After nearly two years of the COVID-19 pandemic, you would think we would be used to working in this hybrid environment. However, the world of security is one where huge curveballs can come out of nowhere (thanks, Log4J). Getting the basics right is still frustratingly out of reach for many teams despite all their best efforts.
In putting together this list of New Year Resolutions, I would like to pay tribute to all the teams that put in so much effort to keep systems secure and operational. This list is to help you take a step back, work on improving based on your current situation, and support your future development.
Resolution #1 – Complete that asset inventory, and keep it up to date
Asset management is one of the most important things that IT can do, but it often gets overlooked. In a rush to implement new services or support applications the business demands, keeping the lights on can easily get pushed back. The tasks involved here are essential to security. It is still true that you can’t secure what you don’t know about.
This is especially true after COVID led to huge remote working projects getting greenlit virtually overnight. Some employees simply took their corporate assets with them. Others bought new devices. It left some IT teams having to specify and provision devices with little or no hands-on input.
All of those individual decisions add up. Asset estates are larger and more varied than the official asset register suggests. For IT Security teams, dealing with this should be a priority in 2022. Remote and hybrid work will be the normal approach in future.
Keeping your asset inventory accurate will help you prioritise work and keep sudden critical vulnerabilities from swamping your team. Any new threat can lead IT teams to put all hands to the pumps to keep things secure. Importantly, an accurate inventory keeps your overall risk down.
Resolution #2 – Build your Software Bill of Materials
In 2021, we have seen Software Bill of Materials (SBOM) projects become more important. The Biden Government in the US has mandated that all suppliers have to maintain SBOMs as part of what they deliver. It will allow public bodies to know what is in their software supply chain and guard against problems. This approach will expand out to become a best practice for all DevOps and IT Security teams.
What does this mean for IT Security and software development teams? It offers a chance to collaborate to get an accurate inventory of what goes into any software projects that you produce for customers and put the right approach in place to manage SBOMs from suppliers. It can then lead to more work on ‘security by design’ principles being put in place for software development.
As the Log4J security issues have shown in December 2021, companies can have issues both in their own products and in the products they use. An accurate SBOM makes it easier to find where updates are needed and to manage them. It also ensures your defence-in-depth process works.
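As an added example (not from the original post or from Qualys), here is the kind of check an accurate SBOM makes possible: it walks a constructed CycloneDX-style SBOM, including components nested inside other components, and reports every copy of a named artifact whose version is below a fixed-in version. The SBOM contents, the advisory id and the affected range are all made up for illustration.

```python
import json

# Constructed SBOM fragment in CycloneDX JSON layout; every component and version is made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"type": "application", "group": "com.example", "name": "billing-service", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.1"}
     ]}
  ]
}
"""

# Constructed advisory with a placeholder id; the affected range is illustrative, not a real bulletin.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "group": "org.apache.logging.log4j",
            "name": "log4j-core", "fixed_in": "2.17.1"}

def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable key; a '-tag' suffix sorts below the bare release."""
    base, _, tag = version.partition("-")
    numbers = tuple(int(part) for part in base.split(".") if part.isdigit())
    return (numbers, 0 if tag else 1, tag)

def iter_components(components):
    """Yield every component, descending into nested 'components' lists (CycloneDX allows nesting)."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))

def affected_components(sbom, advisory):
    """Return 'group:name@version' for components the advisory names whose version is below fixed_in."""
    fixed = parse_version(advisory["fixed_in"])
    hits = []
    for component in iter_components(sbom.get("components", [])):
        same_artifact = (component.get("group") == advisory["group"]
                         and component.get("name") == advisory["name"])
        if same_artifact and parse_version(component["version"]) < fixed:
            hits.append(f"{component['group']}:{component['name']}@{component['version']}")
    return hits

def find_affected(sbom_json=SBOM_JSON, advisory=ADVISORY):
    """Parse the SBOM document and report the components that still need updating."""
    return affected_components(json.loads(sbom_json), advisory)
```

The nested copy bundled inside billing-service is the case a flat package listing misses, which is why the walk descends into sub-components.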
Resolution #3 – Expand IT Security to cover operational technology too
In December 2021, the UK Government published its cyber security blueprint, including new measures to secure operational technology assets. Operational technology, or OT, describes all the assets used to run processes in industries like manufacturing, utilities and energy.
In practice, OT Security is around ten years behind where the IT Security industry is today. Bringing these best practices up to speed is essential because OT assets are being connected to company networks. This is so companies can access the data from these assets and use it to improve performance. This process is essential for business, but it introduces new risks too.
OT assets are typically big, expensive purchases that have to work continuously for years, even decades. Keeping them up to date is hard due to the cost of downtime. Many of these assets have not been patched for years.
In 2022, IT Security teams will have to take over keeping these assets secure. To achieve this, you should audit your assets and check for known issues as part of any project. It is an opportunity to lobby for putting better controls in place and providing guidance on how to mitigate risks over time. Finally, implement a full defence-in-depth approach that stops any unauthorised access from internal networks, based on Zero Trust principles.
Resolution #4 – Look at your team’s future
We rely on technology to keep our operations running smoothly and securely. But these tools are only as good as the people who use them. Even with automation and AI in place, your security team is the most effective resource at your disposal.
According to ISC2, there are 2.72 million open positions for cybersecurity professionals worldwide. The number of roles filled continues to go up, which is good news, but getting people in is hard work. Similarly, according to research by Randstad, 24 percent of employees are confident they could find a new role in three to six months. This compares to 11 percent of employees moving company during a normal year. It makes managing and supporting your team effectively more important than ever.
One solution is to look at your pipeline for potential talent coming in. Investing time in training and developing people with the right aptitude and culture fit can be more effective and less expensive than recruitment. It can expand the range of viewpoints and backgrounds on your team, helping improve your Security Operations Centre. And it can provide more opportunities to work on your processes across the team.
Alongside investing in your team development, you should also look at your own approach. Understanding people and what drives them is essential to the overall success of your team. Work on your emotional intelligence, so you can support your team members better, spot potential issues, and keep them happier in their roles.
Resolution #5 – Automate and consolidate where you can
As part of your approach in 2022, look at ways to improve efficiency across the team. Automation should be on that list. In practice, this will involve looking at your tools and how they can support your processes with better visibility.
This goes beyond your SIEM and into the wider security toolset. Rather than automating specific tasks, you will have to think about processes and tools in context. This approach comes under the banner of Extended Detection and Response, or XDR. It involves looking at your whole enterprise to integrate and correlate security telemetry across the security stack for threat detection and automated response opportunities, rather than looking at each group of assets in its own silo.
Alongside automating steps where you can, you should also consider how you might consolidate your security tools. This work should not be financially motivated. Even though you might get some savings from cutting out additional license costs, that should not be your primary goal. Instead, look at improving your process and reducing the number of steps that your team has to go through to achieve results.
Staff time is the most precious resource you have available. Anything that can maximise this should be on your list to work on. By looking at your tools, processes, and team, you can make 2022 a better year for your security function.
Founded in 1999, Qualys is a cloud security company that provides a range of information security and cloud compliance solutions. Qualys has established strategic partnerships with leading managed service providers and consulting organisations including Accenture, BT, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT and Verizon. The company is also a founding member of the Cloud Security Alliance (CSA).