The Covid-19 pandemic has us thinking differently about a lot of things. Security is high on that list.
The enforced transition to remote, work-from-home and online service models, at scale, has unearthed a host of cyber security vulnerabilities. It’s highlighted our growing dependence on technology and, alongside it, the importance of security.
I recently participated in a London Tech Week panel discussion on Rethinking security for a post-pandemic world with leaders from National Security, HM Government, Microsoft and data verification company Zamna. Insights from this chat highlighted changing perceptions of security—who owns it, who drives it and the criticality of rethinking current approaches.
For me the single biggest take-away is that there is now a clearer understanding – by tech companies, businesses, regulators and individuals – of what is at stake. There is certainly a new appreciation for concepts like ‘zero-trust’ and ‘security by design’, and greater willingness to engage.
Covid-19’s cross-sector impact on security
Pre-Covid-19, many companies, especially larger enterprises, had begun a shift to hybrid on-premise and remote work models enabled by cloud and collaborative solutions. But even companies far advanced on this journey were challenged by the massive scale-up to remote work demanded by Covid-19. Microsoft, for example, has 160,000 staff to consider, keep safe and productive; at Capita, we have over 60,000 people in offices, our two security operations centres, our labs and onsite at clients, all of whom we needed to shift to remote support of customers. Consider also the UK government, a hugely complex and diverse organisation.
All this has required a considerable mindshift in terms of security.
For many companies, security controls previously built around an office environment, centralised data stacks and physical access had to be radically changed to meet the needs of remote work and workers. For individuals, the shift was just as startling. Working from home and via external networks to collaborate on projects and to service customers meant adopting new layers of security. And for many the sociological challenge—knowing what action was appropriate (and secure) in what context—was as considerable as the technological problems.
For government, this change drove a number of pivots in terms of security—first, to defend critical national infrastructure such as the health system, but also to defend science and technology infrastructure as it strove to develop a vaccine, and to protect its ability to communicate effectively about health risks and issues. Government’s big picture realisation? “What the pandemic has done for us is emphasise the centrality of science, technology and digital – critically digital – to our notions of national power and national positioning, and our cyber power has become critical to our national survival and the competitive positioning of the UK,” said Anthony Finkelstein, Chief Scientific Advisor for National Security, HM Government.
For Zamna, a data verification platform for airlines, governments and security companies, demand for security services bloomed. For example, the c.100,000 passport checks it was running per month for airlines pre-Covid-19 grew exponentially as the need for passenger data to deliver a good service shifted to a need for passenger data to prevent the spread of Covid-19 – nationally and globally. The pandemic has given new meaning to the importance of data and security, noted Zamna’s Irra Ariella Khi. It’s shifted security-by-design from nice-to-have to need-to-have.
How can these learnings be translated into practical principles for managing data and privacy?
A new view on security economics
In the immediacy of the crisis there was a focus on the basics, noted Finkelstein. Now there needs to be a reflection on learnings—achieving a better understanding of ‘security economics’, how to calculate risk, and the structures that must be put in place to achieve the levels of security needed to safeguard data, privacy and progress. There is also the vital issue of making security agile.
If security is laborious, difficult to implement and slows the workforce down, it’s hard to ensure compliance and leads to ‘shadow IT’ in the workplace, said Microsoft’s Sian John. To make security agile, adaptable and responsive to ongoing change, it needs to be built into the remote workplace—it must support productivity naturally. I believe that, going forward, it’s going to be critical to get the balance right.
Both usability and flexibility are important: security must meet business requirements in terms of governance, but it can’t be so stringent that it prevents business from getting the job done quickly and easily. The winners will be those companies that can make security a seamless part of business.
Who will lead the security conversation?
Will regulators and large tech and security companies continue to lead the security conversation in future? I believe this period of change has uncovered new considerations for individuals, businesses and government. The responsibility lies with each stakeholder to define these concerns and to take a collaborative approach to securing both business and society.
Security is a living, rapidly growing area of expertise. There is significant opportunity now, by redefining and driving the adoption of security standards across sectors, to put in place a security-by-design foundation. There are already strong, collaborative ecosystem-wide security movements in place: AXELOS, Capita’s joint venture with the Cabinet Office to set global standards for cyber resilience, is a key example. It provides access to security best practices (e.g., ITIL, PRINCE2, MSP) used by security and IT professionals everywhere, helps develop these best practices and offers guidance on cyber resilience, risk, value and portfolio management.
These kinds of collaborative efforts will help organisations look further ahead to anticipate the next normal for the workforce and supply chains and build better resilience.
Cyber security is an increasingly important part of the technology we use every day. It is evolving rapidly in unexpected ways. In my next blog I will take a closer look at security awareness and education - the need for change relating to Covid.
Take a look at the recording of the London Tech Week panel discussion, Rethinking security for a post-pandemic world.
Paul Key
Capita Group Chief Information Security Officer
Paul Key is an accomplished security professional with over 30 years’ experience of strategy, leadership and communication at all levels. His background allows him to understand a wide range of business, privacy, cyber, security and IT issues.