Celebrating a Secure 2020

Helen Patton
Dec 6, 2020

Congratulations, You Made It! And other good Security news.

It’s December already. Not just any December, but THIS December: 2020. The year of COVID and elections and COVID and BLM and COVID and natural disasters and COVID. And did I mention COVID?

Whatever state you are currently in — happy, healthy, sad, sick — I want to wish you a Happy New Year because, by golly (does anyone even use this term anymore?), you’ve earned it. You made it through a really really tough year. Maybe a little older and wiser and perhaps sadder, but you are here.

For those of you who work in the Security industry, a double shout out to you. This year has been chock full of events — private, public, national, international — that have made working and living and thriving in Security a real challenge. All those “2020 predictions” that came around this time last year weren’t completely wrong, but they sure didn’t take into account an international pandemic that sent millions of people out of the office, changed the international supply chains, diverted the attention of national policymakers, and otherwise turned 2020 into a Security dumpster fire.

Throughout the year, some positive things have happened that I want to raise up for your awareness. My gift to you, to help you remember that while 2020 has been a struggle, some great Security things have happened too. So, here goes:

Security Projects Accelerated

For some of us, when COVID hit and all our employees had to head home to their security-challenged personal working spaces, projects to secure end devices or implement zero-trust authorization or cloud gateways got fast-tracked. What was planned to happen in six months took six weeks. Leadership and security teams and IT teams realized that security projects could happen faster, without breaking things. They observed that with the right political will the right security things could happen. They realized that when they accelerated security projects, the cost of security projects went down. Leadership realized that they should have been paying closer attention to Security all along…

Security Salespeople Became More Creative

I admit it was rocky at first. As a CISO, my phone/inbox/LinkedIn feeds were constantly being bombarded with cold calls (“let me tell you how product XX can solve your COVID problems!”), and the social distancing made this worse, not better. But over time, as vendors had to grapple with not being able to meet in person, and that another online meeting (virtual whiskey, anyone?) was just too much for zoom-fatigued security people to bear, they have become more concerned with how to meaningfully engage. This is not to say that they weren’t thinking about it before — they were — but COVID has forced creativity and introspection in a way that a typical year couldn’t do. Product demos are more easily accessible without having to run the gauntlet of sales meetings, and less travel means product teams can spend more time on improving their product. I don’t envy security salespeople at the best of times, and this year must have been particularly difficult. But I am hopeful that 2020 will usher in a new, more efficient, and more meaningful way of interaction between salespeople and security buyers.

Hiring Pools Expanded

Did you know there’s a shortage of security talent? (I’m being facetious). I don’t think our need for talent decreased (an ISC2 Workforce Study is a good read if you’re interested) and it seems more people entered the cybersecurity workforce in 2020 than in previous years. I think the good news is that hiring managers realized that they didn’t need to have as many people on site and could therefore accept candidates from other geographies.

Why is this a Good Thing? If we are going to increase the diversity of thought and experience in technology/security, we are going to have to go looking in unusual places for candidates (in the US, this means anywhere outside Silicon Valley or the Northeast Corridor). There is a ton of talent in non-obvious places; we just need to go there to get it.

I’m hopeful that 2020 is the year that hiring managers, recruiters, and companies learned that there is a world outside their immediate location just waiting to be hired and that in the future they continue to reach out to those locations for talent.

Security Training

When the global workforce was sent home, governments, colleges and universities, and private companies came together as they usually do, to see what could be done to reskill displaced workers.

The good news for Security is that colleges and universities understand they need to be faster, more flexible, and less expensive if they are to have a role in training the cybersecurity workforce of tomorrow. They are actively taking steps to make this happen. Simultaneously, state and federal governments (at least in the US) are actively funding K-12, boot camps, scholarships, and other programs, to accelerate the training of potential workers for the Cybersecurity industry.

All these things should mean a future where the cost and time barriers to receiving training are reduced for individuals, and the candidate pool for security employers will get bigger and more diverse. Win-win!

Risk Management 101

If I had designed a tabletop exercise using the events of 2020 for my scenario, I would have been pilloried, if not fired, for making something so unrealistic as to be irrelevant. And yet, here we are, dealing simultaneously with an international pandemic, wildfires, hurricanes, ransomware, and disinformation attacks. All future tabletop exercises are now completely fair game.

Lest I spend too much time gloating (nothing like “I told you so” to make a security person feel vindicated), the silver lining is not that all these things happened. Of course not. The silver lining is that it has pushed every company employee through a crash course in risk management. What is important to the company? What needed to be recovered first, second, last? Which employees are “critical”? How do employees rate the criticality of their work over the safety and security of their families? Which vendors do we need the most? Does our leadership team have the skills to manage through a crisis? If not, why not? Does our family have the means to manage through a crisis? If not, why not?

These lessons are invaluable, not just for now but for future years. Having leadership with this kind of experience will only help, not hurt, security efforts. A gift that keeps on giving.

Yes, 2020 has been a tough year. And I know that we are not yet out of the woods — 2021 will continue to be challenging. I am trying hard to find the light in the darkness, to see the potential Good Things that are coming our way, to know that even though we are in a tunnel there is a light at the end that is not a train!

Congratulations for being here, for making it through (in whatever state you are in), and for being ready to face 2021. There is much to do, and many Good Things to anticipate and enjoy.

May it be so.

Written by Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com