Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
Cybersecurity Improvements Can't Wait
By Ed Bassett, Chief Information Security Officer, NeoSystems
Governments and businesses enter 2021 with the stark reminder
that the need for better cybersecurity is pressing and immediate. The
recognition comes in the wake of major events in 2020.
Impactful Events in 2020
- In March 2020, the U.S. Government's Cyberspace Solarium Commission
released a report that recommended fundamental changes to how the United States
deters and responds to cyberattacks as a matter of national security strategy. Key
takeaway: The report's 80+ separate recommendations have broad implications
across government and the private sector.
- The U.S. Department of Defense published its Cybersecurity Maturity Model
Certification (CMMC) initiative in January 2020; it was codified in
regulation in November 2020. Key takeaway: Its intention is to improve the
cyber hygiene of the more than 300,000 companies that make up the Defense
Industrial Base and ensure its supply chain is protected.
- In December 2020, government and industry first
became aware of the SolarWinds
hack, a broad-scale attack which has affected many companies and
government agencies. This event has a scale and level of impact that has not
been seen before. Key takeaway: While the full details are not yet
known, this event has highlighted many weaknesses in the U.S. software supply
chain and its resilience against determined attackers.
Government and Industry Respond in 2021
The reverberations from those events will be felt in the new
year and beyond:
1. The incoming Congress and Administration will make
new cybersecurity laws and regulations a legislative priority, driving changes
in how the government executes non-military responses to cyber events. Watch
for some Solarium Commission recommendations to be given the force of law.
2. Business owners, especially in the government
contracting sector, will place more business emphasis on cybersecurity. Having
a robust cybersecurity program will be a recognized and valuable part of a
company's brand, opening doors to new opportunities with customers. Companies
that continue to ignore or pay only minimal lip service to how they protect
their own and their customers' intellectual assets will be left behind.
3. Companies subject to new compliance requirements
will retool their security operations. Many will look at the complexity of the
task, and their in-house resources, and conclude that they'll need to turn to
external resources (managed security services and advisory firms) to help them
dependably reach and maintain their required level.
4. A robust cybersecurity system needs to be able to handle
complex incursion attempts but be simple enough for the end user. The
marketplace will respond with "consumer-ready" solutions such as cloud
services preconfigured for security and compliance, plug-and-play secure
computing enclaves, and turnkey managed services. Standardized solutions will
drive down the overall cost of security operations.
5. Security requirements will drive IT transformation
projects such as adoption of cloud computing, zero trust architectures, and
software modernization. Informed business executives already understand that
making such changes can bring benefits to their enterprises but have balked at
the cost of getting started. The more-stringent security requirements and the
downsides of inadequate security will make it easier for businesses to pull the
trigger on IT transformation.
6. There will be an increased focus on visibility
into what is happening on our computer systems, such as detection of unusual
behavior and determining whether a system is clean or compromised. Security
technology vendors and security service providers will focus on being able to
demonstrate security and compliance as baked-in features.
Shining light into the "black box"
For its end users, IT has always been an opaque "black box"
activity. How a computer network functions simply isn't thought about until one
malfunctions. And once it's back up, it's out of mind again. But just as
skyjacking and related terrorism have brought about a greater public awareness
of the air-travel system, major cyber breaches such as the SolarWinds hack are
bringing a greater public awareness of IT's complexities and vulnerabilities.
And that awareness will change expectations. More than ever before, agreeing to
do business with a company is going to have as a prerequisite a clear
understanding of how the company keeps data safe.
Are you ready?
About the Author
Mr. Bassett is a senior Cyber Security and Risk Management subject matter expert
with over 32 years of experience in all aspects of security and privacy program
architecture, design, management, and operations. His experience spans
Government, Health Care, Financial Services and other industries and includes
risk management, program planning, application and software security, security
assessments and audits, and security operations.
He built and led a global security consulting practice
specializing in security strategy, assessment and testing, and managed security
services. He has been the principal advisor to many Fortune 500 and government
clients on information systems security, responsible for securing their
critical information assets for e-commerce transactions, sensitive health
records, and classified military communication. Ed is a U.S. Army veteran and a
graduate of Clarkson University where he earned a degree in computer science.