Security Pros Pulling Double IT Duty During Pandemic

The widespread work-from-home orders prompted by the COVID-19 pandemic are pushing security professionals into work outside their typical infosec duties. A new survey from (ISC)² of 256 cybersecurity professionals finds that 81% of respondents, all typically responsible for securing their organizations’ digital assets, say that their job function has changed during the pandemic.

“Organizations all around the world are navigating the current situation by trying to find a balance between making their systems easily accessible to remote employees and making sure that access is as secure as possible. It often falls on cybersecurity professionals to determine how to make both happen simultaneously,” said Wesley Simpson, COO at (ISC)².

The results paint a picture of a stressed and overwhelmed security workforce that is still responsible for risk mitigation while also taking on more general IT tasks. Almost half, 47%, of respondents said they have been taken off some or all of their typical security duties to assist with other IT-related tasks, such as equipping a mobile workforce. That’s not surprising to Jon Oltsik, a senior principal analyst with ESG and the founder of the firm’s cybersecurity service.

“The CISOs I’ve spoken with say they are moving people around to support IT and focus on work from home security,” said Oltsik. “They also need to add network security capacity they hadn’t anticipated, requiring network and security engineering.”

In addition to the diverse workload, the survey also uncovered some of the challenges respondents face in trying to support a largely remote workforce. Issues cited include a lack of hardware to support more remote workers and the struggle between organizational priorities for quick deployment of remote technology and the commensurate level of security to protect systems.

“Security at this point is a best-effort scenario. Speed has become the primary decision-making factor. This has led to more than a few conversations about how doing it insecurely will result in a worse situation than not doing it at all,” said one anonymous respondent to the survey.

Simone Petrella, chief cyberstrategy officer at CyberVista, a cybersecurity development and training provider, said with job responsibilities now shifting at lightning speed amid WFH orders, CyberVista has been working with organizations on ways to maximize existing talents that could be upskilled to other roles and responsibilities as needed.

“We’re helping them understand what the roles are but what, ultimately, are the performance-based tasks that need to be accomplished within an organization and what skills do personnel need in order to be effective in those roles,” she said. “Once you have that information, you look at the people in roles they are currently in, and if they have the appropriate skills. And then you develop your workforce to fill the gaps you have.”

Petrella also noted that amid the myriad free training and course offerings available from several security training and certification firms at this time, there could be an opportunity for those who are seeking entry into a security or IT career to do some exploration on career options and work on skill development.

‘A Perfect Storm’ for Cybersecurity

While the security team may be required to shift gears and put its focus elsewhere, it is not as if they aren’t needed to help with traditional security tasks. According to the survey, 23% said cybersecurity incidents experienced by their organization have increased since transitioning to remote work—with some tracking as many as double the number of incidents.

“This situation is kind of a perfect storm for cybercrime—insecure systems, untrained employees and a stressful situation where workers are accessing unknown (and often malicious) websites to get the latest information on the pandemic,” said Oltsik. “Meanwhile, hackers have ramped up social engineering attacks. I expect one or several big data breaches as a result of this situation.”

And the increase in incidents furthers the necessity for security to be considered at the outset of any new technology or changes in process, which may not be the case as companies scramble to maintain long-term WFH arrangements, said Petrella.

“It’s not just a trade-off for IT as we go mobile. You have to bake security into that at the get-go.”

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.