The CFO as Security Decision Maker in Times of Crisis
As business continuity became threatened by remote working, security became a financial issue.
The COVID-19 pandemic has forced a major shift in working practices across the globe, putting the onus on companies to rapidly relocate staff to home offices and switch to remote working solutions. Nathan Howe, Director of Transformation Strategy at Zscaler, examines the unusual consequences that this has had for financial services.
The movement of all employees to home offices may be the most visible impact of the virus on organisations, but behind the scenes, and at the highest levels of organisations, there’s been a distinct reallocation of responsibility. Although an overused phrase at this point, these are unprecedented times, and have called for unprecedented actions from businesses to ensure business continuity.
Although these changes have spanned the breadth of managerial and executive levels, there’s one aspect I’d like to focus on: the increased role of the finance function in cybersecurity.
Unprepared for remote working
For many businesses, when the pandemic hit, they were unprepared for this scale of remote working. Companies that had already opted not only to host data and applications in multicloud environments, but also to adapt their security and remote access infrastructure to meet the needs of a modern mobile workforce, had the least difficulty coming to grips with the new situation. These were in the minority, however, and many sectors, including financial services, felt the pinch on their historic resistance to cloud adoption.
Companies operating in this more conventional way would, at best, probably have planned for no more than one-third of their staff to work from home on a temporary basis at any one time. In this unforeseen situation, however, bottlenecks quickly developed as a result of a massive increase in data traffic. This flood of data pushed the traditional hardware- or licence-based infrastructure for remote access to data and applications to its limits.
As these companies placed their security technology at the perimeter of their network, all of the data traffic from the remote workers’ home offices had to be diverted through the data centre before users could reach their applications, which created a less-than-ideal foundation for a positive home-working experience.
Although one would imagine that all these issues would land on the desk of the IT team or the CTO, the reality of the situation was that, as the scale of the issues affected business productivity and continuity across entire organisations, they became a blockade to essential cash flow for businesses, quickly becoming a matter for finance.
Functionality vs. security
What we saw across the earliest period of lockdown was a cost-effective approach to cybersecurity that was driven by the finance function. During the search to identify the factor holding companies back from high-performance remote working, blame fell on the firewalls or remote access VPNs used as perimeter-based security infrastructures, or on the devices used by employees. Sacrificing these solutions would increase productivity and shore up the bottom line but penalise the organisation’s security posture.
Essentially companies were faced with a difficult choice between ensuring normal levels of productivity or providing secure remote access—albeit with frequent drops in the connection and with hardware being switched off at the bottleneck. Due to the sheer number of different devices used in the workplace, it was not always possible for companies to insist on compliance with standardised security policies across all devices.
I’ve seen for myself businesses making those security sacrifices. Essential security processes, such as SSL decryption, have been bypassed entirely to make remote working easier. These are quick and dirty fixes to increase connectivity and productivity, without addressing the broader issues around improving network architecture to facilitate better remote working standards. They may work in the short term, particularly given the speed at which connectivity had to be ensured at the beginning of lockdown. But in the long term, these “fixes” increase the risk not only to an individual business, but to all businesses. Cybersecurity vendors use the data on threats collected from customers to improve their own solutions over time, so this function-over-security dynamic has a far broader risk element.
Switching the narrative
As many of us begin to return gradually to the office, the security posture for organisations needs to be restored. The bypassing of security in favour of business continuity was, for many organisations, a difficult but essential decision during the most tumultuous periods of lockdown. What I’d hope the finance function has learned from its time with its hands on the security wheel is that they need to invest in converting their emergency workarounds into practical approaches for the future. Employees have come to value the greater flexibility of being able to choose where they work and as yet may be unwilling to bid farewell to the option of remote working.
Emulating those businesses that, at the outset of the pandemic, had the multicloud security and remote access infrastructure already in place would be a good place to start. The new world of work requires an approach that combines connectivity, security, and performance without making dangerous sacrifices.