COVID-19 Amplifies Existing Cybersecurity Crisis
By Jessica Lyons Hardcastle
Back in the early days of the COVID-19 lockdown, Palo Alto Network hosted a webinar about how to run a remote security operations center (SOC). One of the first slides says “remote SOCs are the new reality,” and it includes a photo of Matt Mellon, who heads Palo Alto Networks’ SOC. He’s working from home, running the $950 million security company’s SOC, with his adorable toddler sitting on his lap.
This is what 2020 work-life balance looks like. There is no balance, and there’s really no hyphen, either. It all blurs together into one messy, exhausting event. It’s difficult for everyone, but it may be even tougher for cybersecurity professionals who were already short-staffed and stressed out before the COVID-19 pandemic hit.
Enterprise Strategic Group (ESG) and the International Systems Security Association (ISSA) recently released a couple of reports: the fourth annual Life and Times of Cybersecurity Professionals 2020 and a second that looked specifically at The Impact of the COVID-19 Pandemic on Cybersecurity. Neither paint a bright, cheery picture.
‘Cybersecurity in Crisis,’ Plus COVID-19
The former called cybersecurity “a profession in crisis,” and it found a continued lack of training, career development, and long-term planning. It also found the skills shortage is getting worse with 70% of ISSA members saying that their organization has been affected by this. The report said 45% believe the cybersecurity skills shortage worsened over the past few years while 48% say it remained about the same. Only 7% believe things have gotten better. “It is getting more frustrating,” said Jon Oltsik, senior principal analyst and fellow at ESG. “We felt that rather than report data and say things haven’t changed, it was time to say things haven’t changed and that’s alarming.”
Meanwhile, the second COVID-19-specific report found that the pandemic has increased cybersecurity professionals’ workloads and the meetings they have to attend while also increasing their stress levels related to their jobs.
ISSA President Candy Alexander said many organizations project a just-get-it-done attitude about security no matter how long it takes or at what cost to employees. This leads to burnout. “And believe me, I’m almost at that stage now,” she said. “I’m working crazy hours and have crazy deadlines, but we all need to speak up and say, wait a minute. I’m willing to go the extra mile, but I need a little downtime. I need a breather because I’ve got my hand up out of the water, I’m going under for the second time, and I’ve only got one more time.”
What Happens When You Can’t Work at 80%
Plus, in other physical emergency and disaster recovery situations, additional law enforcement and first responders are called up to help out. “This is something that we’re not really good at either” in cybersecurity, Alexander said. “And whether it is to fill the skills gap or to help us get through the COVID-19 pandemic response, let’s look at what other skill sets that can come in and help us.” For example: several departments other than cybersecurity within organizations use analytics and employ people who specialize in this discipline. “Analytics is analytics, whether it’s financial analytics or web analytics,” Alexander said. “Pull them in to help you analyze data from your [security information and event management], or help with patching. Data is data, and they will learn the cyber piece of it.”
Rishi Bhargava, VP of product strategy for Cortex XSOAR at Palo Alto Networks, said while decreasing output during the pandemic might be OK for other professions or even other tech sectors, it won’t work for security. “In one sense it’s no different than how every other profession was severely impacted because nobody was used to working in this particular environment,” Bhargava said. “But, in security specifically, you need to work your 100%. You cannot go to your 80% capacity. What 20% of stuff would you not do?”
Weathering Ransomware, Vuln Storm, WFH
It’s a valid question. Destructive attacks, ransomware, and COVID-19 related phishing attacks all surged during the pandemic. Add to that the “vuln storm,” zero perimeter, and a threat landscape that now includes your kids’ iPhones and gaming devices, and it seems the stars have all aligned for the attackers. The demands on security professionals feel especially heavy these days, and we’re only talking about cyberthreats — not the real, physical threats of losing a job, a loved one, or your own life. But the mundane takes its toll as well. “I’ve been remote, while managing kids at home, managing family, and figuring out the groceries,” Bhargava said. “Across the board, it’s been tough. I think we’ve found a rhythm. Cybersecurity always had and will have this uncertainty because you’re always in this reactive mode: find a new attack, respond to it. This time we learned that if you are more organized and the more prepared you are, the better you will be able to respond.”
Despite the long hours and increasingly sophisticated attacks, Bhargava reflects an optimism that I hear from all of the security professionals I’ve interviewed since COVID-19 shut everything down. Coincidentally, that happened shortly after the annual RSA security conference.
Virtual Black Hat, Defcon
Six months later, when all of these same people should have been at Black Hat, happily hacking voting machines and enjoying cocktails in Las Vegas, we are all still stuck at home working remotely. I caught up with Okta Executive Director of Cybersecurity Marc Rogers ahead of Black Hat as he geared up for the first-ever virtual Defcon (he’s also the head of security at Defcon). “It’s a very close-knit community, and the feeling within the security community is one of profound loss,” he said. “This is the time when we would be catching up with friends and colleagues that we normally only ever see once a year, and now we’re not. We’ve lost that human contact, and the community feels it really hard.”
Some do weekly Zooms, “but it’s not the same,” he added. “As we get closer to Defcon, it’s going to be felt more keenly.”
Monitoring Security Professionals Mental Health
But, Rogers added, the pandemic killed more than trade shows and social interactions. “The information security community has lost a number of prominent members, some of whom have died from COVID-19, some of them from other causes during the COVID era,” he said. “It’s been hard to cope with those losses as well because during this lockdown you can’t go and celebrate someone’s parting, and you can’t go and be there, emotionally, physically, for the people left behind.” Rogers also noted the high stress levels and mental health turmoil that security professionals experience, and the pandemic compounds both. The ESG-ISSA Life and Times report notes that security professionals sometimes struggle with issues like depression, alcoholism, and drug addiction related to job stress. This year, the survey specifically asked about this topic, and 29% said that they’ve either experienced significant personal issues as a result of cybersecurity job stress or they know someone else who has. However, this percentage may be higher because 17% either don’t know or prefer not to say.
Not surprisingly, the ESG-ISSA COVID-19 specific report found 23% of cybersecurity respondents said that COVID-19 and remote work have increased the amount of stress associated with their jobs. “The positive sign is we’ve been talking about mental health for years in the community,” Rogers said. “Please, if you’re struggling, reach out. I don’t want to lose any more friends. We are here, and we are willing to help.”