When enterprises shifted to a remote workforce in the midst of a global pandemic, they didn't anticipate how vulnerable they'd become to cyber attacks. Not only did business leaders have to ramp up their digital transformation efforts, but chief information security officers needed to rethink their cybersecurity strategy and quickly find new ways to manage the threats.
Roota Almeida, CISO at Delta Dental of New Jersey and Delta Dental of Connecticut, said she managed cybersecurity during the pandemic by reskilling security teams and rethinking how they handle threats.
Make sure to read the interview below and watch the video where Almeida, a speaker at 2021's MIT Sloan CIO Symposium on a panel about protecting your digital innovations from cyber attack, talks about the importance of finding people with new skill sets and how the pandemic is opening doors for more women to join the industry, particularly in cybersecurity roles.
What kind of cybersecurity threats are you seeing today? How are they different from what you've seen and dealt with in the past?
Roota Almeida: Today, third-party risk management is one of the top threats that we are seeing in the industry. You might have seen, in the past few months, there are many prominent breaches on various organizations in the United States and worldwide, where the hackers have leveraged third-party vulnerabilities to get in.
Organizations are relying more on third parties for critical information processing than they did before. This makes it even more important to manage the risks that are inherent in this process. At the end of the day, that data is still owned by the organization even if a third party [is used] to process that data or to post that data -- I'm still liable to protect it. So, every organization should have a robust third-party risk management program to continuously assess and manage these risks. It is imperative to ensure that the third parties you're choosing to do business with are following the security protocols required by your organization because now they are an extension of your organization [handling] your data.
As an organization, how are you going to assess that? Assessment cannot be [done at one] point in time -- it needs to be a continuous process. It's also not a 'one size fits all.' You have to understand what the criticality is in this relationship. Not every third party you do business with is critical; [therefore,] you shouldn't look at them through the same lens.
Security best practices are often hard to make stick even during normal times. How did you and your security team go about training employees so that they can work effectively during the pandemic, while also being conscious of the risk of potential security breaches?
Almeida: The pandemic has surely changed the corporate workplace. The companies that traditionally followed the face-to-face culture had to change overnight, and everyone started working remotely just as we did at Delta Dental of New Jersey and Connecticut. But our investments in enhancing our security posture and supporting remote work from [the] business and security perspective in the past few years definitely paid off. Suddenly, we all went remote like the rest of the world. From that point of view, we did not have to drastically change the way we work in terms of security. But, from a monitoring perspective, our security and operational controls goals were accelerated or refined.
To give you an example, certain back-burner initiatives were ramped up. We accelerated our identity and access management strategy to ensure seamless and secure access for our users, regardless of the device or the application that we're using. We also revisited and tweaked our UBA [user behavior analytics] algorithms to support the new way of working to limit false positives and save valuable time for my security team.
You don't want to get buried in false positives, especially now that we were monitoring and alerting on various kinds of activities that we didn't quite focus on earlier, such as remote logins. From an investment perspective, whatever we were investing in the past few years paid off. And what we did change was increasing the pace on certain things and getting them out of the back burner or backlogs and moving them in a faster manner.
There's been a lot of conversation around having to reskill employees or hire people with different skill sets in this new digital age. Are the skill sets you're looking for in your security team different from what you were seeking before the pandemic?
Almeida: The skill sets have not changed, per se. But hiring people outside of the commutable areas has changed. And it's not just us -- I think a lot of organizations are now opening up, and they are being enabled to now hire people with the right skill set, who can be completely remote but can still deliver the same value. Because organizations are now used to working remotely, they can open their horizons and get the skill set from another state, so to speak. It has opened doors for many companies trying to fill jobs and candidates seeking different kinds of jobs.
One thing that has become top of our list when we hire candidates in this remote work environment is communication skills. Whether it's any kind of written communication skills or verbal communication skills via email, phone [or] video calls, it has become important, especially for new hires, who will be completely remote and working with a big team. Communication becomes [increasingly] important when you cannot be in the same room or same building as others.
You've been instrumental in instituting cultural change within the field of cybersecurity. And, while there are still not enough women in tech -- especially in C-suite positions -- do you think that that could change given that the future of work is transforming? Is the pandemic creating new opportunities for more women to join the industry, particularly in STEM?
Almeida: I think this work from home or working from anywhere that has come up due to the pandemic will help women enter an industry like ours and stay for a longer time. In the past, the barriers that I have seen are due to the stress related to this kind of job -- women either don't enter the workforce, or when they enter the workforce, they don't stay for very long, especially if they're starting a family or something [similar]. Then, it's hard for them to stay in such a stressful environment.
Now, because of being able to go from anytime, anywhere, they can balance their work and life better. I think it has opened doors not only in the security industry, but in various other industries as well. And I'm hoping that more women will join this security field, but that is just one aspect of why women are not joining -- we can talk for hours on other aspects of education and things that [are] not available everywhere. But this remote work will increase the percentage of women.
Editor's note: Responses were edited for length and clarity.