Virtualization Technology News and Information
Qualys 2021 Predictions: Enterprise security in 2021 - Cloud, COVID and supply chain

vmblog 2021 prediction series 

Industry executives and experts share their predictions for 2021.  Read them in this 13th annual series exclusive.

Predictions for enterprise security in 2021 - Cloud, COVID and supply chain

By Ben Carr, Chief Information Security Officer, Qualys

For CISOs, 2021 will be an interesting year. When COVID first hit, we saw a big swing to the cloud and a rapid rollout of remote work, and those changes will shape what happens next. 2021 will see CISOs follow up on them, while also dealing with new issues that have since come to light.

Prediction #1 - Getting the basics right will become more important again

2021 will be a time for reflection: did we do the right thing with last year's hurried implementations, and did our responses keep security in mind? Were our digital transformation projects built with security as a requirement rather than an afterthought? And how do we keep that standard up over time?

Answering those questions will be at the front of every CISO's mind in 2021, and that means getting the basics of security right. CISOs will want to look at how well their teams are doing on patching, asset management and visibility over assets.

This is a good reason to revisit the organization's current approach and either build on or restart its asset control programme. With so much IT moving to the cloud, think 'cloud first' and ensure that you can get full visibility across everything you have, wherever it runs.

After all the changes that took place in 2020 and the rush to equip people with the right IT at home, many IT assets went out the door without being set up properly. 2021 will then involve dealing with the consequences of those decisions, so CISOs should expect their teams to plan ahead.

Prediction #2 - Budgets won't get cut, but consolidation will be needed

According to analyst predictions by the likes of Gartner and IDC, spend on security as a whole won't go down. In fact, many companies may have to up their spending alongside their shiny new cloud and digital strategies. However, that won't mean that CISOs will be given carte blanche to acquire new solutions straight away.

Instead, that budget will be going into keeping everything secure. With economic pressure around the corner due to the pandemic, there will be calls within the wider organization to cut costs and make things leaner. This normally gets linked to possible staff reduction too. However, skilled IT security people are in demand and currently extremely busy.

What will this mean in 2021? CISOs will be looking at how to change their approaches to budgeting and managing security teams to protect the staff that they have and ensure they can function effectively. This will put pressure on vendors to supply services in ways that support those new goals.

This will mean some consolidation of solutions and services where it makes sense. Rather than running multiple overlapping solutions, CISOs will want to reduce their costs and run with fewer vendors where they can, while still delivering all the security and resilience needed.

Prediction #3 - Supply chains for software will get a lot more attention

The attacks on FireEye and SolarWinds were publicised in December 2020, but they originated much earlier. The software supply chain is therefore top of mind right now because of the severity of the problem and the organizations that have been affected.

However, it would be all too easy for this issue to be written off as a single company's problem and to slip back down the priority list. The whole software development and security industry needs to improve if future incidents are to be prevented from affecting other companies. This means more scrutiny of suppliers involved in IT management and operations, and of internally developed applications that include third-party components.

For CISOs, putting in more checks on the companies that they work with will be a new default. Asking questions of suppliers can help determine if they take security seriously. Example questions will include "Do you have a CISO? Who do they report to?" so that you can get an initial reading on whether security is a priority, while "How often do you conduct code reviews?" and "How do you audit your software suppliers?" can provide more detail.

Prediction #4 - Remote working will be the default

It won't be a surprise that remote working will be necessary in 2021. Companies like Google have already decided that they are not going back to the office until September 2021. Office working will be occasional rather than mandatory, and employees will have more flexibility in how they carry out their work.

In the next year, remote working will go from a sticking plaster brought in to get through the pandemic to becoming the norm. Security strategies will evolve to support and deliver this. CISOs will look for cost-effective ways to gain visibility, understand what assets their companies hold and what their attack surface looks like in 2021.

Monitoring and security hygiene for remote hosts will therefore be important. It will help to minimise any potential downtime for users and for assets. It will also reduce potential exposure to breaches or exploits from malware or advanced persistent threats. This visibility will also be critical for compliance and audit when everyone is working remotely.

Prediction #5 - Boards will want to understand security more effectively

All companies are becoming more digital. With so many processes relying on online services, applications or cloud systems, IT is crucial to how companies function today.

For leadership teams, keeping these operations running and secure is essential, so security will matter more than ever. However, boards' understanding of how security works in practice is often weak. Providing simple security insight to boards should therefore be on every CISO's list of objectives.

For many companies, going into too much technical detail around threats blocked or attacks prevented is overkill. Instead, this will involve creating simple metrics for companies that can explain an enterprise's security posture. Using a health metaphor can make this easier - we all know that going to the dentist should help us stay healthy and prevent bigger problems over time.

2021 will involve a lot of refocusing: on the basics of security, on the building blocks of applications, and on improving the understanding of security within the business. By embedding security across operations, CISOs can improve results for the whole organization.


About the Author

Ben Carr 

Ben Carr is the Chief Information Security Officer at Qualys. He is an information security and risk executive with more than 25 years of experience in developing and executing long-term security strategies. Ben has demonstrated global leadership and experience, through executive leadership roles of advanced technology, high risk, and rapid-growth initiatives, at companies such as Aristocrat, Tenable, Visa and Nokia. While at Aristocrat, Ben built a world-class global cybersecurity program from the ground up as part of a digital transformation. As a senior cybersecurity executive at Visa, Ben was responsible for developing and leading Visa’s Global Attack Surface Management Team and capability. Prior to Visa, he led all security programs for Nokia corporate IT as the Global Head of IT Security. Ben holds a certificate in Risk & Information Systems Control (CRISC), is a Certified Data Privacy Solutions Engineer (CDPSE) and pursued a bachelor’s degree in computer science from The College of New Jersey.

Published Tuesday, January 12, 2021 7:48 AM by David Marshall