[BreachExchange] CISO New Year's Resolutions for 2021

Mon Jan 4 11:18:22 EST 2021

https://www.darkreading.com/vulnerabilities---threats/ciso-new-years-resolutions-for-2021/d/d-id/1339815

After such a difficult past year, it'll be only natural for many
people to have a hefty list of aspirational resolutions for 2021. That
includes CISOs, who in the past year have had to deal with the
security realities of suddenly remote workforces, budget freezes,
skyrocketing and increasingly effective phishing campaigns, crippling
ransomware, and extremely dangerous threats to the technological
supply chain.

Amid all of these concerns, they're still called to deal with all of
the other risk management tasks in their bailiwick, from vulnerability
management to application security. So, in order to increase their
effectiveness, expect the best leaders to step up to the plate to
improve their game through the following improvement measures in the
coming year.

Securing the Tech Supply Chain

The SolarWinds attack in December served as a punctuation point in
2020 on technology and software supply-chain security issues that have
grown increasingly visible to cyber pros over the last year. While it
is certainly one of the most dramatic supply chain hacking incidents,
it is by no means singular in its cyber risk - a recent report shows
that next-gen supply chain attacks are up 430%. For example, 2020 also
saw the discovery of Ripple20, a series of flaws in a TCP/IP software
library that impacted dozens of IoT vendors in enterprise and
industrial settings in a "ripple" that industry watchers say will
impact cybersecurity for a long time to come. These types of incidents
highlight a growing supply chain concern that CISOs will need to
address through better software component tracing, asset management,
and vulnerability management practices.

Moving Beyond the VPN

The worldwide shift to a suddenly remote workforce in 2020 exposed a
lot of the weaknesses in remote-access security for enterprises today.
For many organizations, the limitations of virtual private networks
(VPN) have long hampered their ability to expediently enable remote
work while maintaining enough control over how and which assets users
can access from afar. Many CISOs have had to duct-tape and bubblegum
their way through the pandemic, but as we round into a new year,
expect many security leaders to seek out and deploy more permanent
secure remote-access alternatives.

Putting Security-by-Design Front and Center

CISOs seeking to get more of a cultural foothold for security within
their organizations are likely to use 2021 as a jumping point for
building out their efforts to build security by design into their
software and processes. Security by design means reducing security
friction and creating less obtrusive security controls and checkpoints
for internal and external users; it means improving the usability of
security tools within the IT department, and also baking security
fundamentals into development requirements for new builds. Leading
organizations like Bank of America and Nasdaq are taking a security by
design approach to digital transformation initiatives, and
professional organizations like the Information Security Forum (ISF)
say human-centered security training must be backstopped with security
by design to make a difference in helping employees make more secure
choices in the digital and physical worlds.

Leveraging Self-Service Security for Better AppSec

Undoubtedly application-security initiatives will preoccupy many CISO
resolutions in 2020, as the bandaids and half-measures of the past
keep haunting so many security organizations. According to a study in
2020, one in 10 organizations today admit that their Web application
firewalls (WAFs) - sometimes the main staple of some organization's
appsec efforts - allow 90% of attacks to bypass their defenses. Many
organizations have implemented DevSecOps practices to help their
developers and DevOps teams to build more secure software from the
get-go. Successful organizations are learning that a big success
factor in all of this is the use of self-service security and
compliance validation and integration of security through efforts such
as a security-as-code approach to delivering functionality and
requirements to dev teams. DevOps teams with full security integration
and self-service capabilities are 80% more likely to fix critical
vulnerabilities in under a day, according to a recent study.

Implementing DMARC

With incidence of business email compromise (BEC) and phishing
skyrocketing amid the chaos of the pandemic, many CISOs are likely
thinking about getting more serious about deploying the Domain-based
Message Authentication, Reporting and Conformance (DMARC) protocol.
Security pundits have long advised the use of DMARC for enterprises to
cut down on how well attackers can spoof their domains and fool their
customers and employees into thinking they're receiving official
company mail. Unfortunately, while enforcement of DMARC authentication
is growing rapidly, it is still rare. Fewer than one in 10
organizations in most industries utilize the protocol, and in the
Fortune 500, 85% of organizations remain unprotected by DMARC
controls.

Doubling Down on Ransomware Risk Reduction

Ransomware risks continue to multiply and get scarier by the year. In
2020 the ransomware attack world achieved the dubious distinction of
causing actual loss of life when an attack against a hospital in
Germany shut it down to the point where an emergency patient had to be
rerouted somewhere else and died due to the delay. As ransomware
pressure builds, many organizations are taking a multi-pronged
approach to reduce ransomware risks through a combination of improved
detection, better insurance, proactive threat hunting, and a return to
the basics of improved disaster recovery and backup processes and
infrastructure.