For CISOs, 2020 was not a normal year. Instead, CISOs had to make multiple decisions very quickly around security, remote working and keeping the lights on. The impact of these decisions has caused a shift in how companies operate. It leaves CISOs facing a big task around aligning with the business while still maintaining good risk tolerance and policy.
Over the next twelve months, CISOs will contend with budget stress, a new work economy and adopting new approaches to security. They will also have all the traditional IT security management tasks that they had in the past. Ben Carr, CISO at Qualys, provides some New Year Resolutions to help.
1: Focus on the basics
2020 was spent scrambling to cope with COVID-19. At the start of 2021, we should take a moment to reflect on its impact, and then double down on doing the basics well over the next year.
Why is this? With so many new threats, new challenges and new technologies to consider in the race to keep our businesses secure, why should we re-evaluate the basics? Because all the changes that took place in 2020 are still bedding down, and some of them may become permanent. The rush to equip people with the right IT at home meant that many assets went out the door without full preparation. In the next year, we will have to deal with the consequences of those decisions.
Getting the basics right is about established best practices and security hygiene. If you don’t have a program in place, or have found your existing processes broken in the rush to remote working, use this as the opportunity to put new workflows in place that cover how to scan, investigate, prioritise and neutralise threats.
Making this work in practice will mean your teams having accurate asset inventory lists. Accurate inventories went out of the window for many companies in the rush to deal with COVID. Legacy approaches that focused solely on assets connected to the network won’t be able to cope with the remote working arrangements that are now in place. This should be a reason to look at your overall approach to asset discovery and inventory, and to think ‘cloud-first.’
2: Think through your budget for consolidation opportunities, not cuts
As we emerge from the pandemic, I doubt that the cheque books will be opened quickly. While security should be effectively ring-fenced in enterprise IT budgets, the situation is not predictable. There will be a hesitancy to commit to unwarranted expenditure.
With staff reductions or new staffing, it is going to be challenging to focus on anything new. However, we will see organisations continuing to pivot to the cloud as that is a survival requirement. In fact, we’ve seen an acceleration in the move for those organisations that weren’t there already.
Look at what you already have. Can you make better use of these assets, whether they are individual devices or security solutions? The need to stay budget-sensitive will lead to discussions around consolidating platforms to avoid unnecessary spending or overlap. It’s a chance to potentially do more with less. As CISOs, we can look at interoperability and integration, which lets us use the right products and services to achieve what we want. Rather than ten software agents performing discrete jobs, we can reduce this down to cover as many tasks as possible with fewer agents. This approach should keep costs down and productivity high.
It can also help us keep our staff levels the same. Reducing headcount might be an option, but making existing staff more efficient through automation and consolidation can help find cost savings that can make this unnecessary.
3: Make secure remote working the default
We will see companies that decide that they are not going back to the office in the foreseeable future. It means that office working will be occasional rather than mandatory. Supporting these decisions will involve making remote working the norm and gearing our security strategies to deliver this. To achieve this, we should look for cost-effective ways to gain visibility, understand what our assets are and what their attack surface looks like.
As we’ve seen during work-from-home orders, a remote workforce still requires security controls. There’s going to be a permanent pendulum swing from network security to networked agents on the endpoints themselves. In a remote working setting, the focus has to be wherever company data is located, and controls then need to be in place to manage security where that data is.
It will be crucial to monitor these remote hosts for security hygiene for several reasons:
- This will minimise the downtime of assets or users.
- It will reduce a company’s exposure to the breaches or exploits from malware or advanced persistent threats.
- This monitoring serves as evidence for our compliance and risk audits.
For next year, we will have to think about visibility everywhere in order to be secure everywhere.
4: Create a health metric that the board can understand
Security is being seen less and less as a silo, which means the role of the CISO is changing. Both sides want this change. CISOs want to participate more in the business and offer more value. The business is starting to realise that our roles need more support and authority to achieve everything needed.
To make it easier for the business to understand what is going on, another resolution for this year is to create a simple metric that can explain an enterprise’s security posture. For many companies, going into too much technical detail around threats blocked or attacks prevented is overkill. Instead, you can provide more effective insight by making the data simple to understand at a high level and then dive into detail when there are specific problems.
Using a health metaphor can make this easier too. We all know that going to the dentist should help us stay healthy and prevent bigger problems over time. Applying this same approach to IT security can help over time in defining what “good security” looks like for the specific organisation. It also helps provide evidence that your strategy is effective.
5: Consider Zero Trust Methodology
One group of technologies that vendors seem to be doubling down on is Zero Trust. It’s important to treat this as more of a methodology and less as a set of specific products. Zero Trust prioritises data classification and an understanding of the data flows within your organisation.
As the name suggests, it’s a model that centres around not trusting anything inside or outside an organisation’s perimeter and cutting off all access by default. Zero Trust is popular because of the challenges that come with remote working. Disparate settings, from the traditional office and home office to coffee shops and co-working spaces anywhere in the world, mean there is a need to identify a user and confirm them as authorised before anything else happens. When considering authorisation, it’s not just about username and password: CISOs need to be thinking about adapting authentication based on location, time and even variables such as velocity.
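The location, time and velocity signals described above, worked through as an added example that is not from the original article or from Qualys: a small context-aware access decision that runs after the password check, defaults to denying or stepping up authentication whenever the context is unexplained, and treats an implausible travel speed between two logins as impossible travel. The allow-listed countries, business hours, speed threshold and sample logins are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Policy thresholds: constructed for this example, not any vendor's defaults.
ALLOWED_COUNTRIES = {"GB", "DE", "US"}    # countries from which access is expected
BUSINESS_HOURS = range(7, 20)             # UTC hours during which a plain login is acceptable
MAX_PLAUSIBLE_SPEED_KMH = 900.0           # faster than an airliner between two logins = impossible travel

@dataclass
class LoginEvent:
    user: str
    country: str
    lat: float
    lon: float
    at: datetime

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two coordinates (Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def evaluate(prev: Optional[LoginEvent], cur: LoginEvent) -> Tuple[str, List[str]]:
    """Decide 'allow', 'step-up' (require a second factor) or 'deny' for a login whose
    password already checked out. Any unexplained context forces at least a step-up."""
    reasons: List[str] = []
    if prev is not None and prev.user == cur.user:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.at - prev.at).total_seconds() / 3600
        # Velocity check: distance covered since the last login must be physically plausible.
        if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            reasons.append(f"impossible travel: {km:.0f} km since last login {hours:.1f} h ago")
            return "deny", reasons
    if cur.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country {cur.country} not on the allow-list")
    if cur.at.hour not in BUSINESS_HOURS:
        reasons.append(f"login at {cur.at.hour:02d}:00 UTC is outside business hours")
    return ("allow" if not reasons else "step-up"), reasons

def event(user: str, country: str, lat: float, lon: float, hour: int) -> LoginEvent:
    """Constructed sample login on 4 Jan 2021 at the given UTC hour."""
    return LoginEvent(user, country, lat, lon, datetime(2021, 1, 4, hour, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    london = event("alice", "GB", 51.5074, -0.1278, 9)
    for nxt in (event("alice", "GB", 53.4808, -2.2426, 12),    # Manchester, 3 h later: allow
                event("alice", "US", 40.7128, -74.0060, 10),   # New York, 1 h later: deny
                event("alice", "GB", 51.5074, -0.1278, 23)):   # London, late at night: step-up
        print(nxt.country, nxt.at.hour, evaluate(london, nxt))
```

In a real deployment the previous login would come from the identity provider's sign-in log and the decision would feed a policy engine rather than a print statement.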
For Zero Trust approaches to work successfully, CISOs will need confidence in their own approaches, in the vendors they work with and in who supports those vendors. In 2021, consider which partners can provide you with data to help your decision-making process, and how you can use this over time as part of any move to adopt Zero Trust.
2021 will involve a lot of refocusing on security basics, such as ensuring visibility into assets, security hygiene and integrating solutions effectively. Looking at these resolutions can help us to weather the storm and ensure our operations are effective.
Founded in 1999, Qualys is a cloud security company that provides a range of information security and cloud compliance solutions. Qualys has established strategic partnerships with leading managed service providers and consulting organisations including Accenture, BT, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT and Verizon. The company is also a founding member of the Cloud Security Alliance (CSA).