The shift to remote work was like an army retreating to safer ground, its personnel scattered in the face of the oncoming pandemic. IT functions raced to reconnect these employees to the organization and reestablish communication as their businesses began to understand what disruption really means.
Meeting the technology demands and solving the problems that arose during the early days of the COVID-19 crisis taxed beleaguered IT functions, but it also put many IT initiatives on hold. For 44% of organizations, cybersecurity was one of those initiatives, according to the 2020 Work-from-home IT Impact Study from cybersecurity firm Sectigo and Wakefield Research.
Since then, IT functions have been catching up on safeguarding remote work. Now as organizations have settled into a more long-term — and even permanent — remote operating environment, their IT teams have turned their attention to what comes next.
Those organizations need a dual cybersecurity mindset, a recent McKinsey & Co. article advises. They must secure the technology needed for remote work, while anticipating how to design security for life after the pandemic.
In the current crisis, "cybersecurity teams are being perceived anew," according to "A Dual Cybersecurity Mindset for the Next Normal." Going forward, the authors note, "They must no longer be seen as a barrier to growth, but rather become recognized as strategic partners in technology and business decision-making." Internal audit functions may find McKinsey's recommendations helpful when assessing cybersecurity risk, and advising executives and IT management about future plans.
Securing Remote Work
Five months into remote operations, organizations must fortify their security work, while considering how to safeguard new technology and processes adopted during the pandemic, the McKinsey article advises. The authors recommend focusing on:
- Assessing hot spots by remedying operational, process, and technology gaps.
- Fixing operations by evaluating new risks and implementing controls.
- Fortifying security gains by standardizing remote work procedures and evaluating technologies to reduce long-term risk.
The Next Phase
While they continue to address the pandemic, IT and cybersecurity leaders should look at how new business conditions may affect the organization, the article says. The authors point to four areas where leaders should act to protect the organization's ability to create value.
Secure Workforce in New Ways of Working. In response to fundamental changes in the way organizations work, the authors recommend undertaking cybersecurity initiatives, including:
- Dynamic security of users, assets, and resources.
- Cloud-based tools and infrastructure.
- "Contact-aware" workforce privacy that may involve employee consent.
- People defense to reduce fraud and other vulnerabilities that may result from employees' anxiety.
- A remote cybersecurity operating model and talent strategy.
Secure Customers in Shift to Digital. Customers expect a "secure and seamless" digital experience with greater choice and availability, the article notes. IT and cybersecurity functions should prioritize:
- A frictionless customer security experience across all web, mobile, and customer service channels.
- Cybersecurity controls that function at scale.
- Privacy by design that includes controls on the use of customer data.
- Advanced analytics that integrate security into fraud controls.
Rethink Supply Chain and Third-party Risk. Organizations need to assess the resilience of their supply chain as they adopt new ways of operating. The article recommends:
- Expanding assessment coverage to review all vendors and potential third parties.
- Updating security controls to account for third parties' remote operations.
- Securing partner collaboration.
- Planning for geopolitical challenges to critical vendors.
Sustaining Increased Sector Collaboration. Organizations need to strengthen partnerships with peers, their industry sectors, and regulators to support changing processes, the authors say.
Align Security With Changing Business Strategies
Flexibility will be key for IT and cybersecurity functions to adopt a dual cybersecurity mindset, the McKinsey authors say. Leaders of these functions should "plan their security strategies to best align with business strategies and priorities," which may have changed during the pandemic. The article recommends that leaders assess opportunities to "leapfrog" current security capabilities, set parameters that prioritize essential initiatives, and clearly communicate time frames for cybersecurity efforts.