COVID-19 has been an unprecedented event, causing organizations across the globe to rethink overnight how they work. We recently spoke to four security leaders about how they’re navigating the business impacts of COVID-19 and asked them to share their best practices.
Meet the panel:
Chris Merkel, Senior Director for Cybersecurity Operations, Northwestern Mutual
With more than a decade of experience as a senior security leader, Chris is responsible for DevSecOps and counter-threat teams at Milwaukee-based financial services organization Northwestern Mutual.
Dave Farrow, Senior Director Information Security, Barracuda Networks
Responsible for leading and influencing security strategy across the company, Dave helps protect digital assets at security, networking, and storage specialist Barracuda Networks. He also leads the company’s initiatives in evaluating, identifying, and reporting on information protection and security risks while driving resolution, response, and mitigation.
Eric Johnson, Chief Information Officer, SurveyMonkey
Eric oversees the IT vision and roadmap at cloud-based survey company SurveyMonkey. He drives priorities such as security, data infrastructure, business intelligence, and enterprise tools that maximize efficiency.
Harshil Parikh, Head of Security, Medallia
With more than 15 years’ experience as a security practitioner, Harshil is currently focused on the democratization of security at customer experience management company Medallia. He helps ensure the scalability and effectiveness of the secure product development lifecycle, DevSecOps, monitoring, and incident response.
Tip 1: Protect your employees
With remote work no longer just an option but a necessity, our panel unanimously agreed that the most important responsibility of security leaders right now is to look after their people so teams can continue to work productively and securely from home.
From an IT security perspective, this means protecting employees from the increase in phishing and spamming attacks. “Organizations around the world have just engaged in a broad-scale zero trust experiment, with the entire workforce operating in unknown environments all day long,” explains Dave. “To ensure employees don’t become unwitting victims, organizations must have in place email security, endpoint security, and a comprehensive access control program that includes multi-factor authentication.”
Tip 2: Put people first
Security shouldn’t be the only concern for leaders – team health and well-being must also be prioritized in the current environment. “For SurveyMonkey, productivity isn’t tapering off and people are actually working longer hours, but they’re also under additional stress,” comments Eric. “People are our most valuable asset and keeping them healthy is now more important than ever before, but also much harder. We might be used to leading from a technology perspective, but it’s time to switch to a people-first mode.”
This can mean paying attention to aspects of employee well-being that are usually taken for granted. For example, our panel agreed that ergonomics is an important factor to take into consideration, and panelists have made stipends or discounted deals available. “We don’t want staff working from the sofa with their laptop on an ironing board!” says Chris. “We’ve partnered with an office equipment specialist to offer discounted products to make sure our staff are safe and comfortable in their working environment.”
It’s also important to bear in mind that there’s no one-size-fits-all for employee health and well-being, as Harshil reminds us. “In the US, we’re generally lucky with large houses and plenty of space, but this isn’t always the case in other parts of the world. Some people will struggle to work productively from home, and it’s important to take this into account when putting solutions in place.”
Tip 3: Ramp up communications
Another vital factor in employee satisfaction is maintaining consistent communications. “We’ve established new patterns for the current work environment, which has meant increasing team meetings from once a week to every other day, to help keep everyone aligned and on track,” says Harshil. “But you need to be cautious not to overwhelm people. We’re trying to retain a balance, so they can continue to focus on their work as well.”
Eric recommends conducting regular surveys to check in on people. As he explains, “We’re sending out a pulse survey every two weeks to get feedback from the company as a whole. It helps us understand how people are feeling and the support that they need.”
It’s not just about formal contact, however, but also replacing those casual water cooler conversations in the right way. “Although colleagues need to continue to chat, we’ve found that it’s not something that works from a top-down mandate, as people are already working around challenges such as childcare,” advises Chris. “It’s better to have organic happy hours and trivia sessions.”
Tip 4: Regularly revisit your processes
While people are priority number one, and technology is of course essential, process is the third pillar that is vital for resilience and retaining productivity in the new working environment. “We’re putting lots of time and energy into ensuring our processes are rock solid,” affirms Eric. “Whether it’s incident response or user support, we’re constantly revisiting our processes as things change to ensure nothing falls through the cracks.”
Tip 5: Document changes and decisions as they’re made
With massive organization-wide changes being made rapidly, the only way to keep on top of things is to ensure every decision is documented. “When the dust settles it will be important to go back and review what happened so you can evaluate changes in a calmer light and adjust them as necessary,” explains Dave. “The systems being put in place are likely to last for the foreseeable future and you probably won’t get them all completely right the first time; so leaving a trail of breadcrumbs will help you shore up the changes as you have time.”
Tip 6: Continue to leverage the changes that work
Although many of the transformations made to cope with COVID-19 weren’t meticulously planned in advance, some of them have undoubtedly delivered benefits, and there’s no reason why they shouldn’t remain. In fact, in some cases, you might find employees are reluctant to go back to the old ways. “Now that it’s clear that virtually all of our business functions can operate remotely, it’s likely that the capability for remote work will remain available,” comments Dave.
Embracing remote working doesn’t just impact existing employees, however, but also the way in which organizations recruit and onboard new talent, particularly in areas where security skills are in short supply. “Remote working has proven itself, so there’s less pressure for the security team to be local,” adds Dave. “As a result, we can take advantage of a much wider pool of talent, which will help us optimize security throughout COVID-19 and into the future.”
While addressing COVID-19 has no doubt been challenging, it’s also enabled organizations to learn important lessons that will benefit them in the future. We hope the advice from our security leaders will help your organization stay secure and productive in these difficult times.
To find out more about how Bugcrowd can help your organization stay secure through COVID-19, go to https://www.bugcrowd.com/try-bugcrowd/.