How COVID-19 Is Changing CISOs' Approaches to Security
'Zero Trust' Model, More Frequent Risk Assessments Are Among the Priorities
The COVID-19 pandemic is forcing big businesses to rethink their security plans. For example, the National Football League is experimenting with “zero trust” architectures, while JetBlue is focusing on more frequent risk assessments.
In a panel discussion at Information Security Media Group's Cybersecurity Virtual Summit, the CISOs of the NFL and JetBlue explained how they are mitigating the threat posed by an increase in cybercrime during the economic downturn triggered by the pandemic (see: Global Cybercrime Surging During Pandemic).
"As economic downturns happen, typically criminality goes up. So our job hasn't changed when it comes to looking at threats, threat actors and what they are targeting," said JetBlue CISO Tim Rohrbaugh. "We have changed our approach just a little to better expect what we see coming out of our information sharing programs. Security team sizes are obviously affected by a drop off in revenue, and that can affect how you're viewing the volume of data you are seeing. That has caused some challenges with respect to detecting anomalies."
NFL's ‘Zero Trust’ Approach
Meanwhile, the NFL has begun experimenting with a “zero trust” approach to help it better manage who has access to certain apps and resources (see: NIST Issues Final Guidance on 'Zero Trust' Architecture).
"We are looking at how do we limit and screen traffic internal to our environment … and how does data leave and enter our environment. And we're looking at that across our data centers," said NFL CISO Tomas Maldonado.
Remote work and other issues associated with the pandemic led Maldonado and his team to consider how a zero trust architecture could help protect infrastructure and assets. The NFL security team is trying to determine how implementing zero trust in one part of its network affects other network components, Maldonado said.
"How do you actually handle business continuity planning when you're in this sort of hybrid mode - where you've got a portion of the environment doing zero trust?" Maldonado asks. "That’s a challenge that we're looking at, especially making sure that we could clearly document and recover our business."
Maldonado joined the NFL as CISO in December 2019, giving him only a few months at the organization before the pandemic hit.
"I never really got the chance to get comfortable in the new role," Maldonado said. "You don't have your typical 30-, 60-, 90- or 100-day plans that you would do as a new CISO. Coming into any new organization, you literally throw it out the window, because you just started and the pandemic hit and you're in almost a fire-fighting mode."
Frequent Risk Assessments
Although airline travel is far lower during the pandemic, cybersecurity remains a priority for JetBlue, Rohrbaugh said. Over the last several months, his team has focused on how risk assessments can help fill security gaps as staff members leave the organization and more work falls to those who remain.
"Gone are the times where we could rely on doing risk assessments once a year, or maybe doing one just at the enterprise level," Rohrbaugh said. "You really have to be flexible with doing risk assessments very frequently - at the project level and at all change levels. And in the remote situation that we're in, we have to really learn to communicate well to our staff members and make them part of the process."
Beware of Risks
Rohrbaugh noted that recent ransomware attacks against large organizations, such as Garmin, should serve as a warning (see: Garmin Confirms Hackers Encrypted Several Systems).
Ransomware gangs "are doing due diligence on the systems that they have encrypted … and sometimes even looking for filings and reports before they ever give a price to unlock," he said.
Since March, the NFL security team has tracked over 100,000 suspicious domains, Maldonado said, and it’s attempting to block any emails that might attempt to lure employees into clicking on malicious links.
"Phishing emails have probably gone up by tenfold," Maldonado said. "We were tracking all newly registered domain names that had any sort of combination of 'Coronavirus,' 'COVID,' 'Wuhan'."