Advice for Executives to Watch Next Year
2020 completely changed the way workforces operate. Digital transformation went from an emerging trend to a necessity for survival. Certain industries were brought to their knees: some didn’t make it, while others thrived. One of those industries that thrived was cyber crime.
As millions scrambled and were hastily deployed to work-from-home environments, organized crime, nation-states, and amateur hackers alike exploited the weaknesses. The arms race was already lopsided – the sophistication of malicious actors had accelerated even before COVID-19 struck; however, the location scramble of the Spring of 2020 exposed flaws that hackers took advantage of. ZDNet covers the worst attacks and flaws here. You can see they range from accidental data exposures (Virgin Media, Whisper) to malware infestations (UCSF, Blackbaud, Carnival), culminating with the attacks on FireEye & SolarWinds.
As we look ahead to 2021, there are some trends executives can expect to emerge. Here are my top 5 predictions coupled with some advice for those leaders looking to better prepare their teams for the cybersecurity battle:
1. The Cloud Giveth and The Cloud Taketh Away
The move to the cloud was already in full stride when the pandemic hit. When thousands of companies moved to remote working (practically overnight), cybersecurity teams had to hustle to try and secure as many of these new work-from-homers as possible. More so, many businesses were forced to accelerate their digital transformation initiatives and leverage cloud services to do so. Retailers and restaurants launched new curbside pickup and delivery services, grocers who couldn’t afford to build their own online shopping and delivery service jumped on the Instacart bandwagon (whose sales at one point were up 500% YoY.)
To keep up with an accelerated digital/cloud transformation like this, software security must move to a risk-based focus (vs. a vulnerability-based one.) Automating and orchestrating security as part of the software build/deploy pipeline will become increasingly important. Security teams and development teams, already overburdened and under-resourced, will look to cloud services to help. This means an increased demand for API security, cloud application security, and a consolidated approach to software risk reduction across the teams that build, operate, and defend software.
For all of the scale and automation the cloud provides, it is also a field of misconfiguration landmines that have led, and will continue to lead, to massive data breaches and security flaws. The move to the cloud means that teams need to learn new security skills and consider the full deployment infrastructure as part of the development and threat modeling process. When this doesn’t happen, vulnerabilities are introduced. IAM (identity & access management) and service misconfigurations are the most common way easily exploited security holes end up in deployed systems.
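The IAM misconfigurations the paragraph warns about are usually a handful of recognizable patterns: a statement that allows every action, one that is not scoped to specific resources, or a resource policy that names an anonymous principal with no condition. The lint below, an added example that is not part of the original article, flags those patterns in policy documents shaped like AWS IAM JSON and shows a weak policy next to its hardened form. Both policy documents, the bucket name, the account id and the role name are constructed sample values; the finding strings and severity judgements are this example's own, not a vendor's.

```python
"""Lint IAM-style policy documents for overly permissive statements.

Added example (not from the article). The policies below are constructed
samples in the AWS IAM JSON shape; bucket, account and role names are fake.
"""
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a list of (statement_index, finding) for risky Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")

        if "*" in actions:
            findings.append((i, "wildcard action grants every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service-wide wildcard action"))

        if "*" in resources:
            findings.append((i, "wildcard resource: not scoped to specific ARNs"))

        # Resource policies: an anonymous principal makes the resource public
        # unless a Condition (source VPC, org id, ...) narrows who can use it.
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if anonymous and not stmt.get("Condition"):
            findings.append((i, "public principal without a Condition"))

        # Write access to IAM itself on every resource lets a compromised
        # identity mint more privilege; call it out separately.
        if "*" in resources and any(a.startswith("iam:") for a in actions):
            findings.append((i, "IAM write access on all resources"))
    return findings


# Constructed sample: the kind of policy that gets pasted in to "make it work".
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed sample: same intent, least privilege.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/uploads/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/public/*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Running this as a pre-merge gate on the infrastructure-as-code repository, rather than reviewing policies by hand after deployment, is the "orchestrate security into the pipeline" idea from the previous section applied to the cloud layer: the weak policy fails with three findings, the hardened one passes with none.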
2. Software Security (née Application Security) Gets Renewed Focus
The acceleration of cloud adoption will permanently shift the software security landscape. The very definition of an application has changed and will continue to do so. The term application security will become a legacy reference as DevOps and CI/CD (continuous integration / continuous delivery) movements continue to gain traction. Enabled by cloud services, demand for even faster delivery velocity can be met – but there is a big impact on software security. DevOps and CI/CD require teams to be more nimble, meaning they won't have time for a lengthy security test cycle. At a minimum, those lengthy penetration tests will have to be complemented by shorter, component-based testing, and that testing will be distributed across the build, operate, and defend teams.
Gone are the days when InfoSec holds all the security knowledge and responsibility. Gone also are the days of focusing on secure coding. Software applications aren’t coded anymore. They are assembled from open-source libraries, 3rd-party libraries, COTS, and glue code. More than 85% of a modern enterprise application is written by someone outside of the enterprise, and for much of that there is no access to source code. 2021 will see a decline in lengthy, after-the-fact software application security testing. We will also see security responsibilities (and the need for training) distributed across the teams that build (dev), operate (IT), and defend (InfoSec.) It’s something we’ve been talking about for a long time as an industry. It finally arrives in 2021.
3. The Robots are Coming
As we continue to improve the volume and velocity of service offerings using automation, we’ll also see malicious actors enhance the sophistication of their attacks using the same. Artificial Intelligence (AI) and machine learning (ML) are enablers here. 2021 sees the arms race escalate with weaponized machine learning attacks that go beyond continuous scanning to identify vulnerabilities. Emerging defenses, such as CART (continuous automated red-teaming), will grow in popularity as enterprises look to keep up with AI-fueled attackers. AI & ML will also be used to supercharge attacks on humans. The “Deep Fake” and AI-enhanced phishing attacks will fool more people, leading to more severe data breaches, IP theft, and malware infections.
On the positive side, Dev, Ops, and InfoSec teams will use AI solutions to build secure infrastructure automatically. Think of building known good templates of deployment environments and then customizing them for specific business applications. Teams will spend less time building secure infrastructures from scratch. They will start from a safe place and build up. Of course, all that building has to be done securely.
4. WFH Continues to Expose Weak Spots
Many security executives used the WTF acronym as much as they used WFH this year. The move to remote working happened practically overnight, forcing many security teams to double down on efforts to ensure their infrastructure was secure whilst also being aligned with the new WFH environment. The transition included an oft-rushed adoption of cloud services, opening the door to more attacks, as mentioned above. As organizations slowly return to the office environment, security teams need to figure out which devices may be out of compliance, in need of updates, or even compromised after having been exposed in WFH settings.
As security professionals, we’ve known about the value of threat modeling for years. In 2021, as software continues to run more and more of our world, Dev teams will finally embrace threat modeling. DevOps is all about collaboration, so 2021 will see security teams (in organizations big and small) break down barriers and imbue security at scale, creating a true DevSecOps environment. This will help companies close the weak spots in WFH environments, which for some companies will remain throughout all of 2021.
5. Continued Rise of Ransomware
Cybersecurity Ventures predicts that a business will be the victim of a ransomware attack every 11 seconds by 2021. Ten years ago, I was known to commonly say that we wouldn’t take cybersecurity seriously until someone died because of it. Unfortunately, that cyber/safety line has been crossed several times, as we’ve already seen the loss of human life as a direct result of ransomware. Sadly, this trend will continue in 2021. Sophisticated, AI-fueled ransomware attacks will continue to lock servers, destroy data, and wreak havoc on critical infrastructure. Security teams need to be uber diligent and prepare for a ransomware attack. What can you do about it? War game, threat model, backup, and encrypt.
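"Backup" only counts as ransomware preparation if you can prove the copy you restore is the copy you took. The added example below, not part of the original article, shows the integrity half of that advice: it records a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC key that lives apart from the backup host, and then compares a restored copy against the manifest so that files the ransomware encrypted, renamed or dropped in show up as modified, missing or unexpected. The backup files, the key and the tampered restore are constructed samples; encryption of the backup data itself is left to the backup tool and is not shown here.

```python
"""Verify that a restored backup matches the manifest taken at backup time.

Added example (not from the article). All file contents, the HMAC key and
the 'tampered' restore are constructed sample data.
"""
import hashlib
import hmac
import json


def build_manifest(files):
    """files: {relative_path: bytes} -> {relative_path: sha256 hex}, sorted."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON of the manifest; key is kept off the backup host."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    """Constant-time check that the manifest was not rewritten along with the data."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest, restored):
    """Compare a restored {path: bytes} set against the manifest.

    Returns sorted lists: files the manifest expects but are absent,
    files whose bytes changed, and files the manifest never recorded.
    """
    report = {"missing": [], "modified": [], "unexpected": []}
    for path, digest in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            report["modified"].append(path)
    for path in restored:
        if path not in manifest:
            report["unexpected"].append(path)
    return {k: sorted(v) for k, v in report.items()}


def restore_is_clean(report):
    return not any(report.values())


# Constructed backup set taken on a good day.
GOOD_BACKUP = {
    "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
    "docs/invoices.csv": b"id,amount\n1,100.00\n2,250.50\n",
    "config/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
}
MANIFEST = build_manifest(GOOD_BACKUP)
# Constructed key; in practice generated once and stored with the offline copy.
KEY = b"constructed-demo-key-do-not-reuse"
TAG = sign_manifest(MANIFEST, KEY)

# Constructed 'restore' from a host the ransomware reached after the backup:
# one file encrypted and renamed, one config edited, one ransom note added.
TAMPERED_RESTORE = dict(GOOD_BACKUP)
del TAMPERED_RESTORE["docs/invoices.csv"]
TAMPERED_RESTORE["docs/invoices.csv.locked"] = b"\x8f\x11\x02opaque ciphertext\x00"
TAMPERED_RESTORE["config/app.yaml"] = b"listen: 0.0.0.0:8443\ntls: disabled\n"
TAMPERED_RESTORE["README_DECRYPT.txt"] = b"your files are encrypted\n"


if __name__ == "__main__":
    print("manifest authentic:", manifest_is_authentic(MANIFEST, KEY, TAG))
    print("good restore clean:", restore_is_clean(verify_restore(MANIFEST, GOOD_BACKUP)))
    print(json.dumps(verify_restore(MANIFEST, TAMPERED_RESTORE), indent=2))
```

The point of signing the manifest, rather than only hashing files, is that an attacker who can overwrite the backup data can usually overwrite a manifest stored beside it; checking the tag against a key held off the host turns "the hashes match" into "the hashes match what we recorded before the incident". Run the verification as part of the war game, not for the first time during the incident.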
Here are a few useful assets to help you prepare:
- Cloud Security
  Here you will find live discussions about cloud security with Microsoft, Salesforce.com, and Accenture. Also, the useful tip sheet 7 Sins of Cloud Security and a couple of white papers on building security into cloud applications & teams.
- Ed Talks
  Watch panel discussions from experts, such as CISOs, SMEs, and business executives. They debate various topics and offer advice on how to improve your cybersecurity posture.
- Cybersecurity Training Benchmarks
  This data-rich research report from the Ponemon Institute covers 509 organizations in 16 countries. It measures staff security proficiency across 17 different aspects of cybersecurity training programs.