Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Predictions for enterprise security in 2021 - Cloud, COVID and supply chain
By Ben Carr, Chief Information Security Officer, Qualys
For CISOs, 2021 will be an interesting year.
When COVID first hit, we saw a big swing to the cloud and to remote-working implementations, and those changes will shape what happens over the next year. In 2021, CISOs will have to follow up on them, as well as deal with some new issues that have since come to light.
Prediction #1 - Getting the basics right will become more important again
2021 will be a time for reflection. Did we do the right thing around our implementations last year, and did our responses keep security in mind? Did our digital transformation projects build security in when they were rolled out? And how do we keep it in mind over time?
Answering those questions will be at the front of every CISO's mind in 2021, and that means getting the basics of security right. CISOs will want to look at how well their teams are doing on patching, asset management and visibility over those assets.
This is a good reason to review the organization's current approach to asset control, and either build on it or start again. With so much IT moving to the cloud, think 'cloud first' and make sure you can get full visibility across everything you have, wherever it runs.
After all the changes in 2020 and the rush to equip people with the right IT at home, many assets went out the door without being set up properly. 2021 will involve dealing with the consequences of those decisions, so CISOs should expect their teams to plan ahead for it.
Prediction #2 - Budgets won't get cut, but consolidation will be needed
According to analyst predictions from the likes of Gartner and IDC, overall spending on security won't go down. In fact, many companies may have to increase it alongside their shiny new cloud and digital strategies. However, that won't mean CISOs get carte blanche to acquire new solutions straight away.
Instead, that budget will go into keeping everything secure. With economic pressure around the corner due to the pandemic, there will be calls within the wider organization to cut costs and make things leaner, and that is normally linked to possible staff reductions too. However, skilled IT security people are in demand and are currently extremely busy.
What will this mean in 2021? CISOs will look at how to change their approach to budgeting and to managing security teams, so that they can protect the staff they have and ensure those staff can work effectively. This will put pressure on vendors to supply services in ways that support those goals.
That will mean consolidating solutions and services where it makes sense. Rather than running multiple overlapping products, CISOs will want to reduce costs and run with fewer vendors where they can, while still delivering all the security and resilience they need.
Prediction #3 - Supply chains for software will get a lot more attention
The attacks on FireEye and SolarWinds were publicised in December 2020, but they originated much earlier. Software supply chains are therefore top of mind right now because of the severity of the problem and the organizations that were affected.
However, it will be all too easy for this to be written off as a single company's problem and to slip back down the priority list. The whole software development and security industry will need to improve in order to stop future incidents affecting other companies. This will involve more scrutiny of suppliers involved in IT management and operations, and of internally developed applications that include third-party components.
For CISOs, putting more checks on the companies they work with will be the new default. Asking suppliers questions can help determine whether they take security seriously. "Do you have a CISO? Who do they report to?" gives an initial reading on whether security is a priority, while "How often do you conduct code reviews?" and "How do you audit your own software suppliers?" provide more detail.
Prediction #4 - Remote working will be the default
It won't be a surprise that remote working will still be necessary in 2021. Companies like Google have already decided that they are not going back to the office until September 2021. Office working will be occasional rather than mandatory, and employees will have more flexibility in how they carry out their work.
Over the next year, remote working will go from a sticking plaster brought in to get through the pandemic to the norm. Security strategies will evolve to support and deliver this. CISOs will look for cost-effective ways to gain visibility, to understand what assets their companies hold and to see what their attack surface looks like in 2021.
Monitoring and security hygiene for remote hosts will therefore be important. It helps minimise potential downtime for users and for assets, and it reduces exposure to breaches or exploitation by malware or advanced persistent threats. The same visibility will also be critical for compliance and audit when everyone is working remotely.
Prediction #5 - Boards will want to understand security more effectively
All companies are becoming more digital. With so many systems relying on online services, applications or cloud platforms, IT is crucial to how companies operate today.
For leadership teams, keeping those operations running and secure will be essential, so security will become more important than ever. However, explaining to boards how security works in practice is not something that is done especially well today. Providing simple security insight to the board should therefore be on every CISO's list of objectives.
For many companies, going into too much technical detail about threats blocked or attacks prevented is overkill. Instead, this means creating simple metrics that explain the enterprise's security posture. A health metaphor can make this easier: we all know that going to the dentist helps us stay healthy and prevents bigger problems over time.
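The two threads above, the basics of asset visibility and patching from Prediction #1 and the simple board-level metrics from Prediction #5, come together in practice as a small reconciliation job: compare what the cloud provider says exists with what your endpoint agent or scanner can actually see, then reduce the result to a couple of percentages. The following is an added example written for this page, not Qualys code or any product's API; the inventory records and dates are constructed, the field names (hostname, last_seen, oldest open critical finding) are assumptions, and the 7-day staleness window and 30-day critical-patch SLA are illustrative thresholds you would set from your own policy.

```python
"""Reconcile a cloud inventory with agent/scanner records and roll the result
up into board-level posture metrics. All data below is constructed for this
example; the record shapes and thresholds are assumptions, not a vendor API."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CloudAsset:
    asset_id: str
    hostname: str
    env: str


@dataclass(frozen=True)
class AgentRecord:
    hostname: str
    last_seen: date
    oldest_critical_unpatched: date | None  # None = no open critical findings


TODAY = date(2021, 1, 15)  # fixed date so the example is deterministic

# Constructed: what the cloud provider's inventory export lists.
CLOUD_INVENTORY = [
    CloudAsset("i-0a1", "web-01", "prod"),
    CloudAsset("i-0a2", "web-02", "prod"),
    CloudAsset("i-0b7", "db-01", "prod"),
    CloudAsset("i-0c3", "build-01", "dev"),
    CloudAsset("i-0d9", "legacy-vpn", "prod"),  # built in a hurry, no agent ever installed
]

# Constructed: what the endpoint agent / scanner last reported per host.
AGENT_INVENTORY = [
    AgentRecord("web-01", date(2021, 1, 15), None),
    AgentRecord("web-02", date(2021, 1, 14), date(2020, 12, 1)),  # critical open since 1 Dec
    AgentRecord("db-01", date(2020, 12, 20), None),               # agent went quiet
    AgentRecord("build-01", date(2021, 1, 15), date(2021, 1, 5)),
    AgentRecord("laptop-jdoe", date(2021, 1, 15), None),          # not in cloud inventory
]


def fresh_agents(agents, today=TODAY, stale_after_days=7):
    """Agents that have checked in within the staleness window, keyed by hostname."""
    cutoff = today - timedelta(days=stale_after_days)
    return {a.hostname: a for a in agents if a.last_seen >= cutoff}


def unmanaged_assets(cloud, agents, today=TODAY, stale_after_days=7):
    """Cloud assets with no agent at all, or whose agent has gone stale.
    Returns {hostname: reason}; these are the blind spots a CISO cares about."""
    seen = {a.hostname: a for a in agents}
    fresh = fresh_agents(agents, today, stale_after_days)
    result = {}
    for asset in cloud:
        if asset.hostname not in seen:
            result[asset.hostname] = "no agent"
        elif asset.hostname not in fresh:
            days = (today - seen[asset.hostname].last_seen).days
            result[asset.hostname] = f"agent stale for {days} days"
    return result


def unknown_to_inventory(cloud, agents):
    """Hosts that report an agent but are missing from the cloud inventory
    (home equipment, shadow IT, or a record that was never created)."""
    known = {c.hostname for c in cloud}
    return sorted(a.hostname for a in agents if a.hostname not in known)


def overdue_patches(agents, today=TODAY, sla_days=30, stale_after_days=7):
    """Fresh agents whose oldest open critical finding is older than the SLA.
    Returns {hostname: days over SLA}."""
    result = {}
    for host, rec in fresh_agents(agents, today, stale_after_days).items():
        if rec.oldest_critical_unpatched is None:
            continue
        age = (today - rec.oldest_critical_unpatched).days
        if age > sla_days:
            result[host] = age - sla_days
    return result


def posture_summary(cloud, agents, today=TODAY, sla_days=30, stale_after_days=7):
    """Two board-level numbers plus the lists that explain them."""
    unmanaged = unmanaged_assets(cloud, agents, today, stale_after_days)
    fresh = fresh_agents(agents, today, stale_after_days)
    overdue = overdue_patches(agents, today, sla_days, stale_after_days)
    covered = len(cloud) - len(unmanaged)
    return {
        "coverage_pct": round(100 * covered / len(cloud), 1) if cloud else 0.0,
        "patch_sla_pct": round(100 * (len(fresh) - len(overdue)) / len(fresh), 1) if fresh else 0.0,
        "unmanaged": unmanaged,
        "unknown_to_inventory": unknown_to_inventory(cloud, agents),
        "overdue": overdue,
    }


if __name__ == "__main__":
    summary = posture_summary(CLOUD_INVENTORY, AGENT_INVENTORY)
    print(f"Agent coverage of cloud assets: {summary['coverage_pct']}%")
    print(f"Hosts within critical-patch SLA: {summary['patch_sla_pct']}%")
    for host, reason in summary["unmanaged"].items():
        print(f"  unmanaged: {host} ({reason})")
    for host in summary["unknown_to_inventory"]:
        print(f"  not in cloud inventory: {host}")
    for host, days in summary["overdue"].items():
        print(f"  over SLA: {host} by {days} days")
```

The two percentages are the dentist-visit version of the story for the board; the three lists underneath are what the security team works from. Note that the patch-SLA figure is deliberately computed only over hosts whose agent is fresh: a host that has stopped reporting shows up as a coverage gap rather than silently inflating the patching number.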
2021 will involve a lot of refocusing: on the basics of security, on the building blocks of applications, and on improving the understanding of security within the business. By embedding security across operations, CISOs can improve results for the whole organization.
About the Author
Ben Carr is the Chief Information Security Officer at Qualys. He is an information security and risk executive with more than 25 years of experience in developing and executing long-term security strategies. Ben has demonstrated global leadership and experience through executive leadership roles in advanced technology, high-risk and rapid-growth initiatives at companies such as Aristocrat, Tenable, Visa and Nokia. While at Aristocrat, Ben built a world-class global cybersecurity program from the ground up as part of a digital transformation. As a senior cybersecurity executive at Visa, Ben was responsible for developing and leading Visa's Global Attack Surface Management team and capability. Prior to Visa, he led all security programs for Nokia corporate IT as the Global Head of IT Security. Ben holds the Certified in Risk and Information Systems Control (CRISC) and Certified Data Privacy Solutions Engineer (CDPSE) certifications and pursued a bachelor's degree in computer science at The College of New Jersey.