The CISO’s guide to securely handling layoffs

Today’s economic reality means that most organizations are cutting jobs.

The situation is tough on all involved, but it presents an additional challenge for CISOs who must contend with the heightened security risks posed by laid-off workers who through either inadvertent activity or deliberate actions can harm the company. They might download data that they shouldn’t thinking it could help their career, not realizing that they’re doing anything wrong. They could not return company devices that they took home to work on. Or some of the remaining staff, embittered by the layoffs, might sabotage the company.

CISOs must be prepared for all such scenarios during these times, experts say.

“The CISO is paid to be suspicious,” says Gregory J. Touhill, a retired U.S. Air Force brigadier general who served as the first federal government CISO during the Obama administration. “While the evidence points to the fact that [the] vast majority of people aren’t malicious, the CISO needs to be acting as if every entity could turn into a malicious actor. It’s a very difficult task, particularly if the layoffs are occurring in the CISO’s organization itself.”

To limit the potential for a security incident as layoffs occur, experts offer the following 10 best practices:

Be part of the decision-making team

CISOs should be included as soon as discussions about possible layoffs start, experienced security leaders say. That allows CISOs and their teams to put in place as early as possible their plans to limit risks, something that’s usually needed ASAP as employees often learn about possible job cuts even before they’re formally announced.

“Communication between human resources and the security staff needs to be timely and coordinated, so that when an individual has to part ways with the company, the CIO can be sure they’re safeguarding the organization,” says Touhill, now an adjunct faculty member at Carnegie Mellon University’s Heinz College of Information Systems and Public Policy.

Without that kind of early and ongoing communication and coordination with CISOs, he says, the organization faces a heightened chance that one or more employees could take away sensitive data or make malicious moves that might seem innocuous in regular times but raise red flags on an employee’s last days.

Revisit who can access what

Experts advise CISOs to review their access, authorization and authentication programs well in advance of any terminations and ensure they have adequate controls in place to monitor activity as well as detect anomalies that could indicate data leaks, breaches or threats related to layoffs.

Such work is a bedrock of a solid security program, and as such security teams generally have such policies and controls already in place. And while CISOs should be periodically reviewing them as a matter of routine, they’d be well advised to revisit them now and adjust as needed for these particularly turbulent times and limit access wherever it makes business sense, says Bruce deGrazia, program chair for cybersecurity management and policy at the University of Maryland Global Campus.

“Even if you’re not contemplating cuts, it’s a good thing to do and it should be done frequently,” deGrazia adds.

Document and audit the environment

Similarly, potential layoffs should prompt CISOs to document and audit the environment, reviewing and updating such information if it’s already in place and confirming that they have the appropriate security technologies in place to flag, report and even address suspicious actions, says Chris McElroy, a senior consultant at Swingtide, a management consulting firm.

CISOs need good documentation so they’re confident that as soon as layoffs happen they can eliminate those employees’ access to all systems, whether they’re accessing those systems through a single sign-on or even outside that single sign-on function. This documentation is a particularly important when layoffs involve technologists or senior team members who often have access to IT infrastructure and the most sensitive organizational information, respectively, as well as for employees in departments that have their own budget to buy and run software. CISOs want to make sure a dismissed employee can still access a rouge system holding company data.

At the same time, McElroy advises CISOs to revisit their data loss prevention (DLP) program as well as their DLP software and the rules that govern it along with other controls to be sure that they’re able to monitor and prevent unauthorized access, use, disclosure or leakage of data.

Monitor and detect

The next step is to make those security technologies work overtime, by using the tools to monitor activity to detect unusual attempts to view, copy or move data as well as to flag any attempts to access or modify systems, Touhill says. CISOs should be monitoring for such signs of inappropriate access in the time leading up to layoffs as workers often learn about job cuts in advance.

As workers may be accessing information as part of their regular job duties, CISOs and their teams may have to tease out fine distinctions in access that could alert them to potential data loss. Workers, for example, might access data to complete a task in the office but try to download or email that information thinking it could help them in their next place of employment.

Touhill says organizations need the capacity both to observe normal actions and to identify abnormal ones as well as the capability to complete a forensics investigation in the event that officials discover a data loss after the fact.

Coordinate the timing

Timing is critical when it comes to employee departures, as the security team needs to be ready and able to terminate someone’s access to every and all systems and devices as soon as the layoff happens, says Sounil Yu, the CISO in Residence at YL Ventures. That means shutting off log-in access as well as disabling key cards and the like in a move that’s well-orchestrated with the human resources team, supervisors and business leaders. “You want to synchronize the cutting of access all at the same time,” Yu said. “That includes the obvious things around network log-ins or access to various enterprise services, but [security teams] often forget about cloud services or service accounts.”

Plan for off-site devices and workers as well as today’s unique circumstances

The pandemic has complicated the already difficult job of executing layoffs for all involved in the process, experts say. That means CISOs have some extra items to consider. For example, many CISOs today have to consider how the rapid shift to remote work opened up risks that must be sealed off if and when those employees are terminated. That may include having to physically retrieve company devices that went off site in an unprecedented volume as the pandemic quickly forced employees to work from home.

Yu advises CISOs to work with functional managers and HR to develop a strategy to ensure any off-site devices come back to the organization; they might, for instance, decide to withhold severance pay until those devices are returned.

Yu says CISOs may also want to consider whether they should pause, rather than completely cut, access to systems if workers are just furloughed – something that could smooth their return to work when times get better.

“The circumstances of today significantly complicate the job for CISOs,” Yu says, “which again points to the need for the CISO to be in on all these major management decisions.”

Leverage legal resources

In advance of layoffs, experts say CISOs and their legal department counterparts must work together to reinforce messaging that can be shared with departing workers. Such messages may include, if applicable, a reminder about the rules that the workers agreed to follow when they first joined the company and also could include new information about workers’ expected roles in safeguarding the company’s security even as they part ways.

“Workers should be reminded that there are legal implications to some actions. It might do no good, but you have to cover all the basis,” deGrazia says.

Readjust your team and your security agenda

Another challenging and particularly painful part of layoffs during these times is the likelihood that people on the CISO’s own team will be let go. Experts emphasize the need for CISOs to treat their own team as they would others, terminating access to all data and systems immediately. Moreover, they have to be particularly mindful to shut down any backdoors that their security people may have created as part of their duties.

Additionally, CISOs, like their business-side counterparts, need to have a plan ready to run their security operations with fewer people. Yu says CISOs might invest, if possible, in more automation to help the department do more with fewer people, but he says many CISOs will need to be realistic about the probability that less work will get done with a reduced staff. In that case, Yu says CISOs need to re-evaluate business priorities and then re-align their security resources to those priorities, working with the business so all are clear on the new risk levels that exist as a result of layoffs.

Be mindful of those still left at work

Technical considerations are only part of the task at hand for CISOs. They need to consider the personal impact that layoffs take on people, including the remaining staff who will likely be stressed and possibly angered by the situation.

“Having been through this in the past I can tell you it takes its toll on everyone, so don’t forget to think about what it’s doing to the people that are spending hour after hour turning off the access for friends and colleagues,” says Bil Harmer, a 30-year IT and cybersecurity leader who is now CISO at SecureAuth. “It’s important to have empathy and think of the human impact on those left behind. Monitoring is critical after such an event as it inevitably changes the perception of some of the people that were not let go. This is the time when insider retaliation can be at its peak.”

Still, keep the company’s safety front and center

Even as experts advise CISOs to acknowledge the stress and anxiety that comes with layoffs, Harner says security rules are sacrosanct.

“At no point after an involuntary termination should the employee be allowed to touch any system owned by the company,” Harmer says. “This is for everyone’s protection. If they are emotionally distraught it is not a far leap to hitting the ‘delete’ key on something and ending up in a world of hurt. People do strange things under pressure and removing the possibilities ensures the safety of both sides.”