The role of the CISO in the Covid-19 era

Cyber security specialists discuss how the pandemic has affected their sector.


The coronavirus pandemic has changed the way people live and work. With new office structures, many of them home-based, come new challenges, including managing the evolving threats attached to technology.

For the most recent Spotlight report on cyber security, we collated the insights of different chief information security officers or people in similar roles. Here is what they had to say.

Becky Pinkard, chief information security officer at Aldermore 
Financial service concerns as they related to our Covid-19 response were very similar to those experienced by all tech-driven companies around the world – how to relocate entire teams of people to working from home conditions that were functional, secure and worthy of an “office-like” replacement, yet for an unknown quantity of time. Our response was driven in multiple ways – in some circumstances it meant sourcing kit for entire teams to be able to work remotely and in conjunction, teaching them how to work remotely, efficiently and securely.

Our challenges meant we leant heavily on our communications IT, data protection and security teams to work hand-in-hand across these various departments. There were additional regulatory oversight considerations that factored into every move and process change, mandating detailed tracking and reporting of the risk landscape as it evolved through our response.

Lastly, an increase in attacker-led targeting of individuals across each facet of possible Covid-related fraud you could imagine meant that we were kept constantly on our toes, again tracking and informing our users of the latest possible way we could be attacked as a company or even themselves in their personal lives.

Graham Ingram, chief information security officer at the University of Oxford
A university is a collection of great minds; the progress of knowledge is partly enabled through a non-conformist culture. This culture can also extend to the past development of bespoke information communications technology. Now mixed with recent commercial systems, this sets the conditions for the cyber challenge.

Add Covid-19 and the challenge just became more significant. It is a remarkable feat that universities switched to remote working so quickly; IT staff moved mountains to mitigate disruption in the delivery of teaching and learning.


This complex ICT landscape is a considerable threat surface. The older the services, the less cost effective the security. In a largely Bring Your Own Device (BYOD) organisation achieving zero-trust networking is challenging. However, ambitious targets are needed and strong security principles applied. Research of global interest needs to be secured and shadow IT usage reduced. Academia must prepare for a near future of higher security and privacy expectations from donors, research sponsors and collaborators.

The near-term security challenges of our new normal are yesterday’s worry. An opportunity now presents itself, with a new appetite for transformation, to develop conformity to emerging IT standards and security expectations. This reduces the risk of a breach causing reputational damage, generates trust in the protection of research, and preserves academic freedom. 

Jaya Baloo, chief information security officer at Avast
The antivirus (AV) industry had to adapt quickly to a significant increase in the volume of attacks, from phishing to ransomware to stalkerware. For instance, in the UK our detection of stalkerware rose 83 per cent between March and June this year. But the industry also had to adapt to the changes that attackers were making as a result of Covid-19.

We have seen financially motivated attacks from state actors, not just opportunistic cybercriminals, which is interesting because state actors are not usually in it for the money, they tend to focus on attacking one another. So, as volume increases and attack types and motivations evolve, the security industry must understand and act on this if it is to get better at detection.

A challenge that we are concentrating on right now is business transformation. Specifically, how we transform digitally, how we transform organisationally with new working arrangements and how we transform technologically with our infrastructure setup, our approach to innovation and visibility over the large quantities of log information and threat intelligence data we have. There are cyber security challenges that come with each, but this is where Covid-19 has had a major impact. It has been a catalyst for organisational change.

Councillor Peter Fleming, chair of the Improvement and Innovation Board at the Local Government Association
The work of councils has never been so vital to the most vulnerable in our society, and the digital communications and services that they use have never been so critical to our efforts. From video conferencing and new data sharing, to the digitisation of public meetings, local government’s response to Covid-19 demands continuous and accelerated digital innovation.

But despite the crisis, cyber threats have not gone away, and many criminals are using the current situation as an opportunity to extort ransoms. When combined with the increase in vulnerabilities brought by distance working, new partnerships, and our increased reliance on digital services, this means that the risk associated with a cyber incident is greater than ever.


Ten years ago, cyber security was a niche technical topic; something only the IT crowd had heard of. Today it is something that every senior manager and leader in local government needs to understand. The reason for that is that the last decade was the first since the Second World War that civil institutions in the UK came under regular attack from foreign actors.

That’s a remarkable change in the context within which our 1.4-million-person workforce is operating. To mitigate the cyber security risks that come from this brave new world, local government must – like everyone else in the public sector – invest in the upskilling and awareness of our people. The LGA remains committed to being part of that effort.

This article originally appeared in a Spotlight report on cyber security.
