RSA’s 2021 virtual conference wrapped up last week and inspired attendees around the theme of resilience. While the dictionary definition of resilience is “the capacity to recover quickly from difficulties,” the conference was equally focused on how to adjust an organization’s security posture toward proactive protection and cybersecurity readiness rather than incident response alone. As we consumed the content from the conference, we saw three common themes that resonated with us: change as a concept, proactive protection versus incident response, and the workforce implications of 2020. Read on as we dig deeper into these subjects.
Cybersecurity at the speed of change
In his RSAC session, Cisco’s Chairman and CEO Chuck Robbins rightly observed that the world transformed over the past year as it adjusted to a new, hybrid workplace model. He pointed to the fact that every organization in every industry focused on keeping its business resilient while facing more complexity than ever before. On the subject of complexity, he pointed to the security landscape. According to Robbins, employees spending just 30 extra minutes a day on their mobile devices created 20 percent more vulnerabilities than would exist in a normal time, vulnerabilities that could expose organizations to breaches, hacks, and bad actors.
With the monetary loss from cybercrime estimated at $945 billion in 2020 according to McAfee, managing risk should be critically important for all cybersecurity teams. Reportedly, CISOs are paying attention by devoting time and funding to cybersecurity initiatives. As VentureBeat reported earlier this year, global cybersecurity spending is expected to grow 10% in 2021 as new types of threats emerge alongside an increasing volume of attacks. With enterprises adapting their infrastructure to new cloud architectures and new work configurations, the need to address potential vulnerabilities is taking on greater urgency.
With organizations across the country now working through return-to-office and work-from-home issues, one thing is clear: cybersecurity teams must plan for the fact that a portion of tomorrow’s workforce will be working out of their homes permanently. Robbins says that end-to-end encryption is foundational to being able to deal with all users, data and applications in this scenario.
Succeed with a more proactive cybersecurity program
Mary O’Brien, General Manager for IBM Security, and Mauricio Guerra, CISO for Dow Chemical, discussed putting zero trust into action to manage security and enable the business. They said that today’s security leaders are now responsible for helping their businesses deliver new capabilities grounded in security – while also managing threats and compliance – and that the zero trust security concept is a cornerstone of the proactive security programs that can help achieve these objectives.
Although adoption is still relatively in its infancy, CSO Magazine defines zero trust as a security concept centered around the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. Historically, organizations focused on defending their perimeter. Now, however, some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance.
While we support zero trust planning, we also counsel our CISO clients to develop a business-aligned vulnerability management program that prioritizes the vulnerabilities that would have the most significant negative impact on the business. Such a program looks at the most relevant threats that could exploit those vulnerabilities, the remediation strategies for them, and the controls needed to counter those threats. The strategy is built on a framework that enables, implements, and maintains the program and informs all security initiatives, controls, and processes.
Additionally, adding threat modeling to an organization’s cybersecurity arsenal is critically important, because the process examines a system at the architectural level and identifies potential security design flaws. This matters because, based on experience and empirical data, we know that almost 50 percent of security issues are design-level flaws. Organizations must start doing threat modeling to uncover how their systems work and interact with one another, and whether those interactions pose a threat. It is essential to identify who would want to attack your systems and where the assets are, in order to understand the potential attack vectors and to enable the appropriate security controls. This analysis takes place during threat modeling.
Promoting workplace culture without relaxing security
2020 was full of challenges, not only for our NetSPI team, but also for our clients. One of our predictions heading into 2021 was that there would continue to be more security jobs than people to fill them. Even with the pandemic subsiding, this has proven to remain true. Security leaders have been challenged to fill roles that require candidates with mid- to senior-level experience, and entry-level job openings have continued to be in high demand. Hiring, along with its workforce and culture implications, was a popular topic at RSAC.
Jinan Budge of Forrester Research discussed the importance of putting people at the heart of security and aligning vision and approach to achieve strategic organizational security culture change. We also believe strongly in the importance of culture within an organization, and that hiring for skills beyond the technical – like curiosity, memory recall, and innovation – will foundationally help organizations grow and excel during times of talent shortages.
As CISOs focus on building strong teams with exceptional culture, organizations must also remain vigilant for insider threats. Protecting against internal threats should be part of any threat detection program; the SolarWinds breach also brought to light this under-discussed application security challenge. The frequency and financial impact of insider threats—defined as a careless or negligent employee or contractor, a criminal or malicious insider, or a credential thief—have grown dramatically in just the past two years. In a recent Ponemon Institute study, the overall average cost of insider threats per incident increased by 31%, from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats remain a lingering and often under-addressed cybersecurity threat within organizations compared to external threats.
A thriving future
To quote RSA: “Because being resilient requires infinite strength. There can be no let ups. No breaks. No finish lines. Just an unending passion to evolve, adapt and do everything possible to protect the people and organizations that rely on us as their advocates. We will do more than survive. We will thrive.” Indeed. We stand fully behind RSA’s statement. The reality is that cybersecurity attacks today are inevitable and put organizations at grave risk, making it imperative to stay one step ahead of adversaries by focusing on prevention-based security techniques. With a pat on the back to all professionals in this business: the cybersecurity profession not only survived the past 16 months, but all indicators show that it is thriving.