Yet organizations will find that simply maintaining the same online operations they built this year, under the tightest deadlines and often with makeshift technology, will not do. Businesses will have to up their games on digital customer and worker experiences, said Laura Koetzle, a vice president and group director with the IT research firm Forrester.
“Among consumers, there was a certain amount of, ‘OK, it’s a pandemic, I get it,’ but they are going to quickly become less tolerant of that,” she said. “You’re going to have to ensure that those experiences actually scale, work properly and deliver the same emotional resonance that those in-person experiences did.”
Authenticated Identity Is the New Cybersecurity Perimeter
The time for putting off the transition to a zero-trust security framework is over. Those businesses that were relying exclusively on virtual private networks to enable remote work at the beginning of the pandemic discovered quickly the inadequacy of that approach when they sent their entire workforces home. In response, many have rapidly moved more workloads onto cloud platforms, but cloud comes with its own security demands.
Only a zero-trust framework with authenticated identity as the security linchpin is sufficient for an increasingly mobile world, said Microsoft CISO Bret Arsenault. “It’s got to be about a healthy device, strong identity and consistent telemetry, and I asked every one of my vendors to show me how they make that happen. So, that’s resulted in this ‘zero trust or bust, no exceptions’ model that we have across the entire company and that we hold everyone accountable to.”
Arsenault, who has been guiding Microsoft and its 163,000 employees toward zero-trust security for more than four years, said every organization should be striving to do the same. “When I look at numbers like fewer than 20 percent of organizations have 100 percent multifactor authentication — you’ve got to get that done.”
To Become Resilient, Businesses Must Embrace Chaos
The word resilience has been used a lot this year, typically to describe organizations that have survived, or even thrived, during one of the most challenging times in the history of modern business. The organizers of RSA 2021 even made the concept the theme of the event.
But what is business resilience? RSA CEO Rohit Ghai said that truly resilient businesses are those that “fall less often, withstand the fall better and rise up stronger every time.” As threat actors are striving to create organizational chaos, Ghai said that leaning into chaos, rather than trying to avoid it, is the key to resilience.
“How do you secure chaos?” he said. “You can’t. You don’t. You focus on resilience by embracing chaos. How? First, expect the unexpected. Trust no one and compartmentalize failures.”
Companies fail to do this, said Gabriel Whalen, manager of CDW’s information security solutions practice. They deploy cybersecurity solutions but don’t always plan for the near inevitability of a breach.
“It’s not a matter of if but when an organization is going to be impacted by a criminal cyber actor,” Whalen said. “Regardless of the size of the organization, it’s a matter of being underprepared.”
The Security Talent Shortage Is Now a Crisis
According to the (ISC)2 Cybersecurity Workforce Study, 2020, by research firm (ISC)2, the industry is about 3.1 million cybersecurity workers short of what businesses need; 64 percent of cybersecurity professionals say their organizations are impacted by the shortage.
“Our data suggests that the global cybersecurity workforce needs to grow 89% to effectively defend organizations’ critical assets,” the report notes.
Cisco Systems CEO Chuck Robbins said that providing existing workers with cybersecurity skills and looking in unconventional places for talent are the paths forward. He noted that only 24 percent of cybersecurity professionals are women, even though most new workers today are female.
“We have more unfilled opportunities than we have trained professionals in the world,” he said. “We have to train people, we have to reskill people, we have to continue to develop the existing talent. We have to make it easier for people to get into cybersecurity and we have to look at untapped sources of talent.”