COVID is weakening your security posture

It started out innocuously enough: one of your employees was scheduled to go to a conference in late March, but due to the pandemic the whole thing was moved online. Instead of a convention center, the conference is being hosted on an online meeting/webinar site that, prior to 2020, was a footnote at the bottom of an article about collaboration tools.

The day the conference starts, you (in your infosec role) get a call that "Security" is blocking it. So you dig in: the site needs to open some web sockets, and for whatever reason some of your security controls are breaking it. No big deal. You want to help enable your customers, so you go ahead and disable the rules for this domain, perhaps only temporarily if the whole thing seems a bit sketchy.

Now, that's not a big deal. Not really anyway. It probably won't be the threat vector that sinks your organization. Until you repeat this process on a near daily basis for the next 7 months.

Some vendors don't seem to hire a single network or infrastructure engineer on their product teams, and it shows. I had two vendors in one week ask for firewall rules allowing UDP 1023-65535. That's it. No IP range or even a domain, just "open all the high UDP ports and that should do it".

Granted, all of this goes through governance and risk approval before we can add rules, but getting a complete view of the risk profile of an entire megacorp is pretty difficult.

Defense in depth means having multiple ways to stop threat actors, but it also means that no single person has intimate details of all the defenses. That's a good thing, but also the thing that makes quantifying risk difficult.

I can't say for certain how any given change affects the cyber risk of an entire organization, but I know 2020 hasn't been kind to it.