BreachExchange mailing list archives
CISO New Year's Resolutions for 2021
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 4 Jan 2021 10:18:22 -0600
https://www.darkreading.com/vulnerabilities---threats/ciso-new-years-resolutions-for-2021/d/d-id/1339815

After such a difficult past year, it'll be only natural for many people to have a hefty list of aspirational resolutions for 2021. That includes CISOs, who in the past year have had to deal with the security realities of suddenly remote workforces, budget freezes, skyrocketing and increasingly effective phishing campaigns, crippling ransomware, and extremely dangerous threats to the technological supply chain. Amid all of these concerns, they're still called to deal with all of the other risk management tasks in their bailiwick, from vulnerability management to application security. So, in order to increase their effectiveness, expect the best leaders to step up to the plate and improve their game through the following measures in the coming year.

Securing the Tech Supply Chain

The SolarWinds attack in December served as a punctuation point in 2020 on technology and software supply-chain security issues that have grown increasingly visible to cyber pros over the last year. While it is certainly one of the most dramatic supply chain hacking incidents, it is by no means singular in its cyber risk - a recent report shows that next-gen supply chain attacks are up 430%. For example, 2020 also saw the discovery of Ripple20, a series of flaws in a TCP/IP software library that impacted dozens of IoT vendors in enterprise and industrial settings in a "ripple" that industry watchers say will impact cybersecurity for a long time to come. These types of incidents highlight a growing supply chain concern that CISOs will need to address through better software component tracing, asset management, and vulnerability management practices.

Moving Beyond the VPN

The worldwide shift to a suddenly remote workforce in 2020 exposed a lot of the weaknesses in remote-access security for enterprises today. For many organizations, the limitations of virtual private networks (VPNs) have long hampered their ability to expediently enable remote work while maintaining enough control over how and which assets users can access from afar. Many CISOs have had to duct-tape and bubblegum their way through the pandemic, but as we round into a new year, expect many security leaders to seek out and deploy more permanent secure remote-access alternatives.

Putting Security-by-Design Front and Center

CISOs seeking to get more of a cultural foothold for security within their organizations are likely to use 2021 as a jumping-off point for building security by design into their software and processes. Security by design means reducing security friction and creating less obtrusive security controls and checkpoints for internal and external users; it means improving the usability of security tools within the IT department, and also baking security fundamentals into development requirements for new builds. Leading organizations like Bank of America and Nasdaq are taking a security-by-design approach to digital transformation initiatives, and professional organizations like the Information Security Forum (ISF) say human-centered security training must be backstopped with security by design to make a difference in helping employees make more secure choices in the digital and physical worlds.

Leveraging Self-Service Security for Better AppSec

Undoubtedly, application-security initiatives will preoccupy many CISO resolutions in 2020, as the band-aids and half-measures of the past keep haunting so many security organizations. According to a study in 2020, one in 10 organizations today admit that their Web application firewalls (WAFs) - sometimes the main staple of some organizations' appsec efforts - allow 90% of attacks to bypass their defenses.

Many organizations have implemented DevSecOps practices to help their developers and DevOps teams build more secure software from the get-go. Successful organizations are learning that a big success factor in all of this is the use of self-service security and compliance validation, and the integration of security through efforts such as a security-as-code approach to delivering functionality and requirements to dev teams. DevOps teams with full security integration and self-service capabilities are 80% more likely to fix critical vulnerabilities in under a day, according to a recent study.

Implementing DMARC

With the incidence of business email compromise (BEC) and phishing skyrocketing amid the chaos of the pandemic, many CISOs are likely thinking about getting more serious about deploying the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol. Security pundits have long advised the use of DMARC for enterprises to cut down on how well attackers can spoof their domains and fool their customers and employees into thinking they're receiving official company mail. Unfortunately, while enforcement of DMARC authentication is growing rapidly, it is still rare. Fewer than one in 10 organizations in most industries utilize the protocol, and in the Fortune 500, 85% of organizations remain unprotected by DMARC controls.

Doubling Down on Ransomware Risk Reduction

Ransomware risks continue to multiply and get scarier by the year. In 2020 the ransomware attack world achieved the dubious distinction of causing actual loss of life when an attack against a hospital in Germany shut it down to the point where an emergency patient had to be rerouted somewhere else and died due to the delay.
As ransomware pressure builds, many organizations are taking a multi-pronged approach to reduce ransomware risks through a combination of improved detection, better insurance, proactive threat hunting, and a return to the basics of improved disaster recovery and backup processes and infrastructure.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange