The Tools and Strategies Required to Meet the Current Security Climate
Real Challenges Faced by Providers in Today’s Evolving Information and Communication Technology Landscape According to our CEO & Technical Director. We Explore Security, Innovation, Best Practises and More in the Post-Pandemic World
The enormous, industry-changing disruption caused by the 2020 pandemic changed the way businesses work forever. Throughout this period of confusion and disorder, technology and science helped pave the way for recovery. Even though the future is still unknown, one thing is sure, as people adjust to this “new normal”, where most mundane activities move online, technology adoption will continue to skyrocket.
This creates opportunities for businesses to develop new digital strategies and find new business streams. Still, it also entails a few challenges and risks that executives and companies should consider.
While the pandemic is seemingly behind us, what does the Information and Communication Technology landscape hold for us now? We asked our CEO, David Jacobson and our Technical Director, Sam Gelbart, to share their thoughts and opinions on what SYNAQ, the industry, our clients and other businesses can expect.
Q: How has cyber security risk changed recently – particularly since the Covid-19 pandemic? How have we adjusted and overcome challenges that have arisen?
Sam: Cyber Security (CS) risk has changed significantly due to the pandemic. Primarily because of the urgent need for many businesses to enforce and enable work from home (WFH) measures for their staff. Many companies were unprepared, and their existing enterprise security measures were not portable or less effective for their end-users working from home.
Coupled with a highly stressful and emotional time, many people fell victim to phishing and ransomware attacks simply because bad actors targeted them with content that played on their fears.
Under these conditions, people didn’t always behave as they would typically. Because of uncertainty and fear of information around the pandemic, they would lose their trained “scepticism” and become susceptible to traps they might not have previously fallen for.
CTOs and IT managers faced the challenge of quickly and effectively increasing their security perimeter.
Most challenging was the need to grant external WFH users secure access to the business's internal applications. The rapid rollout of VPNs that users connected to their office networks was one way they achieved this.
VPN access to corporate networks today, post-pandemic, is now a ubiquitous service and extends the perimeter to the home, enforcing traditional “centralised security policy” management where end-users work on company-managed devices.
One problem is that many companies give their staff a choice to “bring your own device” (BYOD) for work. Maintaining security standards, including anti-virus installation, scans and updates for home users accessing the internet on the VPN, is challenging. Sensible idle-time screen lock timeouts and password requirements are also essential. With BYOD, companies must enforce these requirements with policies that staff must sign off on after being audited remotely or at the office.
Finally, it’s incumbent on the business to ensure that policies plan for when their business is compromised. They must play out scenarios for most at-risk situations and how they will remediate them. This process allows companies to act strategically and implement measures and plans to work swiftly when security breaches occur.
David: Cyber security has increased since the beginning of the internet and accelerated since Covid. Businesses must manage the risks associated with staff outside the company's physical environment and controls. The best way to manage these risks is a zero-trust security model.
Zero trust is a significant departure from traditional network security, which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organisation’s perimeter, putting the organisation at risk from malicious internal actors and legitimate credentials taken over by malicious actors, allowing unauthorised and compromised accounts wide-reaching access once inside. This model became obsolete with the cloud migration of business transformation initiatives and the acceleration of a distributed work environment due to the pandemic in 2020.
I believe zero-trust security is the best approach to mitigate the risk for businesses because it seeks to address the following principles based on NIST guidelines.
- Continuous verification. Always verify access, all the time, for all resources.
- Limit the “blast radius”. Minimise impact if an external or insider breach does occur.
- Automate context collection and response. Incorporate behavioural data and get context from the entire IT stack (identity, endpoint, workload, etc..) for the most accurate response.
Q: Where do a cyber security provider's responsibilities for clients’ security start and end?
Sam: As an email security and mailbox hosting provider, our responsibility starts at the edge of the internet, where we scan and deliver mail free from threats to their inboxes either hosted by us or hosted by the client. We apply all the best security technology to secure not only the mail in inboxes but access to the mailbox from hackers who attempt to gain illegal access.
We also ensure that all access methods a user can choose to access their mailbox are possible using SSL/TLS so that they do not send mail access credentials in the clear when on their home or public networks.
After the mail layer, the responsibility lies with the client network and on-device protection to ensure all edge devices are appropriately secured.
David: It’s a shared responsibility model. It is shared because security policies are dynamic, and each organisation has its own needs. It is up to the organisation to decide on its risk mitigation approach. The provider can guide the organisation on best practices, but ultimately the business can choose how many of the cyber security vendors' tools and features to implement. Other services outside the cyber security provider must also fall under the company's IT Security guidelines. For these reasons, it’s essential to have a security provider who can guide the organisation and work in a cohesive ecosystem to integrate the appropriate services and configuration.
Businesses are undergoing a drastic transformation, which only innovation can achieve. But with the increased demand for standard business requirements, the ability to innovate is usually delayed or lost altogether.
Q: How do you find a happy medium between the two?
Sam: Innovation is always tricky, even in good times. The key to balancing the concept of new value and any effort focused on keeping things “stable” or “compliant” is accepting that both are vital. It’s not a competition.
It requires discipline and separation of concerns. People responsible for conceptualising and researching innovation must focus on that and plan for it. But often, the people who build or implement innovations are the same people who deliver required organisational change management and maintenance. The people must have the appropriate space and time to balance their expertise and time between stability and “new value”. This is especially vital when teams are smaller or otherwise constrained by conflicting priorities.
The business can foster innovation, technologically speaking, by enabling the best-case scenarios when they are “ready” to innovate. This means identifying the right time – making sure that human resources are available and are free to act on well-defined goals and requirements.
We live in a world where innovators in the tech space can very quickly evaluate or prove concepts using technology platforms such as AWS. Proving concepts or ideas and developing them through to maturity and “going live” as soon as possible is a required cost of innovation. Not investing in these environments and resources is a killer of innovation and must be accepted as a standard budgetary priority item so there can be as little red tape as possible around innovation.
David: Constraints cause innovation. The magic comes from thinking out of the box and bridging the two. Innovate in sandbox DMZs and let engineers break things in a controlled environment. Deploy Continuous Integration and Continuous Delivery with your DevOps teams. Regular small changes at a fast pace de-risk this innovation dilemma. Get intelligent and experienced Executives and Engineers, and they will increase your innovation ten times while keeping systems stable.
On Hiring and Retaining Skilled Technical Staff
In any organisation, software applications updates and business processes constantly evolve to meet the company's growing needs. Legacy infrastructure is replaced with modern solutions, and integration of various applications happens rapidly. Because of this, they need skilled and qualified professionals to manage these IT operations. This creates a massive demand for talented IT professionals. Finding the right candidate is getting increasingly difficult because of the lack of experience and hard skills that the job demands.
Q: Does your business have this problem, and how do you manage to attract and retain key staff?
Sam: Retaining key IT staff is always challenging, especially if your business does not enable progress and growth in technical teams. The most common reason for re-entering the job market when interviewing prospective employees is the need for development and experience in new or challenging technology environments. The key to retention is strong leadership. A “retention-focused” leader listens to their key staff and empathises with their needs and wants while watching for signs of stagnation. Challenging staff is key to retention, but giving them what they need to grow independently (innovation type growth) and for what the company needs strategically.
A blend of freedom to invent and business requirements is ideal for any business that wants to retain its key people. This strategy blends curiosity or independence with a strong sense of responsibility and becomes entrenched as a set of core values that teams live by.
Finding new talent is based on identifying shared values and matching experience with current needs.
David: Attracting and attaining key staff is a continuous effort. We go through phases. Right now, we are rapidly scaling up our engineering teams and recently have had to look at other platforms to onboard skilled people and handle the logistics of managing and paying worldwide. However, several key staff have been with us for over 10 years. There are many reasons for this and some key things we have learned.
- We spend time on the hiring process. We use the A Method for hiring. We work on scorecards which state the outcomes we are looking for rather than the inputs and spend most of our time on reference checks.
- Co-create the mission and vision. No one buys into a unilateral vision, even if it’s well thought out. We ask the right questions to lead us all on the same path of purpose.
- We create a great environment and give all the tools the teams need to thrive. Then we don’t micro-manage. We get out of the way and use tech-savvy systems to collaborate and keep up with progress. We use many tools, but our primary process is Objectives and Key Results (OKRs). It is a collaborative goal-setting methodology used by teams and individuals to set challenging, ambitious goals with measurable results. OKRs are how you track progress, create alignment, and encourage engagement around quantifiable goals.
- We set up meetings with relevant cadences and follow agendas. These include company-wide huddles, one-on-ones, executive meetings, staff meetings and quarterly business reviews. We try to minimise meeting time to give people space to work and are mindful of our developer’s creative and “deep” work. We try to schedule meetings for afternoons. When we’re at our best, we have fewer and shorter meetings depending on internal and external project load.
- We follow segments out of the Scaling Up and Entrepreneurs Operating System (EOS), which helps us set up our accountability matrix and ensure we are fixing the essential items and not symptoms of problems.
On Best Practices
One of the most challenging tasks of a CTO is to set up work processes so that everyone can do their job more efficiently without wasting time on tasks that could be simplified or automated.
Q: How do you know what tasks are critical, and how do you fit them in when your workforce is busy with standard operations?
Sam and David: Tools that provide excellent visibility of work in progress, along with regular (daily or at least weekly) prioritisation and progress monitoring, and a process that caters for the promotion of critical, urgent work without losing track of what has been planned for the short and long terms.
Q: How do you decide if processes, services sand software should be managed in-house or outsourced?
Sam & David: In-house is better if you have the ability and time to learn skills that do not exist. Knowledge can be shared and innovated if it is vital to your business. External outsourced services are ideal if processes and services are genuinely not core to your company and are reasonably priced.
On Client Centricity
Q: How do you keep clients’ needs at the forefront of all you do?
Sam: All maintenance, process, or innovation are for one of two reasons:
- It will make the business more efficient, performant, predictable and stable.
- It will make the business more competitive and create value.
Both benefit the customer. From better tech support, billing clarity, and take-on processes that take less time and are more robust to creating features that blow customers away in value. Everything must ultimately benefit the customer.
Everything we do is related to customer experience and happiness. The more efficient our tools and processes, the better we can allocate time and energy to serving our customers. They are why we are in business, and solving our internal and value-providing problems will ensure we always put the customer first.
David: We are fortunate to have a large client and reseller base, servicing 100 000’s users at scale. Therein lies tons of data. We have moved beyond the Data Information Age and need to find a signal in the noise. We have invested millions in building a Big Data Platform from which we learn. It is an art and a science to be able to correlate all this information and turn it into client-centric success. We don’t get it right all the time but continuously work on getting the best info at hand to build more relevant and robust services. Additionally, we use this data to enhance our support and security continually.