This post was originally published in TechCrunch.
Now more than ever, IT teams play a vital role in keeping their businesses running smoothly and securely. With all of the assets and data that are now broadly distributed, a CEO depends on their IT team to ensure employees remain connected and productive and that sensitive data remains protected.
CEOs often visualize and measure things in terms of dollars and cents, and in the face of continuing uncertainty, IT -- along with most other parts of the business -- is facing intense scrutiny and tightening of budgets. So, it is more important than ever to be able to demonstrate that they’ve made sound technology investments and have the agility needed to operate successfully in the face of continued uncertainty.
Here are five questions that IT teams should be ready to answer when their CEO comes calling:
What have we spent our money on?
Or, more specifically, exactly how many assets do we have? And, do we know where they are? While these seem like basic questions, they can be shockingly difficult to answer…much more difficult than people realize. The last several months in the wake of the COVID-19 outbreak have been the proof point.
With the mass exodus of machines leaving the building and disconnecting from the corporate network, many IT leaders found themselves guessing just how many devices had been released into the wild and gone home with employees. One CIO we spoke to estimated they had “somewhere between 30,000 and 50,000 devices” that went home with employees, meaning there could have been up to 20,000 that were completely unaccounted for. The complexity was further compounded as old devices were pulled out of desk drawers and storage closets to get something into the hands of employees who were not equipped to work remotely. Companies had endpoints connecting to corporate network and systems that they hadn’t seen for years – meaning they were out of date from a security perspective as well.
This level of uncertainty is obviously unsustainable and introduces a tremendous amount of security risk. Every endpoint that goes unaccounted for not only means wasted spend but also increased vulnerability, greater potential for breach or compliance violation, and more. In order to mitigate these risks, there needs to be a permanent connection to every device that can tell you exactly how many assets you have deployed at any given time – whether they are in the building or out in the wild.
Are our devices and data protected?
Device and data security go hand in hand; without the ability to see every device that is deployed across an organization, it becomes next to impossible to know what data is living on those devices. When employees know they are leaving the building and going to be off network, they tend to engage in “data hoarding.” Storing it locally ensures they’ll have access to it later if they run into issues connecting to corporate systems remotely. Our recent analysis showed the number of pieces of sensitive data identified on enterprise endpoints at the end of October – such as Personally Identifiable Information (PII), Personal Health Information (PHI), and more – was up more than 100 percent versus pre-COVID-19. This is particularly alarming as this data is being stored on devices in varying states of security compliance and often on home networks.
What this ultimately translates to is a potentially massive attack surface, one that is incapable of being secured without the right tools in place. In order for a CEO to properly understand risk exposure and make the right investments to mitigate the most substantial of those risks, IT departments have to be able to confidently communicate what types of data are on any given device at any given time.
Are we working efficiently?
As employees were quickly sent home to work remotely, already-stretched IT teams have carried a lion’s share of the burden of not only standing up remote work programs, but also ensuring they continue to run smoothly and securely. Not every IT tool was ready to make the sudden transition. One example we saw was VPNs – in many cases deployed to support a few mobile workers, not the entire company. With devices in various states of disarray, and many users struggling with connectivity from home, the bandwidth required from the platform and the helpdesk supporting it had some organizations instructing employees not to use their VPNs.
Not only does this affect employees’ ability to work productively, it also hinders IT’s ability to ensure basic, foundational security measures are in place. There’s data to show that even pre-pandemic, the struggle to promptly and effectively patch critical vulnerabilities, as well as keep vital security applications like Encryption and AV up-to-date and working correctly, is real…but these challenges multiplied exponentially with the transition to remote work.
Automation is going to play an important role when it comes to operating successfully and sustainably in this new reality. Things like custom workflows can help IT teams ensure critical updates are successfully installed even when devices are off network or that devices are disconnected from systems or servers until those updates are applied. Self-healing apps and devices can repair and restore themselves when they fall down or are tampered with, saving both the end user and IT from having yet one more ticket added to the backlog.
Are we investing enough, or too much?
Fundamentally, your CEO wants to know whether the level of investment and execution matches the risk appetite of the organization. “Where am I vulnerable and have I purchased technology that can protect me?” is the leading question CEOs and their boards put to their IT and security teams. Security is a rapidly evolving risk landscape where IT organizations are constantly in acquisition mode. Enterprises today have purchased an average of 75 security products, though go to larger or regulated organizations and the numbers will be even higher. Gartner predicts that Enterprise Security spend will reach 178 billion annually by 2024 and we estimate that a large portion of that will be spent on endpoint security – securing devices. On average, a device in the enterprise today has 10 security applications on it…and that number continues to increase every year. Many frameworks, such as NIST or ISO, have emerged that quantify and map risk, allowing organizations to plan a course for prevention, remediation, and readiness.
Is it working?
Honestly, I wish more CEOs were asking this question. Many organizations today have a false sense of security. Despite the staggering annual spend numbers, we have not seen a correlated decrease in endpoint incidents. The exercise of “we bought XYZ solution because the framework told us we needed it” allows everyone to “tick” the box and move on. Unfortunately, installing these applications does not ensure they remain installed and working. As any IT practitioner will tell you, there’s a tremendous amount of time and money spent chasing this rainbow. Users tamper with controls, updates fail to install correctly, and applications collide or decay over time.
As total spend and number of security applications have continued to rise, so too has the complexity in making it all work. There are significant security implications of knowing whether a device's software and applications are completely up-to-date, patched, and sanctioned. Data shows that 60% of data breaches last year were the result of a known vulnerability where a patch had not been applied – something that IT was already tracking and had a fix available. With no way to monitor endpoint health, unfavorable odds point to machines having hundreds of vulnerabilities that could be mitigated by something as simple as a software patch.
IT must have a way to measure the efficacy of existing controls and demonstrate that they are actually working properly in order to show accountability for actually remediating risk.
There also needs to be full acknowledgment that it’s not a question of if the organization will be attacked or compromised, but when… and when hundreds or thousands of devices are walking out the door, that risk increases exponentially. CEOs need to know if those devices have an encryption agent installed and working effectively, if devices can be frozen or wiped remotely, and how data can be recovered safely from a compromised machine or remotely deleted forever.
One thing a lot of IT departments overlook is the need for a feedback loop – the ability to monitor the actual efficacy of the security investments being made. To ensure that you have a permanent connection to every asset in the organization that cannot be taken offline or tampered with, and through that connection you can not only see and manage that device, but also automate the healing of critical controls, can be an incredibly powerful tool in this modern enterprise computing mode.
Simple Questions with Complex Answers
Managing and securing endpoints is a complex challenge to navigate in any scenario, but when the stakes are raised, CEOs need answers to these basic questions in order to understand where there may be gaps or vulnerabilities and then make smart, targeted investments. Especially at a time when so many have transitioned to remote work, IT teams play a crucial role in a company’s survivability and performing that role best – especially in the eyes of their CEO – includes answering these five questions as thoroughly as possible.