CISOs reveal secrets to pandemic success in critical organisations

Security leaders at some of the world’s most critical organisations have revealed the inner workings of how they were able to get their staff to buy into a culture of security at a time when they needed to the most.

Chief information security officers (CISOs) at NHS Scotland, IMC Companies, and Israel Airports Authority, speaking at Check Point’s CPX 360 EMEA conference this week, told of the massive challenges they faced in suddenly shifting large workforces to a remote working basis.

NHS Scotland faced a huge number of difficulties as it introduced new initiatives and COVID-19-related innovations, and cyber security was naturally at the heart of the overhaul of its ways of working.

Information governance and data protection were at the forefront of the concerns, but the organisation also had to maintain trust with the public and other authorities when rolling out services such as track and trace.

But Scott Barnett, director of national security operations centre at NHS Scotland, said the pace of development in the Scottish health service has been “incredible” and it was a “necessary” response to the pandemic.

To effectively manage the innovations required to deliver public health services, Barnett placed a lot of effort on internally advertising his team’s security capabilities with developers tasked with creating new digital public health services.

He also said he wanted to ensure his security team wasn’t being seen as an unnecessary “blocker” to development, but helped the programmers at every stage of the development process.

“[Security was] absolutely crucial with the amount of scrutiny on the health service, that the reputation is protected,” he said.

“Trust was a huge element throughout the pandemic, in terms of whether it's providing the capability to schedule, attend, and receive vaccines; whether it's for the booster programme that we've recently been involved in; or whether it's to enable people to take part in and contribute to our track and trace and our whole reporting of health data initiatives - all of which we brought digitally to the front door of our citizens in Scotland, over five million citizens provided by a 200,000-odd workforce.”

He went on to say “security is everyone’s accountability” and that he believes he has managed to accelerate that conversation within NHS Scotland - one of the main positives he draws from “what has been a horrific situation globally”.

An easier transition for some more than others

The situation was markedly easier for David Ulloa, CISO at IMC Companies, who was enjoying a Caribbean holiday with his family in March 2020 when he got a call from his chief information officer (CIO).

With distinct urgency in his voice, Ulloa said, the CIO asked if the company VPN was ready after realising that the majority of the international corporation’s staff would soon have to go remote.

Ulloa was unfazed as the company had fortunately finished setting up the necessary remote working infrastructure only a month prior to the onset of the pandemic.

Before that day in March 2020, just 2% of IMC’s workforce was remote but the COVID-19 pandemic eventually forced a total of 60% to move to home offices. He said this represented around 50 devices using the company VPN pre-COVID to more than 800 almost overnight.

“Last year before that week, when we moved to remote, we were 2% remote,” said Ulloa. “By the peak of the pandemic, we were 60% remote - just like that.

“Just imagine all the complexity that goes on in the background, but we didn't even feel it because we had the infrastructure to provide the service to our business units. And for us to make sure that they had what they needed to make business happen.”

It’s a shift in working conditions that IMC - the success of which saw the company double in size during the pandemic - would never have been experimented with had the pandemic not happened, Ulloa said.

Despite the “perfect timing” of events unravelling, as Ulloa put it, the company demonstrated great competence in its cyber security strategy, as it needed to be with corners of its business being a critical element in the supply chain.

Deploying services for a multinational company in the space of just a few months with minimal friction was a feat in itself, but Ulloa also spoke about the company’s efforts to document all the new services in an easily accessible way.

It was this documentation, accessible through a simple QR code sent to employees, as well as the carefully chosen technology stack, that made the move to remote work so easy for everyone involved.

An old issue with novel approaches

For the Israel Airports Authority, its CISO Roee Laufer said working from home was not a particularly worrying ‘vulnerability’ but the real challenge was shifting a large number of workers to remote work.

“I hear a lot of discussions around introducing new types of vulnerabilities [like] working from home etc. [but] I think it's it's not a matter of new vulnerabilities,” he said.

“I think for us it was more [a case] of dealing with the quantity, the rise in the numbers of resources using remote capabilities, rather than introducing new capabilities that weren't around before. So in that sense, I think that was the major difficulty.”