Recently, we sat down with Adam Geisser, CISSP to discuss how he believes the cybersecurity industry is going to evolve, especially with everyone working from home in 2021 and beyond. With a 25-year background, Adam has experience managing and delivering systems architecture, security auditing, disaster recovery and operations of enterprise financial systems.
Are there new challenges for InfoSec professionals with a larger than normal population working from home?
Adam: Working from home puts a significant reliance on remote communication technologies like VPNs. In the past, some employees had the option to VPN into work, but the majority of your user community wouldn’t be remotely connected to your network.
For example, the company I work for only had a few hundred using VPN daily pre-pandemic, before we had to go remote, and we now have around 4,000-5,000 employees having to VPN into work every day. Another issue that we initially had was that many of our in-office employees only had a desktop at work and no laptop. We initially had to allow people to use their own devices – that we didn’t have appropriate security software, firewalls, or anti-virus on – and use our VPN to log into our network. That introduced a lot of risk in our environments. Once we got a handle on provisioning laptops to all the work from home employees and contractors, we disabled the ability for customers to use non-company hardware to connect to corporate resources. Initially this was a heavy lift, and it put a heavy burden on our infrastructure support teams.
There has been a lot more strain on the network than ever before because when everyone was in the office every day, you didn’t have to worry about remote access from home or the use of personal devices. This brings up the strain on mobile device management as well. Many companies, including the one I’m at, didn’t have a mobile device management policy or software in place right away. Suddenly, all of these employees want to use their cellphones, iPads, or other personal devices, but if you don’t have the appropriate controls in place, you’re playing with fire. This creates another problem for the company because we have no visibility on those personal devices.
Right now, we are implementing a mobile device management solution that will probably be the most unpopular security control that we have ever put into place, as people will have to choose. If you opt in, we load a piece of software onto your phone, create a partition, and all of our company data will sit on that partition. That way, if you leave the company, we can delete that partition. If you opt out, you will not be able to use email, Teams, or do anything work-related on your mobile devices unless you do it through the web. This will most likely cause hesitation about what we can see and do on their phones – which is just the partition; we can’t brick your phone or look through personal text conversations. However, this is the best solution to ensure all of our data is protected throughout the company. Specifically, we decided on using ManageEngine Desktop Central. We chose this because it can work on multiple platforms such as Windows and Mac, which was very important.
Do you anticipate a national GDPR for the US and how might that affect InfoSec teams?
Adam: The General Data Protection Regulation (GDPR) initially started in the UK. A privacy regulation was put into place to protect private citizens and the people that allowed companies to use and market their data. This regulation was initially set up to hold companies accountable for how customer data was being used. This regulation required companies to prove that if someone were to say that they want their data deleted from your system, it could be deleted from all systems. Once you enter your information into a company’s database, it’s propagated into many other databases and systems that may not be protected appropriately – encryption at rest/encryption in transit. GDPR provided a regulation to protect a user’s data from being privatized and monetized. I believe that in the next two years, GDPR will become a worldwide regulation. The effects that it will have on security are probably not as impactful as its effects on compliance. Compliance teams will have to prove that they have the appropriate controls in place to be able to delete all of the data in all of the places that it lives.
“I have over 25 years of Cybersecurity, Information Security and Security Operations in my background. I have worked in Banking and Financial Services, Telecommunications, Travel and Staffing Service industries over that time. My areas of focus have been in Vulnerability Management, Application Security, Penetration Testing, Incident Response, Threat Hunting, Risk Management and Regulatory Compliance. I have worked as a Security Analyst, Security Engineer, Security Architect, Manager of Operations and most recently have taken on management of the Systems Administration team along with being responsible for all Cybersecurity Operations from cradle to grave.
I am the father of four and have been married to HR (my wife) for the last 27 years.”
Adam Geisser, CISSP
Senior Director, Cyber Security Operations (CSO)