CIA in troubled times.
Bjørn R. Watne
Global Security Leader | Board Advisor | Public Speaker | Mentor
No, this isn't the beginning of a spy novel. Nor will it be political musings on the current state of affairs in North America. With the ongoing pandemic caused by COVID19 I believe most readers will be quite familiar with the term "troubled times". This article reflects my observations and experiences around how this all affects information security, and thoughts on how to manage it.
Threats
We can all agree that information security's primary focus is the balanced protection of the Confidentiality, Integrity and Availability of information (the CIA triad), while supporting the business strategy and not being a damper on productivity. Changing with the rest of society, information security has slowly morphed into cybersecurity, reflecting the interconnectivity and digitalization that have come to influence every part of our modern lives. No one will dispute that change is happening fast these days, but I will argue that we have still had some sort of control over the situation.
Then a new version of a well-known virus comes along and throws a monkey wrench into the whole thing. Not too distant from what certain large enterprises have been experiencing with computer viruses over the last decade. But this time nobody is spared. It affects all of us. Within weeks, society as we knew it was flipped around, and we all found ourselves going full-on digital.
Strange times for sure. Challenging times – absolutely. Troubled times? Oh yes, I'll say there are plenty of things to worry about. But as with most things in life there are two sides to every coin, and hope is to be found where there is misery. Let's start by looking at the challenges. Going back to the fundamentals of the CIA triad, I'd like to discuss what I've seen of emerging threats to protecting the confidentiality, integrity and availability of information under the current special circumstances.
Confidentiality. Perhaps the holy grail of the three. Absolutely the one being discussed the most, and often the one causing the most friction between security and business. Salesmen and marketers alike get starry eyes when faced with the endless opportunities Social Media, Big Data and Artificial Intelligence could provide in terms of predictability, market dominance and increase in revenue. A trend, though, is that most people have over the last few years become more interested in their digital presence and identity – which in turn has made restrictions due to confidentiality and privacy more accepted and understood. There are certainly miles to go here as well, but at least nowadays fewer people have a password that is the name of their cat.
Has anything changed? Yes and no. No, meaning confidentiality is still as important as it ever was. But definitely yes, looking at how we go about securing it.
Going to work at an office, there are lots of controls in place to ensure confidentiality. Burglar alarms on doors and windows; security cameras watching the perimeter; different areas with different security levels, only accessible to those with the right clearance. Each person moving around inside an area where a certain type of information is being accessed has been screened, vetted and authenticated upon entering. Working remotely from an undisclosed location, all these security controls have been removed. We no longer know where the information is being accessed, and we don't know who's present while it is being accessed. This means that we at this point have a much lower degree of control over who is accessing the information.
Integrity. Having worked in finance for almost a decade, I know a lot of people who have no problem at all putting a value on the integrity of information. Integrity, however, is not something exclusively linked to financial services, even though a wrong number in the wrong place here could mean millions in losses. In the pharmaceutical industry, for example, a similar mistake could mean the difference between life and death. Luckily, people are usually diligent at their work. Over the years we have also developed well-tested processes, and there is ever-improving technology in place to further reduce the risk of making mistakes.
Has anything changed? Again, I would argue yes and no. No, in terms of processes and technology still being readily available. Yes, because people tend to become less diligent working from home.
I'm sure you have all seen examples of people on video calls wearing shirts and no pants. To me this is a perfect illustration of the Rhythm and Blues going on in a home office. From the waistline up, all seems kosher and in a steady rhythm, while under the table the blues is literally playing your pants off. When working from home, you've been removed from your "work state". The line is blurred between the professional you and the personal you. The you that you are paid to be, and the you that grew up teasing the neighbor's cat with a water pistol. I don't hold a degree in psychology, but having come of age I believe I at least know a thing or two about myself. I for one can honestly say my mindset does change when I leave the office and loosen the tie – the same way it changes coming into the office, hanging up my coat and pushing the button for that first cup of coffee.
It's not that we don't want to do well. It's not that we're sloppy or lazy. It's just that over the years we've perfected these two very distinct states of mind, and now we're mashing them together. The outcome is at times unpredictable, and unforeseen mishaps can and will occur (remember again the person with shirt and no pants).
Availability. This is an interesting one. Go back 15-20 years and most people placed in newly created CISO positions had one of two backgrounds: police or military. Coming from a very physical world of security, the approach was often to put as much red tape as possible around the information, keeping it locked down and confidential. Availability was at that point more often an "enemy" of information security than a part of it. I'm glad to say we've come quite far since then. Nobody would like to have their obituary read: "Died because the patient's records were kept confidential and unavailable to the first responders arriving at the scene of the accident."
Has anything changed? Big yes! Everything has changed here. At the office there are multiple networks entering the building, providing redundancy and fail-over for the connection to the Internet. Huge generators are standing by in the basement, ready to crank up the voltage should the main supply of electricity for some reason give in. Problem with your workstation? IT's just a quick shuffle away, ready to supply you with whatever backup you need to get you up and running again in no time.
But what's the situation at home? Is the company's quarterly financial reporting suddenly competing with a teenager's consumption of Netflix and Minecraft over who gets the available bandwidth? And the laptop on the kitchen table you just turned your back on while getting a cup of coffee? Now it has half a bowl of porridge stuck in its keyboard due to your toddler's misfortune, trying to get to the stuff without assistance. Have you got a backup readily available?
With the current pandemic being a global situation, it's also important to remember that this doesn't just affect one part of the world. While working from home might be widespread in some societies, it can be close to non-existent in others. Availability and quality of infrastructure is also something that varies a lot. It's not necessarily the case that associates working for your offshore partner even have a broadband connection to the internet at home – much less a personal computer. What to do then, when working from the office is no longer an option?
Opportunities
People, Processes and Technology. Another triad well known to information security professionals. For a more positive take on the situation I'd like to go through these three as well, concluding this article.
People. People represented the most important dimension in information security before COVID19, and they are even more important to address now. To uphold the desired level of confidentiality and integrity, it's imperative to have the people on board. Available controls have diminished severely, and education and awareness for each individual employee is of the utmost importance to mitigate this loss. People do however seem to react very positively to guidance in uncertain times, so there is an opportunity here to build something solid from the get-go. But it requires setting a standard quickly, and sticking to it. Scope creep here should be unacceptable. Formal communication is also more important than it ever was, as all the informal arenas like standing around the coffee machine or sitting at the lunch table have disappeared. To keep familiarity, adherence to strategy and company culture, management must focus a lot more on creating and upholding arenas for communication.
Processes. While not affecting confidentiality or availability as much, working with processes can do wonders for integrity. Checklists, sign-off sheets, the four-eyes principle, requirements for documentation and arenas for reporting are examples of controls that help reduce the occurrence of mishaps and mistakes. When someone's no longer always at your shoulder, creating that virtual shoulder becomes all the more important. The strength in numbers we usually experience at the office must find a way to follow us out to our remote locations. Adapting our way of collaborating, from sitting in the same location to sitting in separate locations, should be placed high on any company's agenda. Looking at Charles Darwin's research, we've got ample evidence that this isn't something we ought to do – it's something we must do – if we want this to work in the long run. Early feedback does however show an increase in productivity for some functions when working from home, so there seem to be opportunities here as well.
Technology. Finally, technology is absolutely an important dimension to address in overcoming the many challenges of the current situation, in terms of confidentiality, integrity and availability alike.
The perimeter has clearly moved away from the office and out to each separate device that's connected to the company's network. The traditional way of looking at security, by putting up high walls and placing anything you wanted to secure inside, is now completely irrelevant. The frontline today is in hundreds of kitchens, basements, bedrooms, garages and what not, running on a variety of different carriers and technology. Fortunately, the industry has already made huge advances in technical security controls. It's all a matter of acquiring the right competence to make the right choices and implement the right technology.
Opportunities. They do exist even in troubled times. As argued above, there are certainly a handful of challenges to manage, but having worked from home for the past months I don't find them impossible. I've found that going about work in the usual manner seems to yield good results, as long as we are conscious of and pay attention to the special circumstances.
In the times that lie before us, success will rely on getting every employee – manager and subordinate alike – up to speed on what has changed, and how we need to change with it. Business processes will have to change as well, to accommodate new ways of working and to mitigate new risks. Lastly, our jobs and how we go about them need to be adequately supported by the right use of the right technology.
I firmly believe that only then, using a holistic approach encompassing people, processes and technology, will we find safe ways to navigate these uncharted waters.
Bjørn R. Watne
SVP, Head of Group Security (CISO) - Storebrand Group
Machine safety expert and cybersecurity coordinator for movable bridges
4 years ago: Very interesting read and a well-written article Bjørn. Also, in the case of this particular "teenager", work isn't competing with Minecraft on bandwidth, they are sequential :-)
Senior Security Executive at Verizon
4 years ago: Nice work Bjørn...
Helping people stay safe online / Co-founder at Secure Practice
4 years ago: Interesting idea about that virtual shoulder! And very good point about the importance of communication and how people actually become more receptive in uncertain times. Building mutual trust and risk understanding in parallel is more important than ever before. Great opportunities here!
Manager at The Guernsey Institute - TGI College
4 years ago: Great article Bjørn, nailed the issues and opportunities!
Information Security | GRC | Security Awareness | Managed Security Services
4 years ago: Good one. Locking the screen became more important than ever, especially with toddlers around :)