Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
What should CISOs prepare for in 2021?
By Neil Daswani, Co-Director of Stanford's Advanced Security Program and Author of upcoming book, Big Breaches
The year 2020 has been unprecedented in so many ways, including COVID-19's impact on information security. Many CISOs were in positions where they had to enable business operations with 90% or more of their employees working remotely from home almost immediately, whereas they may have only been provisioned to support 20% of their workforce coming in remotely. That is no small feat, as virtual private networks (VPNs) were pressed for bandwidth to support remote work, and a majority of home routers are not as closely managed or as secure as enterprise networks.
Concurrently, attackers immediately took advantage of the situation via phishing and other email attacks leveraging COVID-related subject lines, attacks against home routers with COVID-themed malware, and propagation of COVID-related misinformation over social media. Within 45 days of a public health emergency being declared in the US on January 30, COVID-related email threats grew by a factor of 14. Over 1,200 Linksys Smart Wi-Fi home routers were hacked in April and redirected users that attempted to visit disney.com, as well as other legitimate websites, to a purported World Health Organization website offering a COVID-19 information app that was actually Oski malware. The increase in attacks and spread of misinformation was so significant that a COVID-19 Cyber Threat Coalition was formed (https://www.cyberthreatcoalition.org/) and provided a blocklist of malicious websites that were propagating COVID-19 related cybersecurity threats.
Given where 2020 has left most organizations, CISOs have much to prepare for in 2021. Although many changes were made in a rush this past March to enable a remote workforce, CISOs may need to engage their CEOs and boards to claw back the information security risk that was taken, especially as they expect to have more steady-state remote workers. Following are a few specific recommended initiatives:
- Get back visibility. Due to the lack of VPN bandwidth to support remote workers, and because many organizations did not spring for new VPN bandwidth to fully tunnel all employee traffic through enterprise security appliances, many organizations switched to allowing "split tunneling." When traffic emanating from corporate devices is split, some goes through the VPN and some does not, resulting in CISOs losing visibility of threats in traffic that is not tunnelled. The percentage of permanent remote workers is expected to double from 16% pre-COVID to 34% post-COVID, so the number of remote workers will remain high even once the pandemic subsides. CISOs and security teams that did not buy secure home routers for their employee base and did not have a fully zero trust network will need to work to get back visibility into what is happening within their networks. They will need to switch back to full tunnelling or deploy new solutions that help them manage the security of corporate devices in remote work environments.
- Further accelerate zero trust initiatives. A pure zero trust network allows one to dispense with a VPN entirely. In such networks, all internal applications are made accessible via the public Internet from a network perspective, and employees and endpoints are authenticated upon login and continuously thereafter. There is no need to set up a VPN in which devices are trusted just because they can join or are on the network. Rather, devices and users are continuously authenticated irrespective of what network they are coming in from. Developing a pure zero trust network takes time and investment, and most organizations are still on a path to do so. Accelerating zero trust initiatives will help organizations to more scalably manage a remote workforce without the cost and complexity of the VPN.
- Prepare for more insider attacks. 2020 was the year that several high-profile organizations, including Twitter, Tesla, and Shopify, announced that insiders attempted to do everything from poisoning fleets of automated cars to stealing customer transaction records. The shift to work from home due to COVID-19 led many organizations to provide access to internal applications from home, and that contributed to insider attacks. Insider employees who turned grey or black (or were already so and were waiting for the right timing) felt more "comfortable" attempting their attacks from the privacy of their own homes. External attackers who wanted to take over the accounts of insider employees were helped by the loss of visibility that occurred. Although Ed Snowden's theft of thousands of classified documents in 2013 in support of his whistleblowing was perhaps the largest insider attack of all time, 2020 has seen a resurgence of these types of attacks.
There are many aspects of cybersecurity that CISOs should consider for 2021 in addition to the above, such as aggressively continuing to automate given the shortage of cybersecurity professionals. Although technologies such as SOAR (security orchestration, automation, and response) can help organizations do the necessary automation, the adoption of these technologies is not yet happening fast enough or at a scale that can help defenders win the cybersecurity game. As a result, big breaches continue on a regular basis, and defending against their root causes will be even more critical in 2021.
Given the world changes that have occurred in 2020, the above three initiatives -- getting back visibility, further acceleration of zero trust initiatives, and defending against insider attacks -- are some of the more critical aspects that CISOs need to consider in 2021.
## About the Author
Dr. Neil Daswani is Co-Director of the Stanford Advanced Security Certification program, President of Daswani Enterprises, his security consulting and training firm, and author of the upcoming cybersecurity book Big Breaches: Lessons for Everyone. He has served in a variety of research, development, teaching, and executive management roles at Symantec, LifeLock, Twitter, Dasient, Google, Stanford University, NTT DoCoMo USA Labs, Yodlee, and Telcordia Technologies (formerly Bellcore). At Symantec, he was Chief Information Security Officer (CISO) for the Consumer Business Unit, and at LifeLock he was the company-wide CISO. Neil has served as Executive-in-Residence at Trinity Ventures (funders of Auth0, New Relic, Aruba, Starbucks, and Bulletproof). He is an investor in and advisor to several cybersecurity startup companies and venture capital funds, including Benhamou Global Ventures, Firebolt, Gravity Ranch Ventures, Security Leadership Capital, and Swift VC. Neil is also co-author of Foundations of Security: What Every Programmer Needs to Know (Apress).
Neil's DNA is deeply rooted in security research and development. He has dozens of technical articles published in top academic and industry conferences (ACM, IEEE, USENIX, RSA, BlackHat, and OWASP), and he has been granted over a dozen US patents. He frequently gives talks at industry and academic conferences and has been quoted by publications such as The New York Times, USA Today, and CSO Magazine. He earned PhD and MS degrees in computer science at Stanford University, and holds a BS in computer science with honors with distinction from Columbia University.