The CISOs who successfully adapt to the hastened pace of 2020 will most likely succeed in keeping their enterprises secure.
By nearly any measurement, 2020 was a year of tremendous change. The response of businesses to the coronavirus sped up an already accelerating increase in digital transformation efforts. It spurred more enterprises to implement cloud services and forced IT and security teams to scramble to protect a widely distributed workforce. Security threats also changed, as the industry saw increases in ransomware and attacks on cloud and mobile.
How will these trends affect the priorities of chief information security officers in the year ahead? Let’s take a look.
Building remote worker security for the long haul
While 2020 was the year businesses substantially moved to remote work, 2021 will be the year they institutionalize their remote worker security practices for the long term. To get workers productive as soon as possible, many enterprises have relied on staff endpoint security measures, virtual private networks, and little else. In the year ahead, they will focus on filling some of the gaps exposed.
Many enterprises are currently assessing the gaps between their existing remote worker security posture and where it needs to be. This will lead to increased investments in cloud infrastructure, software-defined architecture, and mobile device management. It will also mean increased investments in remote response measures for remote workers who get infected.
According to a Spiceworks Ziff Davis survey of 1,073 business-technology buyers, despite lower revenues as a result of the pandemic, 76 percent are planning on investing in long-term technology changes to meet current and emerging challenges. Those investments will focus on an increased priority on IT projects (45 percent), changes to business operations during the pandemic (38 percent), and better support for remote workers (36 percent).
Locking down IoT risks
As people began hunkering down in their homes, they also began investing in consumer IoT devices, such as security monitoring, connected lights, speakers, home heating and cooling, and video doorbells.
What do consumer IoT devices have to do with enterprise security planning? Quite a bit. Because of the shift to working from home, many workers connect to enterprise resources from their home networks. These home IoT devices are becoming recognized as threats to the home network and, indirectly, to the enterprise resources reached from it.
If attackers manage to compromise a consumer IoT device on a remote worker’s network, they can use the device to capture credentials, use those to access the employee’s endpoint, and from there, access enterprise resources. As was the case with the Mirai botnet, such weaknesses in consumer IoT can also lead to denial-of-service attacks against any potential target. The Mirai botnet disrupted many of the largest Internet-based companies.
A survey conducted by Cybersecurity Insiders, sponsored by Pulse Secure, found 41 percent of respondents will move forward with on-premises device security enforcement. Some 35 percent will advance their remote access devices posture checking, and 22 percent will increase their IoT device identification and monitoring capabilities. “For those that have been victims of an endpoint or IoT security issue, the most significant negative impact was a reported loss of user (55 percent) and IT (45 percent) productivity, followed by system downtime (42 percent),” according to Pulse Secure.
Seventy-two percent of those surveyed reported an increase in endpoint and IoT security incidents over the past year.
Push to close skills gap
2020 has been a year of increased investments in digital transformation, along with an increased reliance on technology, faster development timelines, and an expanding attack surface. In such an environment, enterprises will continue to find themselves short on the security skills they need for defense against attacks.
According to Cybrary’s 2020 Research Survey Report, 72 percent of security and IT pros believe that a security skills gap exists on their teams, and 65 percent of IT managers say such weaknesses hold their teams back. What are enterprises going to do about it next year?
They will prioritize more security cross-training within their IT teams, work more closely on training people from within their organizations, and expand the potential pool of new security hires. Companies that want to succeed in closing their cybersecurity skills gap will reduce job burnout, invest in the careers of those who show an interest in cybersecurity, and cultivate that interest.
Identity management and zero trust
Identity credentials are one of the most sought-after ways for attackers to gain entry, and improving security is one of the driving trends behind zero-trust initiatives. With zero trust, enterprises don’t assume that they can trust users and devices by default on their networks. In a zero-trust environment, users, devices, and applications must continually prove they are who they claim to be.
With zero trust, rather than log in and be authenticated once and then trusted, users and devices are constantly vetted for authorization. This can be done by requesting a username and password when a user attempts to access new apps or resources, or it can be done by evaluating user devices and constantly determining that employees are using known and trusted devices. Should a device or application change, the user may be required to re-establish themselves. So that users aren’t continually inundated with login requests, enterprises will increasingly rely on artificial intelligence and machine learning capabilities to monitor for user anomalies and, when necessary, request additional verification.
Increased focus on automation and machine learning
Security is often described as a collection of specific disciplines and technologies: encryption, application security, network security, threat modeling and intelligence, endpoint security, cloud security—the list goes on. For decades, this impacted how security teams functioned in large enterprises and kept them heavily siloed. But in the context of cloud computing, microservice architectures, APIs, and machine learning, security can be thought of as something that can be automated and orchestrated more than ever before.
In 2021, security teams will extend security automation beyond the many areas where it is already in place, such as continuous development efforts. This focus will include identity and access management, application testing, vulnerability management, and cloud infrastructure security scans. Teams will also integrate security automation into the automation of infrastructure as code and elastic clouds.
Cloud security consolidation
The pandemic and the rush to work from home accelerated the enterprise data center’s demise as the center of gravity for IT access. As more users, devices, and applications access enterprise resources from outside the network, the traditional methods of securing traffic and data—such as network firewalls, access controls, and network access controls—break down. This phenomenon is driving consolidation in secure web gateways (SWG), cloud access security brokers (CASB), zero-trust network access (ZTNA), and other security services from one vendor, according to Gartner’s report “The Future of Network Security Is in the Cloud.”
“By 2023, 20 percent of enterprises will have adopted SWG, CASB, ZTNA, and branch [firewall-as-a-service] capabilities from the same vendor, up from less than 5 percent in 2019,” the report says. “By 2024, at least 40 percent of enterprises will have explicit strategies to adopt Secure Access Service Edge (SASE), up from less than 1 percent at year-end 2018,” Gartner concludes.
As cloud security continues its consolidation and the market moves toward SASE services, the redefinition of enterprise network security will accelerate. And while 2020 was a year of challenges and changes for IT and security, most of the difficulties—the security skills gap, the shift to cloud, digital transformation, IoT risks, and a growing remote workforce—were trends already underway. The CISOs who successfully adapt to the hastened pace will most likely succeed in keeping their enterprises secure.
In the same way, increasing reliance on cloud services requires a new level of WAN control. Applications can be anywhere, and enterprises need to manage access to and from them. No longer can the security model rely on point controls at data center ingress and egress. All this makes software-defined WAN a 2021 priority for security planning.
It was going to happen anyway
All of these developments and priorities may have seemed inevitable a year ago, but 2020 sped them up. That the cloud has performed so well in 2020, without any notable security crises (so far, fingers crossed), is evidence that we are all on the right track. Continuing to follow through on security for the cloud, including zero trust from the edge to the core of the network, will keep business and people working in 2021.
Lessons for leaders
- IT and the cloud are more important than ever, and so is protecting them.
- Improving security skills among staff is good for both employees and the organization.
- Applications, data, and employees can be anywhere in the world, and you have to plan security with that in mind.