For those unfamiliar with the term “Forcing Function,” it’s any task, activity or event that forces one to take action and produce a result. There’s no question that as of late we’ve been pushed into a global forcing function with how we globally respond to the COVID-19 event currently unfolding.
We’ve seen (especially in the last year) companies continuing digital transformation, whether it be adopting more cloud services, migrating to distributed infrastructure or preparing for a more mobile workforce. The reasons for digital transformation are generally ascribed to: business value such as growth, operational efficiency, faster time-to-market and ultimately, and increased profits. One cause for caution during digital transformation is that introducing new technologies create gaps in defenses which require careful planning to minimize risk before rushing headlong.
Now suddenly, that’s all changed.
COVID-19 is the new forcing function due to the rapid implementation of a default work-from-home environment. Traditional security infrastructures with a particular focus on the firewall hasn’t gone away. But like a thousand seeds bursting from a dandelion, the security horizon has suddenly exploded, and we’ve all been forced—in some ways kicking and screaming—to move to a more distributed workforce that relies on borderless endpoints and other technology not protected by traditional firewalls and physical defenses.
Security strategy historically lags behind new technology adoption. The Internet itself was architected with an eye to resilience: get this packet from this system to that other system by any route possible. Similarly, cloud offerings were brought to market with promises of flexibility and cheaper infrastructure. And, consumer-grade mobile devices were incorporated into business functions. None of these examples debuted with more secure services. The need for new security measures came when threat actors stormed the gates.
As we are forced forward into our new reality, I strongly urge you to think now about the new processes and mechanisms required to secure it. This doesn’t mean we can ignore the previous methods in place; there’s still a need for components such as strong firewall policy, identity management, endpoint patching, vulnerability scanning and VPN access.
But we need to consider what this “new normal” requires to continue with a rigorous security stance and to prepare for edge cases we’d not considered before. For example, even if you have a well-defined incident response plan in place, fully documented within playbooks with tabletop exercises performed every quarter … how would you be able to affect a proper incident response scenario if nobody is in your office? If you had to create a forensic copy of a system implemented in AWS, do you have the proper credentials and process in place to perform this?
It’s a brave new world of digital transformation. We best respond to it by quickly assessing our exposure and making sure that we’ve maintained the same depth and breadth of information security coverage and update our policies, processes, and procedures appropriately.