Since the COVID-19 pandemic changed our lives in early 2020, we have all intellectually been in search of ways to remain centered and focused on essential tasks. Our lives have become far more complex, and we have all been consumed with “the mission (personal and professional),” whether that is protecting against cybersecurity threats or ensuring that our families are safe and healthy. Some long for the comfort and predictability of the past and are searching for ways to fit the uncertainty of the COVID environment into that template. The reality is we are likely in the midst of a cascading series of future states that mandates a fundamentally different approach to maintain our competitive advantage, regardless of the roles we play.
It is the magnitude and intensity of the mission that requires us to find ways to stay grounded, alert, aware, and optimistic for those we are privileged to lead … and, truth be told, for ourselves. One way I like to do that is by getting in an early-morning run, thinking about the many facets and complexities of the mission to keep our organization safe, secure, and functioning at optimal efficiency. Like so many of my teammates in the military—and like many others in the private sector—my thoughts were dominated on one typical morning run by a recurring theme: The New Normal.
We’ve all heard, and probably uttered, that phrase so often this year that it has the potential to become stale and meaningless. While I believe that many people have defaulted to that phrase as a way to explain what we’re going through and what may be around the corner, the reality is that a return to normalcy may be unachievable. We may talk about the new normal as a way to improve our comfort with our current challenges, but I feel it’s time that we all embrace the change and begin posturing our people and our organizations to rapidly adapt, at speed, and at scale. My sense is the time has come to forget the new normal and embrace the realities of the new now.
Everything Feels Different
What do I mean by the new now, and how is it different from the new normal narrative that has dominated the headlines? Let me use what we experienced as a result of the national tragedy of September 11, 2001 to explain.
As fate would have it, I was in the Pentagon on that horrific day. The next day, we all knew that many things were going to be different. New rules were quickly developed to ensure the physical security of our people and our national assets. In the military, this included things like installing concrete barriers at the entrances to our bases and tightening up security checks before we could pass through checkpoints. For anyone traveling, we enacted new airport security measures, including taking our shoes off at security gates. All necessary steps, and they undoubtedly helped to keep us safe amid uncertainty. This became our new normal. And arguably even conceptually, we are still doing many of the same things, in the same manner today, with relatively few adjustments or updates over the past nineteen years.
Now, by contrast, in what I describe as the new now, everything feels different. My instincts tell me that things have changed in ways and magnitudes we could not have imagined. The mood of our organizations, our businesses, and our workforces is very different. New variables are constantly being introduced into the equations of our daily lives, forcing us all to continuously adapt to the here and “new” now.
Our focus has to rapidly shift from regaining normalcy, to real-time adaptation to rapidly changing conditions affecting what we do, and how we do it, now.
The New Now and Cybersecurity
What does this have to do with cybersecurity? Nothing. Well, nothing if you are rooted in traditional thinking around threats, user environments, tools, and processes. But if you appreciate just how much things have changed and will continue to change, then welcome to the new now of cybersecurity. We must rethink how we will leverage cyber capabilities. How we will run and defend operational and business networks, and data critical to the achievement of the near and long-term goals of our organizations.
More than a decade ago, I read a quote from General Stanley McChrystal, who at that time was leading all U.S. Forces in Afghanistan. His lesson was simple but powerful: “We have to start getting comfortable being uncomfortable.”
Although I’ve never had the pleasure of meeting him in person, his thinking resonates with me now more than ever. In the complex environment of COVID, where the dawning of each day introduces new variables into the equation, we can’t allow ourselves to just keep doing things the same way and expecting a different outcome. The conditions never remain static, and new complexities continuously emerge. And those complexities are often so disruptive that status quo is unobtainable.
Over this time, I’ve had many occasions to talk to my colleagues in the enterprise IT and cybersecurity space, including those in corporate America. Initially we were all yearning for the predictability of the pre-COVID good old days where everyone pretty much knew the rules, the structure of the marketplace, and the demands of our jobs. In the past, with few exceptions, we all had the ability to determine what was secure and what was at risk, but now I don’t think we are going to have that comfort for quite a while—or if ever at all.
Whether you are ensuring that your organization can retain its footing, or in my case protecting the U.S. Army’s digital assets, it’s important to understand what “uncomfortable” feels like so you can get comfortable being uncomfortable in the new now.
Let this sink in: As an example, in the Army, overnight we went from defending the traditional network perimeters at 288 posts, camps, and stations and the Pentagon in 143 countries, to literally defending the living room. Who among us could honestly say they saw that one coming? Businesses and organizations continued to function, many with increased efficiency, but the dramatic expansion of the cyberattack surface, impacted by a teleworking workforce, created a different set of challenges, never before imagined at this speed and scale.
Well, get used to that, because in the new now, at some point there will be no such thing as telework. Having witnessed the rapid acceptance of the virtual space, my prediction is it will be culturally accepted as just work. Almost overnight, “the office” has become wherever the user happens to be. Location is fast becoming irrelevant. Because in the new now, the office is where the user is. This mandates an institutional shift in how we think about cybersecurity in the rapidly changing world of the new now.
Now, we need to deal with some hard truths.
The People Problem: Reimagining the Workforce of the Future in the Race for Talent
If there is a silver lining to the pandemic and its impact on those of us charged with cybersecurity, it is that it has forced us to be more innovative, bold, and resourceful in embracing new ideas. At the very top of that list of new ideas is the need to shift our focus to, what I consider to be, the absolute center of gravity for delivering cybersecurity capabilities and all things related to digital modernization integration: Our people.
Right before our eyes, the values of the future workforce and next generation of leaders are evolving at speed and at scale, and are heavily influenced by how they digest information, mainly in the virtual space.
It is no secret, regardless of your line of business, that sustaining a skilled workforce is a key to our ability to maintain our competitive advantage. In a world where money is no longer the key variable in the race for talent equation, the fundamental question for us all is do we have the talent to compete? If not, how will we adapt traditional HR to rapidly upskill (existing capacity), reskill (legacy capacity), recruit, and retain the very best and brightest in the global race for talent? It’s a very complex question, but my instincts are that the answer lies in our ability to embrace next generation virtual training platforms and a fundamental shift in our thinking that places more institutional training emphasis on skills, rather than legacy certifications.
According to a 2019 report by the Center For Strategic And International Studies, the number of unfilled cybersecurity positions has grown by more than 50% since 2015. We all know about the huge cybersecurity and enterprise IT skills gap that exists, and I can confirm we have the same issues in the military that you face in the private sector. Automation, machine learning algorithms, and AI tools help a lot, but you still need intellectually curious, adaptive, and resourceful people to create and execute our cybersecurity and enterprise IT strategies. That means recruiting and retaining the best people, and to do that, we all need to pay a lot more attention to creating a better organizational environment, one that accounts for the ideas and issues today’s (and tomorrow’s) workforce cares about. In addition to the work/life balance I mentioned earlier, we need to put in place more substantial, meaningful and committed mentorship programs and commit to an organizational culture that puts more value on skills than on legacy certifications.
This certification issue is an important one to me, and it’s not that I don’t value traditional certifications for cybersecurity or for any technical requirement; I definitely do. But at the end of the day in the new now, all we can count on is that things are going to change, and probably dramatically so. So, certifications that are built on baselines of knowledge and competence will only go so far; in the end, smart people with a passion and superior skills make all the difference.
So how do you transition your organization to rapidly increase the cybersecurity skillset of the workforce? To properly scale your abilities in the new now, speed, flexibility, and agility matter; you can’t achieve that by simply sending people to traditional certification programs. Think of the Army and its 15,000 IT professionals, and consider how long it would take, and how much it would cost, to upskill and reskill that workforce. What is needed is institutional acceptance of post-COVID AI, machine learning-enabled virtual training platforms that not only leverage online training but also provide a virtual means to assess the current state of skills in our organizations. We need to focus on skills from the start in our training and recruiting efforts, especially in a segment where the rules of the game change so dramatically and so rapidly as cybersecurity. The world of academia is changing and so should we. Nano degrees and AI-enabled online training in the virtual space are critical enablers to winning the race for talent.
We also have to keep in mind that although defending traditional enterprise networks is still of the utmost importance, the insatiable appetite for data associated with the ever-changing environment of the new now demands more emphasis on protecting our data. We need data scientists, data analysts, data engineers, because data is the common fabric in our cybersecurity defenses. It’s the reason hackers hack—to get at our data. I’ve heard and read a lot in recent years about “data being the new oil” of the global economy, and that makes a lot of sense. But I do have a somewhat different angle on that axiom, one that fits for the military but also for any sector: Data is the new ammunition of the future fight and the fuel in the global era of great power competition.
Cybersecurity in the Business Value Proposition
For business and technology leaders, living and thriving in the new now requires understanding and confronting a few fundamental issues about cybersecurity today:
- Cybersecurity must be integrated horizontally into the culture, mindset, and DNA of your organizations. That means it must be considered as a part of every corporate action, which includes all strategy and investment decisions. From the boardroom to the conference room, especially given the dispersed nature of our workforce, cybersecurity must be horizontally integrated across all workflows and functions.
- Cybersecurity, as well as the broader set of IT initiatives, must stop being viewed through only a technology lens. Whether you run a construction company, a technology company, or a military command post, cybersecurity and IT must be aligned with the organization’s mission and value proposition. I know you’ll probably read about this issue in other chapters of this book, but it is so important and so existential to accomplishing our respective missions that it bears repeating.
- IT and cybersecurity are too important to be left to the technologists (and I say this with full acknowledgement of my status as a “recovering technologist”). Embracing cybersecurity challenges goes far beyond making sure employees don’t write their passwords on sticky notes left on their computer. Just like DevOps quickly evolved into DevSecOps as organizations realized cybersecurity’s critical impact on the business, we must commit ourselves to a greater level of collaboration among and between the business leaders and the techies.
Make Mobility a Core Business Tenet
One of my final thoughts on the new now is the primacy of mobility as a core business tenet, and the mandate to include mobility as a foundational element of future cybersecurity strategies. It wasn’t that long ago that mobility was a way for organizations to make themselves look more attractive to Gen Z and millennial employees. “And you can work from home,” went the HR sales pitch, with the often-unspoken caveat “If your manager OKs it.” That was mobility in the new normal.
In the new now, as I previously mentioned, the office is now wherever the user happens to be. Mobility is an absolute must-have, not a perk. Mobility must be as much a part of business processes as your intellectual property, marketing messages and corporate culture. You can’t operate if you don’t have mobility at the core of your workflows, and you can’t be mobile without the right security mindset at the edge of the enterprise, where the user literally lives.
Again thinking back to the onset of the pandemic, it was astonishing how quickly the cyberattack surface expanded. In the Pentagon, we went from about 1% telework to 90%-plus telework almost overnight. We went from traditional boundary cyber defenses to defending our personal space where our kids previously shared our networks, our devices, and our cloud services.
While leaders in business, education, the military, and all walks of life tried to keep up with this exponential rate of change, those who would do us harm have been watching our actions (or inactions) very closely. We must begin our cybersecurity strategies in the new now with that assumption—that all operating spaces will be contested; nothing is safe, and nothing is off-limits to our adversaries.
Let’s set aside any notion that we will return to anything that approaches our traditional definition of normal—not in work, not in many of our usual personal activities, and certainly not in cybersecurity.
Instead, embrace the new now. When you understand that tomorrow may likely be very different from today, and next week and next month and next year will be even more different, you’ll understand and appreciate the strategic shift in our institutional thinking that is required to secure our networks, our data, our identities, and our lives.
To help me reset my ideas and expectations, I still rely on my morning run. It may be one of the few remaining “normal” things in my life, especially as I transition from my life in the military to my life as a private citizen. But I’m OK with setting aside normal. Bring on the new now.
Bruce Crawford is a former U.S. Army CIO and currently Senior Vice President, Strategic Development / Growth and Sales, Critical Mission Solutions at Jacobs Engineering. This article is excerpted from the book “Navigating the Digital Age, The Definitive Cybersecurity Guide for Directors and Officers, Third Edition.”