
COVID-19's Impact on the Enterprise

After a long pause, I felt that it would be wise to collect my thoughts in a general commentary about the state of the industry. In particular, the shifting priorities, rapidly changing workforce, a return to a perceived normalcy, and near-future predictions.

Diverging Paths: Business & Technology 

Despite arguably ample warning, the pandemic arrived abruptly. People were sent home with little notice, or promise that they'd return, to find that remote work was going to be reality for a while. Two things arose from this: first, companies began to posture themselves very quickly to preserve profitability, and second, IT departments were tasked with supporting their entire workforce working from home. Many IT teams were also given notice that their internal priorities may be shifting. As a security engineer, the question that was often posed was: Do we need to continue on this path, or is our time better spent elsewhere? For many of us in the retail space these diverging paths quickly resulted in a mad dash to e-commerce viability, and IT buckling up for the ride.

The Mad Dash to E-Commerce

One of the biggest prioritization changes was one that many companies already were on the path towards: profitability in e-commerce. With the groundwork already laid the dash to e-commerce was expected, but it had impact. Many companies were not prepared for the quick move to cloud-first, or even hybrid, infrastructure. The past year has seen an incredible uptick in the desire for SaaS, and in certain spaces those providers were still offering on-prem solutions only. As a result one of the biggest changes I've seen is companies offering their on-prem solution rebranded as SaaS. This is most often referred to as a hosted solution, with the caveat being that there is little to no performance benefit, often an impact, along with additional overhead. These solutions often have no potential for scalability and significant downtime, but come with an increased price tag. Conversely there are new, true SaaS products making it to market very quickly to account for the tremendous increase in focus on e-commerce. Any company offering a product was forced to pivot to an online only presence as quickly as they possibly could, else risk shutting down indefinitely. Meanwhile the increase in need for new services and tools, while company profits were potentially lower than ever, resulted in a catch-22 of a huge backlog with no appetite to hire additional IT staff to account for it. Essentially product-based companies were fighting to stay relevant, while service-based companies had to scale quickly to take advantage of the increased market share. All the while everyone universally switched to a remote workforce.

Enabling a Remote Workforce

The second major prioritization shift was the move to a fully remote workforce. From the perspective of a company that already enabled this to some degree, it went better than we could've imagined. There are many options in today's world to help make this a possibility. The technology was already there, and the companies offering it were eager to increase their market share. As a result it was relatively simple to answer the how from a technology perspective. The real challenge that came forth was centered on the people. The main challenges that professionals faced: a completely new workspace, work-life balance, and, for Info Sec, the behavioral changes that came from it. Imagine having years of user behavior patterns that fit an extremely specific pattern: 8-5, from well-defined office network ranges, infrequent anomalies, and only approved peripherals. Now turn that completely on its head, and that was the impact of COVID on user behaviors. Don't get me wrong, I fully support employee autonomy and have had nothing but great experiences over the past year. Collaboration was at an all-time high, no more searching for conference rooms, or impromptu visits to someone's desk. Teamwork is dynamic and frequent, and in my experience productivity is at an all-time high. With that in mind however we found the attack surface rapidly changing. Previously predictable network traffic was now exclusively coming from VPN zones. People wanted to connect to home printers, some wire directly to modems, others went to hunker down with families out of state. Needless to say, many previously unforeseen gaps were identified very quickly. For instance public interfaces being able to bridge certain types of traffic. It was initially attractive; we can keep streaming traffic on a home network and not bog down the corporate network. Unfortunately it was not so easy; the most egregious issue being with totally unknown networks making their way into our forwarded event logs.
Many small challenges arose, and were addressed, but it was clear that much longer term priorities would and will continue to shift and evolve to the now standard "atypical" employee profile.

Eventually "Atypical" Just Becomes "A Typical", Right?

Now the pandemic is "ending", at least in the broad sense that discussions are being had about returning to the old ways, or the old ways have been abandoned entirely and the new way persists. One thing is clear: the temporary priority shift we all came up with early on isn't so temporary. Obviously one important factor with an Info Sec program is flexibility. Things change, people change, technology changes. In this case however, I think we all lied to ourselves a bit; counting on things eventually going back to normal. I'm here to say there is no normal, that paradigm has sailed. It's time to focus instead on where things are going. That requires a long look at what the business requires, and what its people require. From a business perspective, for me currently, that is going to go back to e-commerce. The move to cloud infrastructure is probably already well under way for most people. The on-prem exclusive model is no more. With it goes the whole idea of a secure perimeter, as the perimeter no longer exists. With that in mind teams need to focus resources on their most important initiatives including customer facing applications, point of sale, and data storage. Offer, require, and provide training to anyone who is willing to tackle the daunting frontier that is the public cloud (seriously, how often can <major cloud provider> possibly change core architecture components on a whim?) including development teams that will likely be the primary users. At the same time do not assume that on-prem infrastructure employees are willing and able to take on what is easily a second full time job managing cloud infrastructure. Expand teams as needed to account for this. Furthermore continue to focus on the people element. We are just now wrapping up a year and a half that proved without a doubt that productivity and collaborative efforts can reach an all time high when the right tools are deployed to enable it. 
At the same time many people prefer an in-person experience and have a need to interact and socialize with coworkers when possible. I touched on it before, but as a manager it is vital to support employee autonomy. Enable people to make work work for them, and you will get some of their best work. Behavioral analytics may have gone through significant changes, but why not take the opportunity to take a more proactive approach such as with conditional access? Hey, I want to work at 12am instead of 12pm one day, normalize expecting an MFA challenge. Empower employees to work in a way that is healthy and suitable for them, and build defenses in a way that supports that.
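The conditional-access idea above, sketched as an added example that is not code from the original post: sign-ins that deviate from the old "8-5, office network, approved device" baseline get an MFA step-up instead of a denial. The network ranges, event fields, users and the block rule are all assumptions made for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed baseline for illustration (not from the post): office and VPN
# ranges are placeholders, and 08:00-16:59 models the old "8-5" pattern.
OFFICE_NETS = [ip_network("10.10.0.0/16")]
VPN_NETS = [ip_network("10.99.0.0/16")]
WORK_HOURS = range(8, 17)


def on_known_network(ip):
    """True when the source address is in an office range or a VPN zone."""
    addr = ip_address(ip)
    return any(addr in net for net in OFFICE_NETS + VPN_NETS)


def evaluate_sign_in(event):
    """Return (decision, signals); decision is 'allow', 'mfa' or 'block'."""
    signals = []
    if datetime.fromisoformat(event["local_time"]).hour not in WORK_HOURS:
        signals.append("outside 8-5")
    if not on_known_network(event["ip"]):
        signals.append("unknown network")
    if not event["managed_device"]:
        signals.append("unmanaged device")

    # Assumed policy: only an unknown network combined with an unmanaged
    # device is denied. Any single deviation is a step-up prompt, so working
    # at midnight costs the user one MFA challenge rather than an alert.
    if {"unknown network", "unmanaged device"} <= set(signals):
        return "block", signals
    if signals:
        return "mfa", signals
    return "allow", signals


# Constructed sign-in events (documentation IP ranges, hypothetical users).
SAMPLE_EVENTS = [
    {"user": "a.lee", "local_time": "2021-06-01T09:30:00", "ip": "10.10.4.20", "managed_device": True},
    {"user": "b.ortiz", "local_time": "2021-06-02T00:05:00", "ip": "10.99.1.7", "managed_device": True},
    {"user": "c.khan", "local_time": "2021-06-02T14:00:00", "ip": "203.0.113.50", "managed_device": True},
    {"user": "d.novak", "local_time": "2021-06-03T02:00:00", "ip": "198.51.100.9", "managed_device": False},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        decision, signals = evaluate_sign_in(ev)
        print(f"{ev['user']:8} {decision:5} {', '.join(signals) or 'matches baseline'}")
```

Timestamps are treated as the user's local time; a real deployment would also need to decide how long a completed MFA challenge stays valid before prompting again.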

Where to Next?

As I said at the beginning this post is largely serving as a mental catch-up, but the main theme wound up being "things change, deal with it." With that in mind I want to wrap up with some final observations and semi-forward thinking. Continuing the focus on employees, with Info Sec teams in mind: Expect burnout and a, hopefully temporary, dip in morale. One of the unturned stones of the pandemic so far is the second wave of uncertainty caused by the "return to normalcy." Teams have worked incredibly hard this past year to make things work in brand new ways, faster than ever. On top of that it has been an absolute proving ground of a year to show that dispersed teams can and do work. The right answer is going to vary from team to team, but involve the affected people heavily in the planning and decision making. Second, do not expect businesses to return their priorities to a pre-COVID state. Many companies saw record profits after an initial slump, and e-commerce continues to dominate. While companies may expect their people to revert to a pre-COVID environment, the business is not going to do the same. So instead we must discard the notion that staying the course is an option. Info Sec priorities need to be re-assessed heavily. Whole programs may need overhauling, and it is certainly a time to look at expanding teams. The industry as a whole is extremely hot right now, service-based companies are hiring like crazy so anticipate and plan for the potential of losing highly skilled employees to new opportunities. Third, re-evaluate risk tolerances and business continuity plans. The landscape has changed drastically. If cloud wasn't accounted for before it should be now. Finally, contrary to my insistence that paradigms are dead, don't forget the basics. COVID brought with it an onslaught of phishing targeting people's fear, uncertainty, and doubt. 
Couple that with a push to e-commerce at breakneck speeds and I fully expect some very high profile disclosures by the end of the year. Consider including fraud detection and analysis as a priority in any threat detection program.


Jake Hooker
@securityhook
