Like many other companies — from startups to multinational behemoths — IronNet was quick to pivot to an all-remote workforce in mid-March. The pandemic flipped the script from protecting 70-80% of the company population in typical brick-and-mortar offices to protecting a 100% remote workforce. It was an extremely challenging time, but we had done the things necessary early on to provision and scale our systems (firewalls, servers, etc.) and ISP connections to provide us capacity, agility, and freedom of movement — for an employee population willing and eager to maintain full operational impact.
As we’re entering an eighth month of operating under pandemic conditions, though, I can attest that the key to securing our network with a fully remote workforce is not just about the technology. It’s about engagement.
What we found to be hugely beneficial for our successful pivot is engaging people. We have done so on three different levels:
- Engaging at the employee level. Foremost is making sure you are transparent with your employees regularly, because your employees truly want to help and be strong cyber citizens across the company. We have found time and time again that you can get ahead of an employee base that may not want to do the security “thing” that you’re mandating as the CISO. When you put in controls and measures, employees, especially in a crisis situation, do understand and will step up. So don’t be afraid to implement and communicate what the right thing to do is at the risk of someone not liking it. Your employees will surprise you.
At IronNet, our employees continue to rise to the challenge of increased expectations for security. They want the company to be secure and successful, and are not satisfied taking shortcuts. High VPN usage, two-factor authentication, and other security controls were in place and in use throughout, but like any operation after a sustained high pace, people tend to get a bit fatigued, a little relaxed with their security habits — so I have to make a point of being more visible and relentless about refresher training, reminders, and reporting. Employees want to make a difference, and they are often our first line of defense. I am constantly reminding folks to remain vigilant, and if they are not reporting suspicious activity, like phishing emails, it makes it harder to protect the company. Much like IronNet’s Collective Defense strategy, I can defend better against cyber attacks if I have better visibility, even if it is at a smaller scale.
- Leadership: You have to get executive buy-in to ensure your security plans and the changes you need to implement don’t just trickle down; instead, in times of crisis, you need to open the cross-company communication floodgates. We all need to act fast to stay ahead of the hackers salivating at our new remote work environments. Your company’s leadership has to be a part of that voice for every employee to do his or her part, providing sound bites and regular all-hands communication. Part of attaining this support from the leadership team is making sure that your leaders understand where they’re bringing value, where you as the CISO are bringing value … and, most important, how you’re working together to ensure a secure network, business continuity, and a cyber-responsible workforce.
- Your peer network: Although IronNet personally (and coincidentally) conducted pandemic tabletop exercises last year, we didn’t have every element of the plan figured out to a tee. No one does. Therefore I encourage everyone to reach out to peers. Overconfidence can be a liability in cybersecurity, where everyone is trying to prove themselves smarter than the other. CISOs who think they are untouchable will leave themselves and their organization open to all sorts of breaches.
No one should be afraid to ask for input and advice. We must continue to learn, especially in the current environment. Even if you think your business continuity plan is flawless, no plan is validated as foolproof upon its initial, real-world contact. Being a hero means reaching out to your peers instead of going it alone.
A startup company with “300 offices”
Looking ahead to 2021, I find it hard to believe that remote work environments will simply flip back to pre-pandemic operations now that many have seen it can work. In the case of IronNet, we are now a startup with “300 offices.” My colleague Melissa Logsdon outlines in “Building cyber citizens in a remote workforce” ways for remote employees to be hyper-aware and vigilant when it comes to their home networks and at-home practices such as downloading browser extensions.
Behind the scenes as a CISO, I can say that it’s critical to have an always-on line of contact for employees to report any suspicious activity, especially as phishing attempts and Business Email Compromise (BEC) activities become more and more rampant. To me, and to everyone else in enterprise security, there is never a stupid question. We must encourage employees to engage at all times, both now and as we plan for post-pandemic operations to balance the new norm.
Want to learn more? Watch our “5 Ways to Prepare Your Network for the Post-Pandemic New Normal” webinar on-demand.
*** This is a Security Bloggers Network syndicated blog from IronNet Blog authored by George Lamont. Read the original post at: https://www.ironnet.com/blog/the-key-to-securing-your-post-pandemic-network