A Cybersecurity Stress Test
The current situation is giving rise to new work habits—rather hastily, in some cases. Many companies have been forced against their will to accept these new habits, which encourage faster and more flexible work dynamics while at the same time generating certain security risks. How should a company’s cybersecurity manager approach this problem?
Enrique Dans, Professor of Innovation at IE Business School and Senior Advisor for Innovation at IE University
There are various reasons for the failure to anticipate the current situation, including our longstanding obsession with presenteeism. Many companies never bothered to set up secure connections with the outside world because they never imagined that employees would work from anywhere other than the office. The consequent dearth of protocols, practices, and tools for setting up minimally secure information channels makes organizations extremely vulnerable.
As companies scramble to set up previously unimaginable remote-work practices while navigating policies that, under the present circumstances, essentially prevent employees from connecting to their systems, cybersecurity managers have a clear responsibility.
All signs indicate that the coronavirus crisis will redefine how people work in organizations.
Technical and psychological profile
What is the ideal profile for a corporate cybersecurity manager? In today’s constantly changing environment, the most important requirement is up-to-the-minute knowledge. A cybersecurity manager has to be able to deploy the appropriate tools and technical know-how to address emerging threats. Unfortunately, many people currently working as cybersecurity managers lack this essential qualification.
Beyond technical skills, there are also various characteristics that are “desirable”—though not strictly required—in a cybersecurity manager. The candidate’s psychological profile is an important factor. Beyond the controversial matter of social engineering, there is another key characteristic: empathy—the ability to perceive, share, and/or infer the feelings, thoughts, and emotions of other people. In the realm of cybersecurity, empathy is fundamental.
Cybersecurity is not merely about dictating rules and implementing tools. Cybersecurity managers have to know and understand the people whose activity they are supervising, especially since knowledge levels tend to vary widely within an organization.
In reality, cybersecurity managers must do much more than simply prevent intrusions and information leaks; they must also ensure that everyone in the organization has access to the information they need to do their jobs.
Promoting new habits
But the role goes even further than that. Cybersecurity managers have to spread the word about new habits. For example, they should encourage the use of a password manager to save employees the trouble of memorizing increasingly complex and constantly changing passwords (or writing them down on scraps of paper where anyone can see them).
Similarly, two-factor authentication systems can give rise to various problems if people are not properly trained to use them. If not managed properly, these sorts of situations will lead to frustration and loss of productivity.
The current situation is clearly a stress test for your company’s cybersecurity. If your protocols prevent employees from doing their jobs normally, you may be preventing intrusions, but you are neglecting the other half of your mission, which has always been important but is absolutely crucial under the current circumstances.