How do you switch trajectory at speed when you’re under threat?

8 minute read 6 Aug 2020
By EY Global

Ernst & Young Global Ltd.

8 minute read 6 Aug 2020
Related topics Consulting Cybersecurity Risk

There’s a long list of organizational vulnerabilities for CISOs to contend with, but some practical steps can help mitigate these.

In brief
  • Simple steps to prepare for the new version of business as usual include updating security policies and performing a “spring clean” of devices and networks.
  • Forward-looking CISOs must reprioritize the strategy, road map and budget to meet inevitable requests for a pause in spending as business strategy is reviewed.
  • In the longer term, certain macro trends may also add to the CISO’s agenda, such as surveillance, digital payments and omnichannel marketing.

As organizations recover and employees prepare to return to work, security leaders are liable to face the challenge of restarting their operations and helping teams adopt a new reality. They also are likely to realign and prioritize budgets within a changed business context, as well as clean up risks that may have been inadvertently introduced during the crisis period.

Recent research published by EY and The International Association of Privacy Professionals (IAPP) indicates 60% of organizations either abbreviated or totally dispensed with security checks in and around new capabilities introduced to support their business.

Reduction in security checks


of organizations either abbreviated or totally dispensed with security checks in and around new capabilities introduced to support their business.

To assist CISOs tactically and strategically, we have outlined a set of actions to take now, next and, in the longer term, beyond.

(Chapter breaker)

Chapter 1

Now: The COVID-19 cyber clean-up

Some simple steps to help prepare for the new version of business as usual.

What should we worry about?

It’s a long list. As we consider opening for business again, the required expansion of remote working makes it more likely that people have:

  • Been granted local admin privilege on their laptop
  • Synced and stored corporate data to personal cloud storage accounts
  • Synced corporate passwords to personal browsers or keychains
  • Enabled printing from home devices
  • Stored sensitive data into open team rooms
  • Stored data on a USB memory stick or USB external hard drive
  • Reconfigured/misconfigured local security settings (such as personal firewall, VPN, wireless, Bluetooth, anti-virus and software updates/automatic storage syncing)

And there are other potential areas, due to the disruptions in business as usual, that can make organizations vulnerable. They include:

  • Supervisors/managers may have collected personally identifiable information on people to track their health and status.
  • Employees’ endpoint devices could be infected with malware via successful phishing campaigns – and, as a result, malware may have found residency within your network, resident in data stores, collaboration sites, or other systems and servers.
  • Patches and upgrades may have been deferred.
  • Quality assurance processes associated with software development were abbreviated, resulting in statistically more defects per line of code that can be vulnerable to exploit.
  • Access controls have been relaxed, additional remote login accounts or credentials have been granted to teleworkers, partners or outsourced staff.
  • Privileged access has been granted to service providers and/or backup staff.

Due to the disruptions in business as usual, potential areas that can make organizations vulnerable include deferred upgrades, relaxations in access controls, and malware on the network due to successful phishing campaigns.

Where do we start?

Here are a few simple steps to take as we prepare for the new version of business as usual:

  • Update security policies and educate employees on how to expunge information that has inadvertently been stored to personal accounts.
  • Use configuration management tools to remove or reconfigure features or functions not ordinarily permitted by policy (compare configuration against the golden image, if possible).
  • Review directories for grants of privileged access during the infections period, ensure that access is required or revoke excess privilege.
  • Perform a “spring cleaning” of devices and networks – assess devices and networks for evidence of malware infection and command and control communication.
  • Review logs created during the COVID-19 period for anomalies – such as unexpected behaviors, gaps in the record, and more.
  • Assure endpoint protection packages are up-to-date and configured correctly.
  • Run enhanced network vulnerability scans across.
  • Review and reprioritize patches and upgrades.
  • Make sure your incidence process can cover ransomware-related events.
(Chapter breaker)

Chapter 2

Next: Strategy realignment and budget reprioritization

Security concerns continue at the same pace, irrespective of how the economy is performing.

What should we worry about?

If we look back at the experience of the last recession, one could argue that the security market should be immune to economic downfall:

  • Hackers do not stop hacking – cyber-crime increases as those with IT skills join the criminal ranks for needed income
  • End users don’t stop double clicking – the financially desperate become more vulnerable than ever to sophisticated financial scams
  • Regulations do not simply disappear
  • The number of vulnerabilities – our attack surface – increase as organizations defer or delay patching and upgrades,
  • The specter of job loss, job dissatisfaction or feelings of economic inequity increases insider risk
  • Demand for counterfeit products increases
  • There is an increased dependence on third-party outsourcers or cloud service providers to deliver core business functions at a lower cost

That said, it is likely that even under the best-case circumstance, COVID-19-era CISOs will face a flat or nominally increasing budget as non-essential IT programs are reviewed, and upgrades deferred.

It is therefore important that forward-looking CISOs strategically reprioritize their strategy, road map and budget – heading off an inevitable stand-off when the business requests a pause in spending as business strategy is reviewed.

Where do we start?

Here are some actions to take now:

Carry out a budget defensible strategy and project road map

The COVID-19 crisis has changed the risk landscape. It is therefore critical that forward-looking CISOs reassess their risk – identifying threats, vulnerabilities and potential impacts in financial terms. Quantify and prioritize implementation and/or operation of controls based on the value they deliver in managing that risk. Orient your project road map to addressing worst first. By creating a business-oriented, financially defensible program, it will be difficult for business leaders to question the approach or redirect your resources.

Consider a program of radical control simplification and integration

We all recognize that the plethora of tools and data sources upon which we rely has overwhelmed our ability to effectively manage our tools and data sources, let alone understand and respond to an ever-increasing volume of security alerts. Ironically, in the flush times, it is hard to let go – particularly with heightened C-level concern about cyber risk. A recessionary environment is the perfect opportunity to take a step back and simplify. 

Build a strong culture of security by design

At the best of times, security is introduced into a digital transformation program late in the process – generally as a compliance item. With inevitable changes associated with greater use of cloud services, third-party outsourcing of core business functions, and/or reduction of internal staff, it is critical the security team is introduced into the discussion as a business risk function. 

Reconsider your approach to privacy

For anyone working in this field, it is well understood that privacy needs to evolve. This is driven by technological developments as well as changes in societal attitudes and perceptions – ordinarily rooted in national and cultural factors – which are highly reactive to the perception of extraneous events. Now, in the midst of the COVID-19 pandemic, we must ask ourselves … what happens next? Have consumer perceptions of privacy fundamentally changed? Have our perceptions about trustworthiness of government and business shifted? Is there an opportunity for governments and businesses to redefine approaches to collection and use of PII moving forward? If so, what do those approaches look like?

(Chapter breaker)

Chapter 3

Beyond: Adapting operations to the new reality

CISOs have an opportunity to be well placed as business advisors and transformation enablers.

What should we worry about?

The near future will see shelter-in-place restrictions being lifted, people returning to work in various configurations, and normal operations resuming.

CISOs need to anticipate that:

  • Some employees will be reluctant to return and continue to work remotely
  • Shortages and supply chain risks will continue to disrupt normal business
  • Insider threats remain high as staff members’ futures remain unclear
  • Nation-states will continue to exploit the persistence obtained previously
  • InfoSec will continue to uncover historical breaches while managing ongoing significant ransomware risks
  • Companies will invest in infrastructure as emphasis on resiliency and contingency planning is renewed

In the longer term, certain macro trends may also be adding to the CISO’s agenda:


To address the crisis and protect their constituencies, governments and even some large companies are rolling out AI-driven applications which leverage cameras, drones, thermal imaging, location trackers, and facial tracking software. An IAPP report suggests that “civil society and private companies have advocated for a clear regulatory framework of facial recognition technology … Possible measures could include a binding requirement to involve data protection experts and human rights specialists in the teams working on the development of the technology, to ensure fundamental rights compliance by design.” CISOs should fully expect the emergence of new compliance requirements as regulatory agencies balance the need for surveillance powers with the democratic push for privacy rights.

Digital payments 

Physicality of cash use may make digital payment platforms a competitive differentiator. From a security perspective, this shift will require CISOs to rethink the role of technologies, such as identity and access management (IAM), morphing it from a tool of control to a tool which enables client interaction. For example, contactless IAM will see they deliver technologies into bricks-and-mortar facilities that allow for facial or voice authentication. CISOs need to be particularly wary of fraudulent exploitation of these platforms – compromised credentials represent 80% of breaches.

Omnichannel marketing 

The COVID-19 crisis has accelerated the trend toward ecommerce, with 44% of consumers expecting to do more grocery shopping online and 39% expecting to do more durables shopping online over the next one to two years, according to the EY Future Consumer Index. With this shift to online retail comes a push to increase omnichannel marketing capabilities. Collecting more information about consumers, as their activities are tracked, helps create new opportunities for marketers, and for CISOs to identify and prevent fraud. But this also introduces new privacy risks, and potential negative perception from customers. There is a growing “techlash” against technology companies motivated by privacy concerns and what companies do with their data. CISOs need to make sure that customer-data collection not only complies with the relevant laws, but is also justified and provides useful benefits in consumers’ eyes.

Accelerated trend toward ecommerce


of consumers expect to do more grocery shopping online over the next one to two years.

Where do we start?

However the near future unfolds, CISOs can be well placed as business advisors and transformation enablers with a focus on the following: 

  • The cybersecurity strategy and road map, as well as security governance, management and operational structure, need to be realigned.
  • Risk assessment methodologies should be revised to reflect revised operational requirements.
  • New KPIs and KRIs for business stakeholders will be necessary to reflect cyber performance in this new world.

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.


Contact us for immediate support

Gain access to our help with crisis management, business continuity and enterprise resilience.




To assist CISOs tactically and strategically, we have outlined a set of actions to take now, next and, in the longer term, beyond. Actions include considering a program of radical control simplification and integration, and building a strong culture of security by design. Macro trends such as surveillance, digital payments and omnichannel marketing are also likely to have an impact. CISOs must ensure they are well-placed as business advisors and transformation enablers.

About this article

By EY Global

Ernst & Young Global Ltd.

Related topics Consulting Cybersecurity Risk