This is a contributed article by Ben Carr, Chief Information Security Officer, Qualys.
The role of the CISO is changing as security is treated less and less as a silo. Businesses are starting to see that, in order to protect their organisation, they need a true business leader in the role. In an unprecedented year, the CISO has had to make many decisions very quickly that align with the business while maintaining sound risk tolerance and policy.
This is unlikely to change in 2021, when CISOs will face budget stress, new risks and a new work economy. What will 2021 hold for CISOs, and where should they put their efforts to have the most impact?
Prediction #1 - Cleaning up after the pandemic means back to basics
After 2020 was spent scrambling to cope with COVID-19, CISOs will want to double down on doing the basics well over the next year. They will want to get ahead of malware and recognise that security hygiene is vitally important, so those that don’t yet have a program in place will want a workflow that covers how to scan for, investigate, prioritise and neutralise threats.
Making this work in practice will mean having accurate asset inventory lists, something that went out the window for many companies when they had to rush into dealing with COVID. Getting this list accurate and keeping it up to date will be on many to-do lists in 2021. With this comes the problem of legacy technologies, for instance in asset management, and that is reflected in changing vendor models, where ‘cloud first’ approaches will become more popular.
As is to be expected, COVID-19 has had an impact on spending, and companies will want to tighten budgets and assess the efficacy of the programs they have in place. CISOs are going to want to be good corporate citizens and will likely seek either to make their existing budgets stretch further or to trim costs where they can. This is an area where the trend towards consolidation by vendors can reap benefits and demonstrate the emergence of the business-aligned CISO.
As we emerge from the pandemic, I doubt that pocketbooks will be opened quickly as the situation is prone to changing in waves and there will be a hesitancy to commit to unwarranted expenditure. Next year organisations will want to refocus what they already have.
With staff reductions or with new staffing, it is going to be challenging to focus on anything new, but we will see organisations continuing to pivot to the cloud as that is a survival requirement. In fact, we’ve seen an acceleration in the move for those organisations that weren’t there already.
Prediction #2 - Remote working is here to stay
There will be a big push for companies that aren’t fully all-in on cloud to adopt new and cost-effective ways to gain visibility: to understand what their assets are and what their attack surface looks like. We are also going to see companies decide that they are not going back to the office. This trend towards a more diverse, disparate and distributed workforce will have a huge impact on cybersecurity. Cost benefits will be a factor, as the need for expensive office space and travel comes under greater scrutiny; as a result, expect remote work to become the new norm for many.
As we’ve seen during work-from-home orders, the workforce requires protection everywhere. This will involve a permanent pendulum swing from security that focuses on the network to security that relies on agents installed on each device, wherever that device happens to be. The focus has to be on where company data is located, and that is where the controls need to be in place.
It will be crucial to monitor these remote hosts for security hygiene for a number of reasons: first, it minimises downtime for assets and users; second, it reduces a company’s exposure to breaches or exploits from malware or APTs; and third, the monitoring serves as evidence for compliance and risk audits.
For next year, CISOs will have to think about visibility everywhere in order to be secure everywhere.
Prediction #3 - Doubling down on Zero Trust
If there is one group of technologies that vendors seem to be doubling down on, it’s Zero Trust. This really is an area where value can be obtained, but it is ultimately more of a methodology than a product. It describes a model for how you run your security program and infrastructure, one which prioritises data classification and understanding the data flows within your organisation.
As the name suggests, it’s a model that centres on not trusting anything inside or outside an organisation’s perimeter and cutting off all access by default. Zero Trust is popular because in our old scenario we used to say that Bob is in the trusted office environment and has access to what he needs, but Bob is not coming into the office anymore. He can now work from home, or from a coffee shop in London, or from a ski resort in Colorado for a month. In these disparate settings, there is a need to identify a user and confirm them as authorised before anything else happens. Authorisation is not just about username and password: CISOs need to be thinking about changing the authentication requirement based on location, time and even variables like velocity (how far a user appears to have moved since their last login).
For Zero Trust approaches to work, CISOs will need to have trust in their approaches and in who supports them in achieving this. It has to be addressed holistically to be really effective. Security vendors are already jockeying for position in this area as they see the market opportunity and the dollar signs, but companies will quickly conclude that they need to plan ahead under this model. Companies, for instance, won’t want ten separate agents on a device, each covering a specific security need; that will slow down systems and dent productivity. Faced with budget cuts, they will want to achieve this visibility and control by doing more with less. Again, consolidation seems to be the new trend that CISOs will want to look for where it makes good business sense.
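The location, time and velocity checks described above, worked through as an added example that is not part of the original article or of any Qualys product: a deny-by-default access decision in Python. The 900 km/h "impossible travel" ceiling, the 100 km "new location" radius, the business-hours window, the trusted-device registry and Bob's sample logins (office and coffee shop in London, ski resort in Colorado) are all constructed for illustration.

```python
"""Context-aware access decision: an added example (not from the article)
of deciding on location, time and velocity with nothing trusted by default.
Thresholds, the device registry and the sample events are constructed."""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
import math


class Decision(Enum):
    DENY = "deny"
    STEP_UP = "step_up_mfa"
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessEvent:
    user: str
    at: datetime        # timezone-aware timestamp of the login attempt
    lat: float
    lon: float
    device_id: str
    mfa_passed: bool = False


# Assumed policy parameters (not from the article).
MAX_PLAUSIBLE_KMH = 900.0       # faster than this between logins is "impossible travel"
NEW_LOCATION_KM = 100.0         # further than this from the last login is a new location
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC treated as normal working hours
TRUSTED_DEVICES = {"bob": {"laptop-07"}}   # constructed device registry


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def travel_speed_kmh(prev, cur):
    """Speed the user would have needed to move between two login events."""
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours


def decide(prev, cur):
    """Return (Decision, reasons). Any contextual anomaly requires step-up
    MFA; physically impossible travel is refused even if MFA succeeded."""
    reasons = []
    if prev is not None and prev.user == cur.user:
        speed = travel_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_KMH:
            return Decision.DENY, [f"impossible travel: {speed:.0f} km/h"]
        if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) > NEW_LOCATION_KM:
            reasons.append("new location")
    if cur.at.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if cur.device_id not in TRUSTED_DEVICES.get(cur.user, set()):
        reasons.append("unrecognised device")
    if reasons and not cur.mfa_passed:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


def _ev(iso, lat, lon, device, mfa=False, user="bob"):
    return AccessEvent(user, datetime.fromisoformat(iso), lat, lon, device, mfa)


# Constructed sample events: Bob's office is in London; he later works from
# a London coffee shop after hours and from a ski resort in Colorado.
OFFICE = _ev("2021-01-04T09:00:00+00:00", 51.5074, -0.1278, "laptop-07")
CAFE_LATE = _ev("2021-01-04T22:00:00+00:00", 51.5145, -0.0990, "cafe-tablet")
VAIL_SAME_DAY = _ev("2021-01-04T10:00:00+00:00", 39.6403, -106.3742, "laptop-07")
VAIL_NEXT_WEEK = _ev("2021-01-11T15:00:00+00:00", 39.6403, -106.3742, "laptop-07")
VAIL_WITH_MFA = _ev("2021-01-11T15:00:00+00:00", 39.6403, -106.3742, "laptop-07", mfa=True)


def run_samples():
    """Evaluate each constructed scenario; returns {name: (decision, reasons)}."""
    cases = {
        "office_first_login": (None, OFFICE),
        "cafe_after_hours_new_device": (OFFICE, CAFE_LATE),
        "impossible_travel": (OFFICE, VAIL_SAME_DAY),
        "ski_resort_new_location": (OFFICE, VAIL_NEXT_WEEK),
        "ski_resort_after_mfa": (OFFICE, VAIL_WITH_MFA),
    }
    results = {}
    for name, (prev, cur) in cases.items():
        decision, reasons = decide(prev, cur)
        results[name] = (decision.value, reasons)
    return results


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:30} {decision:12} {reasons}")
```

The velocity check is the one signal that cannot be satisfied by a second factor: a login from Colorado an hour after one from London is refused outright, whereas a trip a week later merely prompts for MFA because the travel is plausible. Time of day and an unregistered device are treated the same way, as anomalies that raise the bar rather than block by themselves.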
Prediction #4 - Ransomware will remain a serious threat
This year we’ve seen the growing prevalence of ransomware and, unfortunately, it is likely to increase in 2021. This is primarily down to the monetisation factor. With people laid off or potentially impacted by COVID-19, and markets affected by the pandemic, we are seeing a trend towards increased monetisation both from Advanced Persistent Threat (APT) teams, such as nation-state and state-sponsored groups, and criminal organisations. In particular, ransomware will continue to impact the healthcare sector, where bad actors have concluded that the threat to life makes this sector more likely to pay.
The scale of the problem was recognised in the guidance from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in October. In an effort to clamp down on ransom payouts and the use of ransomware insurance, US organisations were reminded that they are prohibited and civilly liable if they engage in transactions, even indirectly, with individuals or entities that are either on the Specially Designated Nationals and Blocked Persons List (SDN List) or from countries covered by country or region embargoes, such as Iran and North Korea.
I expect we will see high-profile cases next year where OFAC follows through on its warnings when companies don’t comply. For CISOs, the financial threat of fines should put the emphasis on better preparation for ransomware attacks through better asset visibility and in-depth business continuity planning around data. It is prudent to revisit backup and recovery plans and procedures, which have not been a primary focus recently because many feel the transition to cloud mitigates the need to some extent; this is proving to be a misconception.
There were so many events outside CISOs’ control in 2020, but those CISOs who had a good program in place made the transition to a remote workforce relatively easily. Those who didn’t struggled during 2020. Next year will provide an opportunity to take stock, both literally and figuratively, of how those projects went.
Business challenges that affect security will come at CISOs thick and fast in 2021. By refocusing on the importance of the basics, such as ensuring visibility into assets, maintaining security hygiene and integrating solutions effectively, CISOs can enable their businesses to weather the storm. Amid the change and uncertainty that CISOs are trying to navigate, given the current situation and the likely continued forecast for 2021, they should use this as an opportunity to better align with the business and seek inroads that may offer a bigger seat at the table.