Suits The C-Suite

(Second of two parts)

In last week’s article, we highlighted the challenges of cybersecurity in terms of remote working, identity and access management risk, physical security and data privacy. In this second part, we will focus on cybersecurity management and discuss additional challenges that require recalibrating traditional security for the remote workspace; potential analyst disruption; the pandemic’s impact on cybersecurity budgets; and reassessing the cybersecurity function as we adjust to the new normal of business.

Global and larger Philippine companies, in general, have been able to ride out the storm more comfortably than smaller companies. While recent news of a vaccine is a welcome development, many organizations still expect the current working protocols to continue at least until the end of 2021. For the chief technology officers (CTOs) and chief information security officers (CISOs), this means that budgets will be affected as the full risk impact is assessed.

Companies will continue to engage in projects designed for effective remote working and are expected to invest more on network upgrades, mobile devices, cloud applications and infrastructure. Budgets around these areas can therefore be reasonably expected to increase.

How the pandemic affected cybersecurity management varies according to organizations’ size, geography, and industry. Small- and medium-sized companies noticed the impact the most, with higher network and staff disruptions, as well as a disproportionally higher number of cyber threats such as phishing, malware, ransomware and zero-day exploits. Large companies have faced remote-working challenges but, perhaps unsurprisingly, have been more resilient to cyber threats.

The cybersecurity team needs to adapt quickly to the dynamically changing threat landscape. It needs to be more proactive in identifying new threats and detecting attackers. The traditional security solutions, such as firewalls, threat monitoring software, vulnerability management tools and identity solutions may need to be recalibrated to address the new working setup in the enterprise.

An EY research study conducted during the pandemic confirms that the COVID-19 crisis has caused significant disruption in day-to-day security operations, particularly with enabling remote working. It is a mixed picture, but the research shows that what most leaders seem to agree on is that day-to-day security operations have been disrupted, almost a third (29%) saying significantly so. Remote-working support was the biggest challenge (71%), followed by budget restrictions (41%), network overload (40%) and reduced staffing levels (37%).

Indeed, during the total lockdown when physical movements of employees (including cybersecurity professionals) were very limited, providing 24/7 operational support from remote locations remains a formidable challenge for many CISOs. For example, additional privileged workstations were configured and deployed for a more secure remote connection by system and security administrators. Physical security of the work areas of these privileged users were also required and at times supported by companies.

Many CISOs also learned to be prepared for any disruptions in the security operations caused by the unavailability of a security analyst becoming unavailable either due to home network or health issues. It becomes a real concern for CISOs when one or two analysts contract the virus and become indisposed for a long period. A viable plan to address reduced staffing levels should be ready and implemented immediately as required.

Considering that incidents of phishing and other threats like malware and ransomware are on the rise, CISOs should increase focus on the people side of cybersecurity. A well-designed security awareness campaign that includes webinars, periodic advisories, as well as directed phishing tests should be continuously implemented to address this risk.

Disruption is definitely happening, and with respect to budgets, change is expected to happen fast. In the same EY research study, 79% of respondents expect cybersecurity budgets to be impacted within the next six months if not sooner (21% believe “immediately”), though not all think budgets will be cut. As many as a third (32%) think that investment will increase or at the worst, stay the same (24%).

Identity and access management and data protection and privacy are considered priority areas for an increase in spending. Additionally, outsourcing is being considered, notably for data protection, privacy, risk, compliance and resilience.

A majority of businesses surveyed in the EY research study are considering (or would consider) outsourcing security operations as part of their cybersecurity strategy. The findings tend to be consistent across geographies, sectors and roles, although there is a bias within smaller companies to prioritize security operations as well as architecture and engineering. Interestingly, there is a marked difference between CISOs and CTOs in their attitude toward outsourcing security operations: 44% versus 81%.

Following the COVID-19 pandemic, should we expect any more longer-lasting or even permanent changes in cybersecurity strategy and approach? Certainly, some security leaders expect their function to become even more important and visible at the board/executive level. Some Philippine companies are starting to step back and reassess their cybersecurity posture as they become accustomed to the new normal of business operations.

With the introduction of surveillance mechanisms (such as mobile apps) to track and manage the virus vis-à-vis the ongoing DoLE and DoH requirements to collect health details of employees and customers, data privacy will further increase in value and importance.

In a related survey by PSB Research of 1,000 US consumers (April 2020), the findings suggest that consumers are especially reluctant to surrender their personal privacy, regardless of the challenges posed by the pandemic, and similarly are not convinced that any such engagement will be for their own good. While the survey was done in the US, similar public sentiments may emerge here judging from recent advisories and activities by the National Privacy Commission on the use COVID-19-related personal data.

As we emerge slowly into a post-crisis world and a new normal, it will be interesting to see if the cybersecurity teams’ predictions of an elevated status will come true and are to be embedded beyond the short term. While this is yet to be seen, it is evident that there has never been a better time for CTOs and CISOs to demonstrate their mettle and validate their deserved place in the C-Suite.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views reflected in this article are the views of the author and do not necessarily reflect the views of SGV, the global EY organization or its member firms.


Warren R. Bituin is the Technology Consulting Leader of SGV & Co.