Adapting to a new way of working, and how the cybersecurity program is key
We do a daily sync in the mornings. It’s not structured. We can talk about anything including work. It lets us connect with each other, and it’s really strengthened our team.
Also, I’d recommend setting a schedule so that work is not all day, every day. Use visual management aids like wall calendars and white boards to track time, deliverables, events, etc. And make sure you take time to get outside, take a walk, get up and stretch regularly.
@3ncr1pt3d | LinkedIn
When building a great cybersecurity program, I’m going to give you three recommendations, and they’re based on what’s good for the people who will make your program happen. A great program is because of great people. These are as follows:
For most people working remotely, this is a completely new experience. Sure, they had taken the occasional Friday, but working as a dedicated remote staffer is another thing entirely. We as security practitioners need to be there to provide guidance more so than in previous years.
The second element to keep in mind is the use of defined repeatable processes. Having people working remotely will help to draw this need in clear definition. The chance for things to go wrong is compounded with having this lack of face-to-face interactions. The third element to keep in mind for the remote working force is the democratization of security. We have to be sure to provide security tools such as MFA to our employees that enable them to do their jobs safely and securely.
@gattaca | LinkedIn
A cybersecurity program can only be successful when there's support and commitment from the board and management. Leading by example is crucial for adoption. Using the right tools and processes is very important, but in the end, it's the employees that make the difference.
@j_opdenakker
Every employee should be aware that they can have a positive influence on the security of the company while doing their job. That's why it's so important that people in the security team not only have technical skills but also – probably even more importantly – have soft skills like communication and people management.
The security team should not be perceived as the group of people that always says no. Instead, they should explain to people why their actions form potential security risks. Once people understand why security matters and realize it doesn't have to be a barrier, they will adjust their behavior, and some of them will even become security advocates and help to further improve the security in your organization.
Embracing the digital transformation is no longer optional but an imperative. To provide security at scale, organizations will require greater visibility to know what to protect and the ability to automate key security workflows like threat investigation, hunting and remediation.
There must also be a shift in the culture where employees are seen as central to a company’s security strategy. This means creating a well-informed workforce and educating them about potential threats like phishing schemes and equipping them with technology that seamlessly fits into the way they work.
@geerittenhouse | LinkedIn
It is 100% normal to not perform as you normally do. This is not normal. We are all reacting to this in different ways. Some of us are lucky enough to be productive during this time. Some of us are barely holding on. Make sure you work WITH yourself, not against yourself. If that means taking time off or speaking with your boss about your struggles, do so. Our users are not our weakest link but our strongest allies. We need to support them so that they can help keep the business safe, and that requires an ongoing conversation.
@StephandSec | LinkedIn
A few mantras came at me like a flood over the last few months. “Never let a good crisis go to waste.” “Act early, move fast, and stay low.” “Improvise, adapt, overcome.” But there was only one mantra that I knew would stand the test of an enduring campaign, one often cited by my long-time mentor: “Always keep a half pint of goodwill with your people, you’ll never know when you’ll need to call upon it in a crisis.”
We needed to do three major things: Equip staff and students with the appropriate work tools, overlay sensible security measures, and train the workforce on the threats. We then needed to message them again and again. Engagement was key. A gentle “drip drip” of solid and sensible advice to keep their homes cyber safe.
Things haven’t been easy, but with great teamwork and great leadership, magnificent things can happen. Never let fear get in the way of your dreams.
@FailsafeQuery | LinkedIn
A majority of breaches happen because employers are not investing in their employees. When we do not invest in our team, we become a threat to ourselves. In order to support one's security team, it's critical to provide ongoing training and support around mental health.
Within infosec, we have a problem with burnout because we struggle to balance our work and personal life. As a company or a leader, it is your job to make sure your employees are feeling balanced by providing resources and support. Lastly, remember you wouldn't have a product if you didn't have a security team. So, treat them well. Your company depends on it.
@ChloeMessdaghi | LinkedIn
To embrace this new way of working, you should look for what works for you. Working remotely/from home/not-office location is about flexibility, inclusion, and creating a space where you’re best supported.
Security is people, process, and technology. But people come first for a reason.
Our programs need to embed security/technology to work for the users in a way that doesn’t negatively impact them. We also need to build processes that work for their workflows in a way that enhances their working lives.
@RoseSecOps | LinkedIn
On an individual basis, having a routine helps you cope, helps you get into work mode. That being said, it is very difficult if you don’t have your own space to work in. We’re working from home, and not everyone has a designated office space. We should all learn to be tolerant of how others are managing to work from home and make this work for them and the teams they are part of. We do need to support each other in both the short term and going forward as this new way of working continues to evolve.
In terms of awareness and building a secure workplace, whether remotely or not, you’ve got to work within the culture you’ve got. You’ve got to work with the messages your people already listen to, within the challenges that they have, and within what they celebrate, consider to be a "win", how they like to learn and to work.
For a great cyber security program, know your people better than anyone else, and try to work with them so that you’re not constantly pushing against what they like to do and what they feel is successful. If you can get your people on board, then you’re already more than halfway there.
@Jenny_Radcliffe | LinkedIn
Here are 3 tips I’d like to share:
There are a huge number of factors that go into developing, implementing and operating a cybersecurity program, but one that always seems to get the least attention is the Business Continuity Planning components. If you don’t have a Business Continuity Plan when things go sideways, you’re not doing business continuity; you’re doing disaster recovery, and the impact to your organization can be orders of magnitude more devastating.
@marktw | LinkedIn
It’s important to have a distinction between your work-from-home life and your home-from-home life.
One of the things that’s helped me a lot is trying to emulate my commute as much as possible both in the morning when I’m starting the day and also when I’m done for the day. By listening to music, listening to a podcast or walking my dog for around the time that it would normally take for me to get into the office, it helps me mentally prepare for the day and also shut down whenever I am done working. It’s been extremely helpful.
As for security, we talk about people, process and technology. It truly is in that order. The culture of the people will help influence the processes, which help influence the buying decisions and implementation decisions of your technology. So, it’s really important to start with people.
All of this works because everyone is part of your security team in this day and age. Everyone.
@TriciaKicksSaaS | LinkedIn
I think the main thing to remember is that whilst this way of working feels new, it is only the volume of home work that is new. Many companies have always had people working from home from different locations and from on the road.
With everyone now working from home, your perimeter just got a lot bigger. Ensure that you have a way of patching your client machines even though they're not on your network anymore.
My main piece of advice would be to remember that the risks are not bigger or smaller. They're just different.
@quentynblog | LinkedIn
My advice to people is to use basic sense and start following the advice that has already been around for a long time. Don’t overthink and emotionally complicate things. If anything, this situation should finally force people to start doing what they should have been doing the last 10 years.
Follow the security controls and best practices that already exist for mature levels of handling insider threats, access control, change control and configuration management, asset inventory details as well as secure remote access.
@blackCyberDude | LinkedIn
There has frequently been the pull to allow flexible work to employees as a perk, but the fear of completely breaking the mold held particular institutions back from attempting it. With the pandemic thrusting the majority of the world into some form of lockdown, we had to evolve.
Some of the major security concerns came from having the threat landscape expanded by having students, children and spouses all working remotely under their personal wireless network. The lack of full segmentation on these systems allows risks from one system to spread to others potentially, spreading back into their organizations.
With proper objectives, results and oversight, the remote work force can act just as organized if not better than a typical on-premise office depending on the function of the employee.
@MatthewPascucci | LinkedIn
Working from home means an introduction of a whole slew of BYOD issues, which warrants a review of BYOD/acceptable use policies as well as a renewed focus on remote device management execution.
Bad actors have been taking advantage of COVID-19 in phishing campaigns, but this brings an opportunity for anti-phishing awareness and ongoing education to the fore. It also underscores how the education of users on new security implementations is a necessary part of an organization’s digital transformation curriculum.
@vkeong | LinkedIn
My recommendation to every organization is to implement a security framework at a minimum. All too often, there is a focus on having a blinky box rather than testing or implementing non-technical (administrative and physical) security controls. It doesn’t matter if an organization has the best-in-class technical solution if they are not layering multiple control types around critical assets.
The next level is actually executing a business impact analysis and implementing business continuity plans, beyond IT and Disaster Recovery. Generally speaking, many organizations I speak with are focused on those annual or otherwise required technical tests, but thoughtful consideration of risk and impact can be a game changer in widespread events.
@Ghostmath1 | LinkedIn