Not long ago, most business was conducted within the confines of office walls, that is, until 2020. This year, work as we know it evolved practically overnight, as employees went home with company cell phones, laptops and information, and many have yet to return. More than ever before, companies must rely on their people to secure any work-related technology and trust that corporate data and information are safe. But should they? And is their current security strategy adequate?
To find out, we talk to Kory Patrick, Risk & Security Solution Executive at TEKsystems.
Security magazine: What is your title and background?
Patrick: I’m an information security solution executive offering more than 20 years of experience in designing, developing and managing global cybersecurity programs in both public and private sectors. I’ve led global counterintelligence and cybersecurity investigations leading to the identification of nation state, financial, terrorist and insider threats. I have provided advisory and consultative services leading to the implementation of identity management solutions, security operations, compliance programs, control frameworks and testing within cloud, on-premise and hybrid environments. My clients range from small businesses to global organizations, including 18 of the Fortune Global 100.
Security magazine: How has COVID-19 exposed and challenged companies’ security measures?
Patrick: Early on in the pandemic, a lot of organizations struggled because of what I would call a lack of maturity around identity access management. Many were experiencing hiring freezes because they couldn’t remotely onboard or provision access the way they needed to. Although some of that has alleviated and adapted, the reality is a lot of organizations did not build out infrastructure to support 100% remote. Good plans and strategies were in place but not tested for the load that we’re experiencing today. The other piece—security is about control. What can we wrap our arms around? What can we harden? Now the variable of remote work and devices beyond a company’s control—it can be unnerving.
Security magazine: How has 2020 evolved the cybersecurity industry?
Patrick: Security has always had a focus on tools and technology. Sometimes an organization is woefully behind or underfunded, which creates an emphasis on tooling—not the security strategy and what the tool is trying to accomplish. 2020 has evolved our thinking into prioritizing the “process” piece. Figure out how your tools and technology align to your strategy, not the other way around. A lot of times, we walk into an organization that has four or five tools that do the same thing. That’s not simple or sustainable.
This has also shown that security and protecting data is a community effort. We’re only as secure as our partner or who we share our data with. 2020 has put an emphasis on investing in processes, controls and structure to be compliant. Aligning to security control frameworks such as NIST or ISO, investing in enterprise-level certifications, third-party risk programs and ensuring regulatory compliance will be even more of a competitive advantage moving forward.
Security magazine: What are your predictions for 2021?
Patrick: Remote is here to stay—identity is your new perimeter. If you relied on your physical perimeter as your security posture, that’s been eliminated. There is no perimeter to protect anymore. You must ensure that at any given moment wherever your data is, the right people or services or partners have access to the information they need—nothing more, nothing less. Organizations have not invested in protecting identities. When you think about some recent breaches, they’ve occurred because someone still had credentials they shouldn’t have and knew exactly where information was. To me, that emphasizes having a well-thought-out identity strategy; investing and implementing has never been more important. If an organization does not have a mature identity access program, that should be an area of focus for 2021.
Security magazine: What is your advice for companies striving to secure their greatest asset, and now, potential vulnerability: their people?
Patrick: The good news? It’s been proven that we can do this. From a business perspective, we can work remotely. Is it optimal? No. Is it hard on the psyche? Absolutely. Have we introduced an entirely new vernacular in 2020? “You’re on mute.” Yes.
To me, this all can be positive. We started to embrace and overcome these obstacles. Besides implementing a strong identity access and management program, now we need to think bigger and longer term with our remote workforce. Organizations need to bring more automation and process into how we provision and deprovision access to people. Have more emphasis on how we monitor incidents and logs. Understand that the unthinkable can happen; now become able to quantify impacts and move forward with data-driven business decisions.