The coronavirus pandemic has severely impacted our organizations, including security teams. Moreover, scientists predict that it will stay with us for the next 18 to 24 months. As CISOs, we need to adapt to this new reality and change our cybersecurity focus to keep our companies secure.
In response to the economic crisis that follows the COVID-19 pandemic, businesses are taking a series of measures to survive. Key actions include changes to essential business operations, organizational structures, and technology environments. As the dust from the first pandemic wave settles, we now have a chance to adjust our security capabilities before the next waves test us once again. We have a unique opportunity to align our security efforts with the changing business climate. However, there are so many influencing factors that we need to prioritize our activities.
Where should we focus our attention in the coming months? I tried to answer this question based on a broad reflection on current market circumstances and potential future trends. However, please treat the following ideas as a rough guideline. You still need to prioritize your security measures based on your business objectives, technology environment, regulatory obligations, and threat landscape specific to your organization.
Employment lifecycle
Companies that do not have sufficient contingency funds and are not supported by governmental aid programs are making difficult decisions to limit their operating expenses. These include job and salary cuts. In the long run, we will also see many mergers and acquisitions that will create the difficulties characteristic of transition environments.
If not properly managed, those transitions will lead to erosion of confidence in company management, increased distrust, and a drop in employee loyalty. Additionally, team reductions will leave survivors disorganized. Roles and responsibilities will shift, leading to initial chaos.
These challenges and the accompanying risks need to be properly managed from the security perspective. We need to strengthen our controls related to the employment lifecycle with a laser-sharp focus on data security and intellectual property protection. We also need to take care of the people who will carry on. We will have to ensure that new responsibilities are precisely stated and that all organizational structure changes are reflected in all relevant security processes.
Cybersecurity awareness
Times of crisis and chaos are ideal for cybercriminals. We are observing a surge in phishing and ransomware attacks that revolve around COVID-19 topics. To prevent them, many of us will concentrate on the implementation of more advanced security solutions like Endpoint Detection and Response supported by User and Entity Behavior Analytics. But we cannot rely only on technology when many attackers try to exploit human factors.
We still need to rely on the vigilance of our employees and increase it through awareness programs. They should aim to raise the understanding of potential threats and techniques, how to recognize them, and how to respond to them. Modern programs should be targeted, centered around critical risks, and delivered in the most effective ways based on the demands of current workforce generations. Long presentations rich in text passages will not work anymore. Practical exercises that present real-life attacks, including phishing simulations, will be a better option, undoubtedly better than another boring e-learning with lots of slides.
Remote working
Working from home became visibly popular. CTOs had to deliver the required solutions quickly and with sufficient capacity. Under the time pressure, security was not always the top concern.
Now we have some time to revise those solutions and implement additional controls to protect them against cyber attacks. We should review our network infrastructure’s secure configuration, including VPN gateways, terminal services solutions, and bastion hosts. We should give extra attention to all group work applications, including video conferencing, document collaboration, file sharing, and others.
Mobile computing
Usage of laptops, tablets, and smartphones increased when remote work became a default response to closed offices. We use them to access sensitive corporate data and do our jobs in remote locations. However, mobile devices can be easily lost or stolen, leading to data breaches.
Security practices in this area include secure configuration, security monitoring, managing device connectivity to corporate networks, patching, antimalware protection, and encryption. Managing those controls might be challenging without modern Enterprise Mobility Management, Endpoint Protection, and Security Event Monitoring solutions. They simplify and automate the majority of those activities and apply the security baseline configuration to all types of devices in a consistent manner.
Cloud security
During the pandemic, many companies started migrating their assets to the cloud environment. Their infrastructures appeared to have limited capacity to handle increased online traffic caused by changes in customer behavior or by the initial chaos of lockdowns.
Migration to the cloud requires many of us to rethink our frameworks, investigate native cloud security solutions, and decide how to translate our security controls into code that is understood by cloud platforms. The objective is to have the same level of information protection in the cloud as in a traditional data center.
In some instances, you may consider the implementation of Cloud Access Security Broker solutions. They will help you analyze your cloud usage, manage user access, monitor user activities, and keep your data secure using encryption or tokenization techniques.
Information privacy
In the new environment, data flows freely between corporate servers, remote user devices, and client and third-party endpoints. The security model based on a traditional network perimeter guarded by firewalls is detached from reality.
We may see more investments in Data-Centric Audit and Protection technologies and Information Rights Management solutions that help to protect unstructured data when stored on employee devices or when shared with external parties using authentication, access control, and encryption mechanisms. Implementing those technologies may require mature capabilities in areas of information classification, access management, and encryption.
Software development lifecycle
Recently, we have seen more and more teams altering their software development methodologies to focus on speed and automation. They embraced agile project management techniques to shorten the time-to-market. They implemented the DevOps approach to optimize collaboration between development and operations teams.
Nowadays, I assume this trend will speed up because of migration to the cloud. The most prominent cloud players are recognizing the market needs and are investing heavily in continuous integration and deployment automation.
These changes have enormous implications for security. Traditional processes of managing security requirements, code reviews, and security testing will fail under continuous deployment conditions. Agile development often starts without a complete risk assessment and a full definition of security requirements. Conventional security tools operate in testing environments and require testers to review a considerable number of exceptions manually. This approach is too slow to be agile.
It leaves us with a need to redesign our software development lifecycles. Testing speed, testing automation, integration with continuous integration and deployment tools, and risk-based prioritization of vulnerabilities will be critical success factors.
In our new lifecycle models, we will have to shift code review to the left – as early as possible, using Static Application Security Testing software integrated with the development tools and code repositories.
On the right side of the lifecycle, automation will also help. You can achieve it using modern solutions in areas of Dynamic Application Security Testing and Interactive Application Security Testing.
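The section above names testing automation, pipeline integration and risk-based prioritization of vulnerabilities as the success factors of a redesigned lifecycle. The following is an added illustration, not code from the original article, of what such a prioritization step can look like when a CI pipeline receives findings from a SAST tool: findings are scored from severity, scanner confidence and Internet exposure, and only findings introduced by the change under review may fail the build, so legacy debt is ticketed rather than blocking every run. The finding format, rule names, weights and thresholds are assumptions chosen for the example; real scanners and real teams will use their own.

```python
"""Risk-based triage of SAST findings as a CI gate.

Added example, not code from the original article. The finding schema, the
scoring weights, the rule names in the sample data and the policy thresholds
are all assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed weights: severity drives the score, scanner confidence scales it.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CONFIDENCE_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


@dataclass(frozen=True)
class Finding:
    rule_id: str      # scanner rule name (constructed for the example)
    severity: str     # critical / high / medium / low
    confidence: str   # high / medium / low, as reported by the scanner
    path: str         # source file the finding points at
    line: int
    in_diff: bool     # True if the finding is in code touched by this change
    exposed: bool     # True if the component is reachable from the Internet


def risk_score(f: Finding) -> float:
    """Severity scaled by confidence, doubled when the code is Internet-exposed."""
    score = SEVERITY_WEIGHT[f.severity] * CONFIDENCE_WEIGHT[f.confidence]
    return score * 2 if f.exposed else score


def triage(findings: Iterable[Finding],
           block_threshold: float = 7.0) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into build-blocking ones and ones that become tickets.

    Shift-left rule: only findings introduced by the change under review
    (in_diff) can block. Pre-existing findings are ticketed regardless of
    score so that legacy debt does not stop every pipeline run.
    Both lists come back ordered by descending risk score.
    """
    blocking, ticketed = [], []
    for f in sorted(findings, key=risk_score, reverse=True):
        if f.in_diff and risk_score(f) >= block_threshold:
            blocking.append(f)
        else:
            ticketed.append(f)
    return blocking, ticketed


def gate(findings: Iterable[Finding], block_threshold: float = 7.0) -> bool:
    """CI gate decision: True means the pipeline may proceed to deployment."""
    blocking, _ = triage(findings, block_threshold)
    return not blocking


# Constructed sample scanner output for one pull request (not real findings).
SAMPLE_FINDINGS = [
    Finding("sql-injection", "high", "high", "api/orders.py", 88, True, True),
    Finding("hardcoded-secret", "medium", "high", "batch/export.py", 12, True, False),
    Finding("reflected-xss", "high", "medium", "web/search.py", 41, False, True),
    Finding("weak-random", "low", "high", "api/tokens.py", 7, True, True),
    Finding("path-traversal", "critical", "low", "batch/import.py", 53, True, False),
]


def main() -> None:
    blocking, ticketed = triage(SAMPLE_FINDINGS)
    for label, group in (("BLOCK", blocking), ("TICKET", ticketed)):
        for f in group:
            print(f"{label:6} {risk_score(f):5.1f} {f.rule_id:18} {f.path}:{f.line}")
    print("pipeline may proceed:", gate(SAMPLE_FINDINGS))


if __name__ == "__main__":
    main()
```

Two design choices are worth noting. A low-confidence finding never blocks on its own, even at critical severity, which keeps noisy rules from stalling delivery but means those findings must be reviewed through the ticket queue. And the exposure flag is the piece of context a scanner cannot know; in practice it comes from an asset inventory or deployment metadata, which is exactly the kind of integration the section calls for.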
Application security
The COVID-19 pandemic changed the behaviors of our customers. They now understand that they can buy and use many services online using modern and user-friendly web applications. As a result, the confidentiality of client information and the availability of online systems gain paramount importance.
Additionally, our applications’ architecture is changing significantly because of the rising usage of mobile devices and cloud adoption. Technology teams are building applications using microservices, containers, and serverless functions to ensure that they are portable between different types of environments.
As security officers, we will have to ensure that API security, container security, and security of serverless solutions are addressed in our policies and standards. Implementation of Runtime Application Self-Protection tools, Web Application Firewalls, and API Gateways may be necessary to increase the security and availability of business-critical applications.
Access management
Increasing usage of cloud services and remote working solutions requires changes to basic access management practices. Multifactor authentication is not a delighter anymore. It is now an essential security control in a dispersed data processing environment where multiple solutions are exposed to the Internet. It is also more user-friendly than it was before. Users can tap simple popups on their smartphones to confirm their authentication.
Network security
The traditional network boundary is not in place anymore. Of course, you will still need to manage your network perimeter controls, including next-generation firewalls, Intrusion Detection / Prevention, and Network Access Control. But it is not enough anymore when we are moving our applications to the cloud environments and allow users to connect to internal resources from almost any place in the world.
We will focus more on solutions that do not rely on perimeter security, allow granular access control based on user context, and dynamically adapt our security policies. Therefore we will see more implementations of BeyondCorp and Zero Trust Security approaches.
Supplier security
The COVID-19 pandemic brutally broke supply chains around the globe. As a result, organizations are revising their outsourcing strategies, including moving to suppliers located closer to home and diversifying their supplier base.
As security officers, we will have to focus more strongly on the risks related to the business continuity of services provided by third parties. We may require more suppliers to develop and test their business continuity plans, including pandemic and mass absence plans. In some cases, we may require service owners to develop exit strategies to manage the risk of critical suppliers going out of business.
Business continuity
For organizations that did not consider pandemics as one of the scenarios in their business continuity and crisis management plans, recent months were a time of improvisation. But there will be no excuse for security officers for lack of planning when the second wave hits.
Summary
I hope that this article sparked a couple of ideas when it comes to prioritization of your activities for the following months. If you would like to support sharing these ideas with a broader audience, please use the social media buttons below. If you would like to be notified about similar articles or exchange thoughts on recent security challenges and trends, please join my network on LinkedIn.