Over the past several years our company, Schlumberger, has undertaken a massive cybersecurity modernization initiative. As part of our plan we:
- Built a next-generation “autonomous” Cyber Security Operations Center (SOC) in Houston.
- Embraced the cloud as a flexible, fast, cost-efficient and reliable cybersecurity delivery model.
- Moved towards secure network transformation with software-defined networks (SD-WAN), enhanced data analytics, Zero Trust and more.
- Deployed a distributed data lake to ensure we could deliver security protections to our employees wherever they are, whenever they need it.
- Created flexible working conditions so our cybersecurity teams could “follow the sun,” thus eliminating night shifts and encouraging – at times requiring – that our people work from home.
- Empowered other workers to work from home and provided them with tools, processes, controls and – importantly – training to be productive and safe.
We took these steps as part of a corporate-driven, strategic imperative to make cybersecurity a competitive differentiator for Schlumberger in our digital transformation journey. We did not take these measures with the expectation that in the Spring of 2020 there would be a global pandemic that would put all of our efforts to the test at once.
Yet, of course, that is precisely what happened. When our business leaders made the call to have our employees work from home in March 2020, our cybersecurity teams were prepared. Over the approximate course of a weekend, we went from about 25,000 simultaneous remote users to about 80,000, including employees and contractors.
The transition was smooth. There were no business interruptions as a result of scaling up our remote work force, and we maintained business continuity at all times with our customers as they, too, scaled up remote work.
My goal is to pass on some of the key lessons learned in the process: about the importance of business and technology collaboration; being open to new ideas such as next-generation SOC and secure network transformation; setting cybersecurity as a companywide agenda; and, critically, working with all of your teams to stress that everyone is responsible for cybersecurity.
Business and Tech Collaboration
Our board has elevated cybersecurity to a top five priority. This happened because of strong communication and collaboration between the business and technical sides. Our board and executive teams were open to ideas from the tech team, and we on the tech side focused on communicating a risk-based approach to cybersecurity.
Once you understand risk tolerance, you can build a risk-based strategy with the appropriate mitigation controls and technology investments. For example, we focused on technology visibility across the entire organization in order to identify and eliminate blind spots. We homed in on excess privilege as well as awareness, training and basic cybersecurity hygiene to mitigate the impact of human error.
Mobile-first was a critical aspect of our digital transformation strategy because management wanted our people to work from anywhere and still have safe access to all of the resources they needed. Our responsibility was to enable and secure that, not to put up obstacles.
The main impetus for building the next-generation SOC was that our previous solution would not scale. It seemed as if the more people we put on it, the more attacks we would get. And it didn’t matter how many people we hired; we could not handle 100% of the work.
So we looked at the key issues, starting with our people. Even with extensive automation, the SOC is only as good as your people. SOC analysts are a hot commodity, given the industrywide skills shortage. We realized that investing in automation would help our teams, rather than replace them.
Secure Network Transformation
In conjunction with investing in the next-generation SOC, secure network transformation was also a critical area of innovation, including the shift to cloud for cybersecurity and the growing use of technology innovations such as SD-WAN to support and secure a rapidly growing “edge” environment, including remote workers.
Many of the security tools we use in the SOC are in the cloud, which makes it simpler for our teams to have access to current versions, as well as the most up-to-date threat intelligence. With the cloud, we have been able to build a distributed data lake, making it simpler, more efficient and more cost-effective to have distributed security data delivered where it is needed, whenever it is needed.
None of us knows everything there is to know about cybersecurity. Our adversaries are constantly changing and adjusting, seeking to stay one, two, three, four or more steps ahead of us. We have found that working with expert partners, and finding partners that you trust, has been critical. It has given us confidence that we are investing in cybersecurity tools and platforms that not only address current needs, but also position us to react quickly and appropriately to the unknown and the unexpected.
Preparation, Training and Awareness
Everyone is responsible for cybersecurity. If you adopt that as a mantra, it will guide your actions and decision-making processes when it comes to the critical areas of preparation, training and awareness. For our employees, cybersecurity is part of our corporate culture. I consider every employee to be a cybersecurity sensor. We ask key people to take a cybersecurity test every year; if you don’t pass this test, then you have limited privileges.
When we began implementing our cybersecurity modernization strategy several years ago, we didn’t know there would be an event like COVID-19 on the horizon. But by focusing on our people, processes and technologies, we were prepared for virtually anything.
As for the future, we don’t know what it holds, particularly when it comes to the ever-changing world of cybersecurity and navigating the Digital Age. But we do know this: whatever happens, we are prepared to the best of our abilities.
Mario Chiock is a Schlumberger Fellow and former Chief Information Security Officer. This article is excerpted from the book “Navigating the Digital Age, The Definitive Cybersecurity Guide for Directors and Officers, Third Edition.”