Given the demands of the role, a modern CISO can feel like David fighting multiple Goliaths. CISOs, or Chief Information Security Officers, must manage a wide variety of tasks, ranging from cybersecurity threats and automation to regulatory compliance and an environment of ever-evolving technologies. Now, CISOs must not only handle all of the above, but do so in a remote or hybrid work environment.
To better understand how security professionals are managing this paradigm shift, I talked to Adrian Ludwig, Chief Information Security Officer at Atlassian, to learn what keeps him up at night and what he’s excited about.
Worrying about the unknown unknowns
There are a variety of known security threats that CISOs have to deal with in their role – it’s just part of the job. But these knowns are not what really worries Adrian. He recalls a quote from United States Secretary of Defense Donald Rumsfeld: “… there are also unknown unknowns – the ones we don’t know we don’t know…” It’s the unknown unknowns, especially in a newly remote world, that worry Adrian.
Social dynamics and interactions
Adrian points to the impact of social dynamics and interactions on an organization and its security. “Most of the underlying security technology we embrace is similar, whether people are remote or in an office. What’s not obvious is how the changing social dynamics and social interactions end up impacting security,” he explains. This challenge is unprecedented and unpredictable at this scale, and the impact of this shift can vary from person to person, making it difficult to predict or plan for.
Just as you change your behavior when you leave the office and go to the bar, people may behave differently when they’re working in their pajamas on the couch. Will individuals be less vigilant about the files they’re opening? Will they leave their computer unattended at a coffee shop?
These questions make it all the more important to bring strong workplace practices into the remote world. Good onboarding, training, and open communication help ensure employees remain integrated with the company, feel connected, and provide an opportunity to share trust signals and security practices.
Shared responsibility
Enterprise security does not fall solely on the security team. While the topic of security is not top-of-mind for the majority of an organization, he said it should be. Adrian is a firm believer that “security truly is a team sport and a shared responsibility for most people in a company.” When this is the case, you’re able to reap benefits at scale. However, this “team sport” is harder when your “players” are scattered across the globe.
Being in a physical office makes it easier to raise security awareness and keep the concept continuously present. “There are many intuitive social cues such as office doors, badges, turnstiles, even posters that foster security awareness.” Adrian says he fears that without these cues we might see lower security awareness, which could lead to an increase in security problems.
The future of enterprise security
Given the concept of security is so central to the enterprise conversation, there are always new technologies, trends, and best practices to be optimistic about.
The shift to cloud
“Who doesn’t get excited about better enterprise security for less work?” Adrian asks, noting the opportunity and benefits that come with a shift to cloud-based software and SaaS offerings. “The movement toward cloud reduces a lot of security toil, like tracking inventory, installing OSs, keeping patches up to date.” By removing that time and effort, energy can be shifted to more strategic security initiatives.
Case in Point
“One example we’ve seen at Atlassian is that the use of a cloud-based platform as a service has allowed us to more quickly deliver security improvements across all of the micro-services that make up our products. Similarly, the use of containers has made it possible for us to automatically update the base images we use in our PaaS, to more quickly update our software, and minimize exposure to known vulnerabilities.”
Consumer influence
We all know the enterprise space isn’t known for being hyper-nimble or flush with early adopters, especially when compared to the consumer space. “However, that doesn’t mean we can’t take cues from the consumer space,” Adrian notes. The consumer realm has seen a rapid escalation in security expectations over the last decade. Ten years ago, no one would have assumed billions of people would be using devices (iPhones, Androids) with built-in, enabled-by-default strong encryption, and that many of our most popular messaging apps (iMessage, WhatsApp) would have end-to-end encryption. “While the enterprise has been a bit slower to adopt these technologies, I’m excited to see security primitives being absorbed directly into tools that we use day-to-day.”
The marriage of ease-of-use and usability
Often there is a misconception that anything around security is difficult, cumbersome, or unfriendly to users, but with good design and a focus on user experience, that tension can be alleviated. Adrian is encouraged by recent advances: “I love that so many of the recent powerful enterprise security improvements (U2F/Yubikey, SSO, ZeroTrust) have resulted in ease-of-use and productivity improvements while enhancing security. I’ve never been convinced that usability and ease-of-use are at odds with security, so it’s exciting to see good design getting deployed as part of security solutions.” Adrian believes that continued design improvements will have a net positive effect on security and improve both adoption and usage of security best practices.
Improve workflows to improve security
It can seem like there are an overwhelming number of threats and issues CISOs have to prepare for, and Adrian shared some best practices for coping. “When it comes to security, organizations can sometimes be their own worst enemy. A lot of security problems are really workflow-related. The security team might flag an issue but be unable to drive resolution, while other teams may not even know it’s an issue at all,” he explains. Software that is open and collaborative can ease these workflow challenges and help organizations get ahead of such problems, improving their security.
Atlassian Cloud offers dedicated teams charged with keeping your data safe, and enables your organization to leverage secure remote-ready practices that help your teams get work done efficiently and effectively.