While some IT leaders are still in the midst of responding to the impacts of COVID-19, many are starting to assess their initial response and navigate how to balance innovation with business continuity. But every CIO is also thinking about how to emerge stronger from this crisis, and how to safeguard privacy and trust while addressing an increased risk of new security threats in an ever-changing world.
In this series, we’re exploring how the CIO can help ensure business continuity through three different lenses: employees, critical business processes, and data assets. In this third post, the focus is on protecting data assets.
The reality is that cybersecurity risk increases during and after a time of crisis. Bad actors take advantage of the disruption, so IT teams must resist the temptation to ease up on security requirements when taking fast actions, such as equipping a newly remote workforce. In fact, the Neustar International Cyber Benchmarks Index shows that in March 2020, most threats grew more than average, but social engineering emails grew the most.
Just as new threats appear in crisis, recovery will offer up another unpredictable set of threat vectors, as well as opportunities. Security is foundational, but IT shouldn’t (or, depending on the industry, can’t) ignore transformational activities. Digital transformation tends to increase the digital footprint of a company, but at the same time, new technologies that have integrated security models and leverage machine learning can allow companies to innovate while also improving security and privacy.
Workday Chief Security Officer (CSO) Josh DeFigueiredo says, “Risk management is a continuous process as the threat landscape is ever evolving. COVID-19 introduces new risks and changes the severity of existing ones. Having a strong partnership between the office of the CIO and CSO is critical to making transformational changes that enable productivity without exposing the company to undue cyber risk.”
The CIO, CSO, chief privacy officer, and IT teams must develop the ability to stay ahead of new threat vectors to ensure security of their organizations’ IT assets and continuous data safety. During the initial response to a crisis—any crisis—the IT organization needs assurance that the systems they rely on are built on a foundation of trust. They also need to know that those systems will offer the ability to increase security and provide continuous visibility and proactive measures to assure ongoing data privacy. But for an IT organization in recovery mode, what are the best practices? Based on our own experience and our conversations with customers, we recommend:
Involving the CSO and other leaders in joint business-IT planning to assess and address how the company’s risk profile may have changed following the crisis, and whether there are any new or expected regional, global, or industry regulations that might be put into place. This is also an opportunity to talk about any potential changes to the types of data the business will need to keep.
Preparing for the impact of new data privacy, business continuity, or security process regulation across the business or IT landscape. This includes inventorying the business systems that house critical data and ensuring that capabilities exist to align with upcoming regulatory requirements.
Continuing to educate the workforce on new security threats and ways to mitigate them. This continuing education needs to include why it’s critical to keep a vigilant security posture, even when firmly headed into recovery.
Here at Workday, we make security and data privacy the highest priority in how we deliver our service. Our Workday service has many built-in capabilities to help security teams continuously identify, monitor, adjust, and strengthen the security profile of their tenant and the governance around access and data privacy. Across all areas of security—multi-factor and step-up authentication, always-on, auditable user, domain, and role-based security, in-depth security reporting, and data scrambling for learning, testing, and support—Workday offers multiple tools for continuous security monitoring and control.
As DeFigueiredo says, “The importance of prioritizing cybersecurity is constant, regardless of external circumstances. Continuous evaluation of one's threat landscape and risk appetite, coupled with the ability and willingness to pivot accordingly, is paramount.”
Read the first article in this series, “CIO Leadership and COVID-19: Supporting a Suddenly Remote Workforce,” and the second, “CIO Leadership and COVID-19: Ensuring Critical Business Processes.” For more guidance on navigating the challenges of COVID-19, visit our resources page.