CEO Chuck Robbins speaks onstage September 26, 2019 in New York City. Robbins and Jimmy Sanders, head of information security at Netflix, both noted during the RSA Conference the degree of change in security driven by the pandemic. (Photo by Theo Wargo/Getty Images for Global Citizen)
Was the pandemic a net positive or negative for cybersecurity?
On the one hand, there is no doubt the nearly overnight shift to remote work led to sometimes sloppy IT architecting that increased the overall attack surface for many businesses, quickly followed by a worrying increase in the number of new vulnerabilities discovered and a cornucopia of high-profile hacking incidents against government and industry. On the other hand, the pandemic forced companies to shed many of the legacy systems and older brick-and-mortar practices that sometimes prevent companies from implementing modern security.
It will take years for the tradeoffs to come into focus, but it’s clear that the onset of the coronavirus and the lockdowns that changed the world have created IT and security implications – good and bad – that many businesses will be dealing with over the long haul.
“We know that our employees, just by having 30 extra minutes on a mobile device, created 20% more vulnerabilities than you would have in a normal time,” said Chuck Robbins, chairman and CEO of Cisco. “But we also learned that businesses can be transformed.”
There’s no doubt executives are paying more attention these days. If cybercrime were a country, Robbins said, the $6 trillion-a-year industry would have the third-highest GDP in the world after the U.S. and China. The daily deluge of stories about the latest hacked company has both highlighted this reality and underscored the business case for greater security investments.
It’s also pushing executives to think about security processes differently, in ways both large and small.
Jimmy Sanders, head of information security at Netflix, said the pandemic highlighted the need for his team to move away from older practices that were already becoming obsolete or less relevant. One of the internal changes implemented has the security team developing proofs of concept on a particular tool or technique on a monthly basis.
“What transpired from that is our team developed a resilient and nimble mindset that does not get worried when change happens; change is just a matter of course,” said Sanders.
Security officials have too often treated security as a checkers board where every game piece is worth the same, instead of a chess board where good strategy and the willingness to sacrifice smaller pieces can be employed to protect higher-value pieces.
“We must ensure we build resilience into our environment where the taking of a symbolic pawn or even a rook doesn’t mean it’s game over or a total disaster for the entire environment,” said Sanders.
Cisco, meanwhile, is looking to move towards an end-to-end security architecture and incorporate more zero trust principles into its technologies and processes to better handle many of the trends produced or accelerated by the virus.
“We think that’s foundational to being able to deal with complexity, with all the number of users, all the number of devices, the applications, the data, everything that we see,” said Robbins.