As we start into the New Year, the United States is obviously in both unprecedented and unforeseen times. Hopefully in the next few weeks, as a new Administration starts to take shape, things will start to become much clearer and much more focused, especially given the worsening pandemic that we have going on right now.
I pray that there will be plans in place not only to get the great economy of the United States moving, but also to give the American people a sense of clarity, optimism, and a brand-new hope for the future.
Anyways, as we now turn our attention to the world of Cybersecurity, there are many top things on the minds of both the C-Suite and security leaders. And that is, how to guide their businesses through the craziness of the Cybersecurity Threat Landscape.
Whether they like it or not, the CISO will be primarily under the microscope, as employees look to him or her for guidance as to how best they can protect the digital assets of their company. Obviously complicating the factors are still the issues that need to be worked with the Remote Workforce and still tightened budgets.
But here is a laundry list of what the CISO really needs to pay attention to, especially during Q1.
Here we go:
*The Supply Chain will be a bigger great:
When one hears this specific term, the images of UPS, FedEx, highways, and Union Pacific trains are often conjured up. While this is the Supply Chain in one sense, there is the Cyber Supply Chain on the flip side of the coin. It is not necessarily physical in nature, but rather, it is virtual. A good example of this is the recent Solar Winds hack. Many companies were dependent upon others for their particular business processes to get done, and one area got impacted by the Cyberattack, others fell to in a cascading fashion. In fact, Cyberattacks like this were up by an astonishing 430% just in 2020 alone, but nobody knew about it, because it never made the news headlines. This is an area where the CISO needs to be pay very careful attention to in 2021, especially when vetting out for external, third parties. A further breakdown on these stats can be seen here at this link:
*The Remote Workforce will never go away:
When COVID19 first hit the shores of the United States exactly one year ago, many corporate leaders thought that the WFH issue would just be a temporary one. But seeing how long this pandemic has been going, the Remote Workforce is now going to be a permanent fixture here in Corporate America. True, human beings are social in nature and we all need human interaction of sorts, a majority of Americans actually now prefer to WFH, and businesses are now starting to see the benefits of it as well, especially when it comes to the cost savings perspective of it. While this might be all great, it has been a total nightmare for the CISO. There are still many Cyber related issues that need to be yet worked out, especially when it comes to using traditional technologies that have now literally reached their breaking points (such as the Virtual Private Network), and the intermingling of both the home and corporate networks.
*Safety in numbers will no longer matter:
As I have written before, before the COVID19 pandemic hit, the traditional thought with CISOs was that the more that you threw out there in terms of tools and technologies, the safer you are. But this is now proving to be a huge falsehood. Not only is this an expensive proposition to take, but the ROI is now quickly eroding with all of the false positives that are coming in from all of these gadgets that have been procured from so many different vendors. Also, it greatly expands the attack surface for the Cyberattacker. So in 2021, the CISO now has to literally take a 360 degree turn on this stance and determine where their tools and technologies can be strategically deployed in fewer numbers. For example, instead of deploying 10 firewalls, it is probably far more effective to deploy perhaps just two, at locations where they are needed the most at. This concept is technically referred to as “Security By Design” and will quickly evolve this year.
*The Big “Kahuna” of threat variants will still persist out there:
By this, I mean that Phishing although one of the oldest threat variants, will still be one of the most favored attack vectors, but coming in new variants, and becoming even more powerful in nature. For example, the Cyberattacker is now resorting to using Phishing based Emails to launch not only extortion attempts, but also for domain heisting as well. It’s not just a matter anymore of donating to a fake charity; these days it is almost impossible to tell what a real website is and what is not. Also, the sense of urgency that is so often used to strike a fear in the victim has become even graver in nature so that they will comply with it. In this regard, one tool that the CISO can implement quickly and fairly easily is what is known as the “Domain-based Message Authentication, Reporting and Conformance Protocol”, also known as the “DMARC” for short. Essentially, by making use of this, an employee of a company will now have much better safeguards in place in only getting legitimate and authentic Emails, and businesses will have a lot less to worry about when it comes to domain heisting. But given the power and the advantages that this protocol has to offer, a recent study found that only 1/10 make use of it, and in the Fortune 500, only 15% make full utilization of it.
*Risk Mitigation will be one of the biggest buzzwords:
For the most part, we all have heard of the term “Cyber Risk”, and the importance of mitigating it. But in 2021, the CISO will be held totally accountable for this by their respective Board of Directors. Given the powers of both the GDPR and the CCPA, they will want to know what controls are being put into place in order from being audited and facing huge financial penalties. But in this regard, one of the biggest areas in which the level of Cyber Risk has to be cut down on is when it comes to Ransomware attacks. Not only are they getting nastier just like Phishing emails, but the odds that a victim will actually pay the ransom is now actually growing. In the end, we all are prone in becoming a victim of a security breach, but the key here is to maintain a proactive mind set to help reduce that level of Cyber Risk from actually happening. And this is what people really want to see in the end: A clear vision and plan from the CISO for reducing the level of Cyber Risk, and have it communicated down in a transparent format, in the clearest and most understandable way that is possible.
My Thoughts On This:
Well, here you have it, some of my ideas and thoughts on what the CISO really needs to pay attention to NOW. While the buck does stop with the CISO, achieving these goals is an entirely team effort. The CISO cannot and should not shoulder all of the responsibility for this.
But also keep in mind that the trend now in Corporate America is not just to hire a full time, direct hire CISO. It is now to hire what is known as a “vCISO”, in which an individual or a team of them are hired on fix term contracts to fill the role of a traditional CISO.
In this regard, IMHO, a company should make use of a vCISO in order to meet these objectives quickly as outlined in this blog, as opposed to getting the traditional CISO. After all, they come in, get the job done, and leave. And if you need them again, it is just a matter of coming up with a new contract, and best of all, they cost a mere fraction of what it takes to hire a full time CISO.