The Role of a Chief Information Security Officer (CISO) in the Shift to Remote Work

As employees have shifted to a remote work environment, organizations have been forced to rapidly adapt their information security strategies to reflect the structure and keep their teams and technology safe. Chief information security officers (CISOs) have shifted priorities around privacy, integration of corporate and user systems, and the introduction of new technology in light of COVID-19.

First, let’s answer the question: what does a chief information security officer do? CISOs assume responsibility for an organization’s information and data security. Their role can include implementing programs and projects to mitigate risks, managing security operations and analyzing immediate threats, and ensuring all security initiatives run smoothly. The scramble to shift workers to a remote environment in 2020 forced CISOs to alter many strategies and priorities and highlighted the importance of their role within an organization.

We sat down with Premise Health’s CISO, Joey Johnson, to discuss the remote workforce shift. Here are some of the top challenges companies face as they enable employees to work remotely and how CISOs can play an active role in mitigating them.

Increase in Malware

Industry wide, employees’ resilience to phishing scams decreased tremendously after shifting to a work-from-home environment. Remote work has increased employees’ email load, which has given hackers more opportunities to scam workers with malware and phishing attacks.

Contrary to popular belief, poor information security is not often a result of poor security systems – it’s a result of being human. For hackers, the easiest way into a company is not through their firewall, but through their employees. Therefore, the best way for a CISO to improve an organization’s information security posture is to educate their workforce.

To ensure employees are properly educated on security threats, CISOs can:

1. Work with HR teams to set up employee courses on security awareness.
2. Emphasize user-advocation. Employees often think they are 100 percent safe because their organization has a security team. CISOs should educate employees about the threats they are seeing and how they are being mitigated. Awareness helps overall attentiveness.
3. Use simulated phishing scams to test employees’ resilience to malware. Real-world examples are the best way to show workers what phishing can look like in their inbox.

Need for New Technology

As your organization adapts to working from home, there is a need for new tools and technology to replace face-to-face interaction and allow workers to continue communicating and collaborating with co-workers and third parties. If employees don’t have the tools they need to complete their work or if the tools are ineffective, they may try to solve the problem on their own by using un-vetted applications. Additionally, if third parties don’t have access to the same solutions as internal teams, workers will try to fill the gaps with unapproved tools.

CISOs play an integral role in understanding what tools employees need and thoroughly vetting each one. The work-from-home environment has only increased the need for new technology and because the shift was required with little notice, CISOs are having to quickly find solutions.

Here are two ways to address these challenges:

1. Provide the best, most effective tool the first time. If workforces have what they need, they won’t go looking for a solution on their own.
2. Emphasize the importance of open communication. If the CISO and security team are available and approachable, employees will feel comfortable coming to them with any issues instead of trying to solve them on their own and introducing unnecessary risk.

Integration of User Data and Corporate Systems

The biggest challenge CISOs face with a remote workforce is the lack of privacy and security that employees have in their homes and on personal networks. For clinical workers conducting virtual care appointments at home, ensuring they maintain the same privacy standards in their homes as they would in an onsite or nearsite health center is critical. Many in-home technologies (such as Alexa and Ring doorbells) have built in microphones and listening capabilities, creating serious privacy risks. When paired with multiple family members working out of the home, finding a completely private space can be difficult.

A VPN (virtual private network) is one way to provide secure network access to remote employees. VPNs allow team members to access secure documents and applications remotely and give IT teams access to employees’ devices so they can keep technology and systems up to date. VPN technology is critical to many operations, but it also introduces unique security concerns. When an employee signs on to a VPN from a personal device or while on a public network, they are essentially creating a secure tunnel directly into their organization’s network. If an individual has malware on their device and signs on to the VPN, they have given that malware full access to the company network.

How can CISOs minimize these security risks?

1. Stay vigilant. Make it clear that employees will be held accountable for their actions when utilizing corporate tools and technology and lay out concerns in a way they can understand.
2. Communicate clear guidelines for how employees can use corporate tools and technology in their remote work environment and provide them with the resources they need to comply.

The Role of CISOs Moving Forward

The coronavirus pandemic was, and still is, a force of function. The technology to successfully work remotely has been available for years, but many organizations have been resistant to adopt it. Remote workforces are the new normal and are likely here to stay. As organizations navigate the change, security teams will continue to face challenges around home computing technology and devices. With this shift, CISOs will need to stay vigilant to new threats, educate their teams, create awareness around information security, and provide their employees with the tools they need to be in compliance and successful.

Learn more about how Premise Health uses technology to provide members a powerfully effortless experience.