the second quarter of this year will paint a more accurate picture of the type of recovery economies are likely to endure. It may be the case that these earnings do not meet expectations and instead of a V-shape, a W-shaped recovery emerges where the market trades sideways for a prolonged period. In this scenario, business growth will remain slow for the foreseeable future, putting increased pressure on budgets across the organisation.

[Figure data: World GDP comparison shows the Great Lockdown (2020) at -3.0% against the Global Financial Crisis (2009) at -0.1%. The S&P 500 chart (2,000 to 4,500, February to August) plots the actual market index to the present day, the pre-COVID-19 market trend line projection, and the V-shaped and W-shaped recovery scenarios.]

Page 8

MOVING BEYOND RESPONSE

Despite the unexpected, complex and far-reaching circumstances faced by risk management and security functions worldwide, the verdict is clear – planning pays off. Those who had invested in resilience planning and testing reaped the benefit, following established processes and procedures to respond quickly. Yet even the most prepared CISO still had to improvise to meet business demands and devise secure workarounds.

As CISOs and other business leaders reflect on their efforts to keep the business running, the next phase – Adapt – presents another set of challenges. It is a critical time for organisations that will determine their long-term recovery and future success.

As organisations adjust to a new operating environment, the CISO’s role in resuming normal business operations remains vital. As a function leader tasked with protecting the organisation’s information assets and technical infrastructure, CISOs need to understand board-level concerns. This involves taking a business view, which relies on close engagement with business leaders and other senior stakeholders.

“NOW THAT WE HAVE GENUINE ATTENTION OF THE BOARD, WE NEED TO KEEP IT.” - ISF Member

THE BUSINESS VIEW

A business view of the organisation covers all areas of the enterprise as shown below. Some of the key business-related considerations include:

[Figure: business view of the organisation, covering suppliers, customers, channels (products/services), sales and marketing, research and development, governance/strategy, cost management and planning, revenue streams, business partners, and operations, resources and infrastructure.]

• integrity and availability of assets, including people, information, technology and premises

• dependency on, and commercial stability of, the supply chain and business partnerships

• financial health of the organisation

• value of products and services to existing and new customers

• operating capability in the form of business processes.

Page 9

TAKING STOCK AND GETTING AHEAD OF THE GAME

The task ahead is now greater than ever before. Many circumstances remain outside the control of the organisation, but where possible, CISOs need to accommodate the business requirements both inside the organisation (e.g. operations, workforce and technology) and beyond (e.g. suppliers, business partners, regulators, customers and even the public).

Against this backdrop, a unique situation has arisen for the CISO. Unlike many other functions where the nature of the work has shifted, the workload and expectations for the security function have dramatically increased.

“THIS IS THE TIME WHEN WE NEED EXECUTIVE SUPPORT AND INVESTMENT.” - ISF Member

While new risks have emerged and are receiving prompt attention, CISOs must also keep existing risks within acceptable levels – all while the organisation’s risk profile continues to change, forcing the board to re-evaluate its risk tolerance.

Applying established risk management principles will act as a strong guide during these difficult times. Good risk management will enable meaningful engagement with business leaders on key issues such as:

• prioritising business assets for protection

• profiling threats

• reducing exposure of assets

• estimating financial loss.

Business leaders will inevitably need to make difficult decisions with implications for budgets, resourcing and programme prioritisation, but this is not the time to cut security budgets and put business protection initiatives on hold. CISOs play a pivotal role in helping business leaders make informed decisions about risk.

[Figure: the three phases RESPOND, ADAPT and RESUME]

“EVERY ORGANIZATION MUST BE PREPARED TO ABANDON EVERYTHING IT DOES TO SURVIVE IN THE FUTURE.”

- Peter F. Drucker


Page 10

KEY AREAS OF CONCERN

Engagement with leading risk management and security leaders has identified five particularly problematic areas as organisations adapt to current working arrangements. These are not unexpected, but if overlooked could introduce unnecessary risk exposure in the months to come.

With security budgets at risk of being cut or subject to increased scrutiny, prioritisation of risk management, security governance and compliance is essential to ensure risks do not exceed the organisation’s risk tolerance.

Assuming new threat scenarios can be mitigated, is the organisation ready for a major cyber-related incident under the current circumstances? While resilience has proven successful, concerns are shared among many CISOs regarding their cyber response capability.

During the early stages of the crisis, organisations had to modify on-site working arrangements and operating procedures, with many instructing the majority of their employees to work from home. As working arrangements evolve, concerns remain regarding exposure of sensitive information, use of unknown equipment, introduction of malware and the insider threat.

Adjusting to new operating models has extended beyond the organisation to suppliers, customers and business partners. In an already complex environment that is so dependent on trust and assurance, the complete supply chain has received increased attention as a likely source of more risk.

Demands on corporate networks and the underlying architecture are changing dramatically to accommodate new methods of working. Many organisations have now inherited a new digital transformation programme, and with it a new attack surface.

“WE ARE NOW EXECUTING AN UNINTENDED AND ORGANISATION‑WIDE DIGITAL TRANSFORMATION PLAN.” - ISF Member

Page 11

To address these five areas of concern, the ISF presents the following considerations, which should be incorporated into current security planning activities.

RISK MANAGEMENT, SECURITY GOVERNANCE AND COMPLIANCE

Effects on budget (whether reduced, unchanged or even increased) will require improvisation and creativity on the part of risk management and security leaders. CISOs need to:

• actively engage with business leaders to demonstrate the importance of the security budget as the risk profile of the organisation continues to evolve

• focus on short-term management and safeguarding of the remote workforce

• plan long-term projects and investments that have been subject to delays and postponement

• apply a forward-looking approach and actively seek opportunities for effective digital transformation

• identify COVID-19 related regulations that might influence risk management and security efforts

• revisit the governance framework (including policies, standards and procedures) for the foreseeable future.

RESILIENCE

In the current circumstances, resilience remains a number one business priority for organisations. Measures such as business continuity and disaster recovery are essential for organisations to deal with further unexpected scenarios that threaten the business. Key aspects of maintaining business resilience include:

• identifying and reprioritising critical assets that might have changed in value (e.g. those emerging due to new operating models, changes in technical infrastructure and adoption of new services)

• reducing alert fatigue from manual investigation of high-volume alerts through automation, to collect, analyse, filter and action the most critical security events

• continually improving breach response capabilities, particularly while security operation teams work remotely and at reduced capacity, to ensure threat events can be mitigated in a timely manner.


Page 12

TECHNOLOGY AND SERVICES

Organisations’ technical infrastructure and services (including those used to protect technology) have been subject to disruption and have, in some cases, had to transform overnight to meet the needs of a changing business. In many cases, this has placed a great deal of pressure on an already complex, diverse and overstretched infrastructure. Keeping technology risk within acceptable limits requires:

• transitioning to the cloud securely, particularly for organisations that had not started such a strategy before the crisis

• engaging with cloud service providers to manage expectations on capacity levels, VPN requirements and authentication needs as demand changes over the foreseeable future

• revisiting capacity planning for local, corporate and global networks (including connections and bandwidth requirements), depending on how the workforce operates in the future

• stress testing data centres, networks, cloud service providers and backup facilities

• removing or securing corporate-owned information on non-corporate devices and platforms (including personal cloud services)

• addressing security requirements when introducing new network technologies (e.g. software-defined networking)

• assessing risks associated with new return-to-work technologies (e.g. temperature screening devices and social distancing beacons), which might introduce new attack vectors on the corporate network.

SUPPLY CHAIN INTEGRITY

Supply chains across many industry sectors will be subject to disruption and uncertainty. The consequences of the global crisis will affect supply chains upstream (e.g. loss of suppliers, disrupted supply, change of suppliers and suppliers unable to operate at adequate levels) and downstream (e.g. loss of customers, drop in demand and inability to meet customer demand). Both factors will affect internal operations. Supply chain risks that affect business processes, information and technical infrastructure will need to be managed. This involves:

• communicating regularly with key suppliers and customers to identify and address new and emerging risks

• identifying new threat vectors as a result of new working arrangements and operating procedures

• reviewing potential exposure to current and new threats (e.g. through temporary relaxation of controls, inheriting new infrastructure vulnerabilities and working in environments with a different risk profile)

• determining operating procedures that no longer meet contractual expectations and implementing alternatives that avoid increase in risk

• agreeing new assurance activities and reporting, including audits, security assessments and business continuity exercises.


Page 13

MOBILE WORKFORCE

The approach taken for employees returning to organisations’ premises will vary greatly. While some organisations are considering the possibility of the complete workforce returning, others are undertaking this in stages, with many exploring a hybrid of the two. Measures to implement now include:

• maintaining an accurate and up-to-date inventory of all workforce-related equipment (including spare, redundant and newly issued equipment)

• confirming all equipment used by remote workers does not introduce unnecessary exposure during transport or when connected to the corporate network (e.g. by containing malware or unencrypted sensitive information)

• informing employees of any new or updated security policies and procedures (e.g. expectations regarding on-premise working arrangements) and providing a full induction process for newly hired employees

• verifying that safeguards are in place to protect against any increase in insider threat levels (e.g. as a result of disgruntled or disaffected staff).

PLANNING FOR THE FUTURE

Although a great deal of focus and attention is directed towards supporting and protecting an organisation during a time of significant disruption, proactive CISOs are already pursuing opportunities and planning for the future.

Whether budgets increase or decrease, risk management and security functions will need to prepare for long-term cost savings, redirection of investment and process efficiencies. The results of these and related benefits will need to be demonstrated to business leaders and stakeholders. Risk management will play a pivotal role in the success of organisations as they resume normal operations.

Page 14

TAKING ACTION

CISO Briefings from the ISF examine the most important topics of concern among leading CISOs from around the world. They focus on meeting business needs, managing risk effectively and providing assurance of the highest levels of protection across an enterprise. Future publications in this series will build on business resilience as a key priority and help CISOs transition smoothly from Adapt to Resume. To achieve this, CISOs will need to leverage all the resources and capabilities at their disposal.

ISF MEMBER RESOURCES

The ISF has an extensive library of reports, tools and methodologies available to Member organisations on ISF Live and recommends the following:

• Securing the Supply Chain: Preventing your suppliers’ vulnerabilities from becoming your own

• Legal and Regulatory Implications for Information Security

• Using Cloud Services Securely: Harnessing core controls

• Standard of Good Practice for Information Security 2020

• Building Tomorrow's Security Workforce Briefing Paper

• Securing Collaboration Platforms Briefing Paper

• Delivering an Effective Cyber Security Exercise

• Protecting the Crown Jewels: How to secure mission‑critical information assets

• Managing the Insider Threat: Improving trustworthiness

• Supply Chain Assurance Framework: Contracting in confidence

Download these resources from ISF Live.

COVID-19 RECOVERY RESOURCE CENTRE

ISF resources to help Members address key challenges during this period are available on ISF Live and include:

• Top Tips for Using Cloud Services Securely Poster

• Top Tips to Prepare for Future Threats Poster

• Top Tips for Supply Chain Security Poster

• Podcasts and webinars

• Blogs and press releases

Access the ISF COVID-19 Recovery Resource Centre on securityforum.org.

Page 15

APPENDIX

EXTERNAL RESOURCES

Credible sources of information regarding COVID-19 are available publicly, including:

• European Centre for Disease Prevention and Control: Situation update worldwide

• European Commission

• European Union COVID-19: Commission sets out European coordinated response

• Health and Safety Executive: Coronavirus latest information and advice

• Johns Hopkins Coronavirus Resource Center

• Nextstrain

• Public Health England

• United Nations: Coronavirus disease (COVID-19)

• US Centers for Disease Control and Prevention

• US Department of Health and Human Services

• World Health Organization

• Worldometer Coronavirus Update (Live)

[Image: COVID-19 Virus Outbreak]

Page 16

ABOUT ISF

Founded in 1989, the ISF is an independent, not-for-profit association of leading organisations from around the world. The organisation is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions.

By working together, ISF Members avoid the major expenditure required to reach the same goals on their own.

Consultancy services are available to support the implementation of ISF Products.

FOR FURTHER INFORMATION CONTACT: Information Security Forum, +44 (0)20 3875 6868, [email protected], securityforum.org

Prepared: July 2020. ©2020 Information Security Forum Limited. All rights reserved.