Earlier in 2020, Computer Weekly and TechTarget published the results of our annual IT Priorities study, a wide-ranging look at what is currently top of mind for IT buyers. Amid overall softening budgets across the IT landscape, the survey reported that security and risk management were easily top of the heap, with cyber security coming to be seen as more important than cost.
The top-level data revealed that 41% of responsible buyers planned to increase investment in security in order to address new threats, and compliance and regulatory requirements as part of wider digital transformation initiatives.
In terms of security to address compliance and risk issues, end-user training emerged in the data as the top priority, cited by just under 70% of respondents. This was closely followed by governance, risk and compliance software and tools, cited by 63%, with fewer respondents considering fraud detection systems, zero-trust technology and digital forensics.
But everything changed when the Covid-19 coronavirus pandemic struck. For organisations that have been able to implement universal remote working during national lockdowns, the initial challenge was to secure home workers accessing corporate networks from beyond the traditional secure perimeter.
Taken at face value, this could be read as security getting back to basics, but in reality this is far from the case. So now that the initial panic has subsided and the business world has settled into something of a routine, how do these priorities differ – and do they differ at all?
Coronavirus accelerates underlying shifts
Terry Greer-King, EMEA vice-president at SonicWall, believes the pandemic has accelerated a transformational shift in cyber security that was taking place anyway, driven by the growth in usage of cloud-based resources, which was noted elsewhere in the Computer Weekly/TechTarget data.
“How people approach security is being turned on its head in a multitude of ways,” says Greer-King. “That trend has been going on for 12 months and is all part of this move towards digital transformation.”
Since it was spun out from Dell at the end of 2016, SonicWall has been cooking up a new business model that it calls Boundless Security.
According to Greer-King, this strategy recognises the ongoing and deep structural change in the cyber security sector as customers pivot away from best-of-breed security solutions from multiple suppliers. This has accelerated in the past few weeks, he suggests.
“Fundamentally, a lot of this shift is taking place around authenticating users and what they can access,” he says. “What has taken place since Covid-19 came along is that everybody has scrambled to allow everybody to work from home, and there was no time to put any thought into how to do that.
“So most people just went ahead and put more VPN resource across their firewall and organisations like SonicWall have seen a massive increase in that business. VPN licensing is up 1,000%, so within SonicWall and our partner base, we’ve been pretty busy.”
As a knee-jerk reaction among panicking CISOs and security teams, this is understandable, says Greer-King. But organisations will soon see a second wave of problems sparked by universal remote working, he points out. Some of these are technical, such as increased processor load on firewall hardware at the edge of the corporate network causing bandwidth problems and outages, but others have more to do with the wave of cyber attacks targeting the remote workforce.
“Is this sustainable?” he asks. “If we all go back to the office soon, maybe we can stick with it. But I don’t think that will happen. We are not convinced things are necessarily going to snap back to how they were before, therefore the approach to security needs to adapt.
“I believe the working environment we’ve moved into will become more the norm, and the norm that we had before, where people travelled into offices, is being turned on its head.”
This is where SonicWall believes an end-to-end, architectural approach, which is also espoused by Check Point and Cisco, comes into its own, and these three suppliers are not the only ones that reckon foundational change is already taking place.
For instance, Don Smith, head of the Secureworks Counter Threat Unit (CTU), believes the coronavirus crisis will be a catalyst that lights a fire under the cyber security industry, propelling it to a position of greater prominence within organisational IT strategies.
“By the time lockdown is lifted, a great many enterprises will have moved themselves towards working from home and borderless networking,” he says. “This will open up a new flexibility in security that didn’t exist before.
“A good CISO will be able to use this to demonstrate that security and security controls are an enabler for the business – another demonstration of security being the can-do people rather than the can’t-do people, which is very important to security professionals.”
IAM to increase in importance
The pre-coronavirus Computer Weekly/TechTarget IT Priorities study revealed that identity and access management (IAM) would be increasingly important during 2020, with multifactor authentication the most popular identity-related security initiative planned by the surveyed buyers, cited by 48%. This was followed by access management, which 34% planned to deploy, and single sign-on, which was of interest to 30%. The data also revealed that privileged identity management or privileged account management (PIM/PAM) is now hitting the mainstream.
Secureworks’ Smith says he sees no reason why this would change. “There used to be a phrase that identity was the new perimeter,” he says. “Well, it is now. All these forms of flexible working rely on being able to identify that someone is who they say they are, on the equipment they say they’re on, in a similar location to where they were before. Good systems are making compound decisions on that already, and that’s a good thing.”
Adenike Cosgrove, who runs international product marketing across EMEA for Proofpoint, agrees that identity is now fundamental, although she warns that it can be difficult to roll it out appropriately, particularly if the security team is not in lockstep with the rest of the business.
“In some cases, cyber criminals understand businesses better than their IT and security teams,” she says. “They know who is processing invoices, they know people in HR are reading every CV, they know what cloud services you are leveraging.
“And yet the security team doesn’t have insight into people within organisations who are potentially being targeted.
“Identity is actually a great way for security to engage with the board, business leaders and end-users to understand what’s going on, who has access to what, and who is under attack. Based on that, you can implement controls to protect those very attacked people.”
Agility will be key to security readiness
Security teams will also need to become more agile and flexible, says Mivy James, head of consulting for national security and defence at BAE. James says some of the teams she has worked with are already talking about adapting the agile principles they use in areas such as software development to other elements of the IT estate, particularly security.
“It is absolutely essential in order to stay relevant because, as more teams get used to different ways of working, they’re going to be more demanding of security to work in a similar way, to work at the same pace, to be responsive and to have that level of transparency,” she says. “I actually think that’s a positive.”
James says she has been particularly struck in the past couple of months by how adaptable people have shown themselves to be. “I’d love to find ways of making some of that stick when we get back to whatever normal now looks like,” she adds.
“It’s actually been really exciting. There’s been an acceleration in innovation, and people feel encouraged to go away and experiment with different tools and technologies. There’s an increased tolerance for that.”
A good example of this has been the rapid and widespread adoption of videoconferencing service Zoom, which sprang to prominence at the end of March 2020 when it became clear that its product contained some serious security flaws. To its credit, Zoom is now proactively and positively addressing this.
“Security teams have had to, very quickly, go away and look at what security features Zoom users need, but it’s not had a negative impact on its popularity,” says James, “which just goes to show that there’s something about the usability of Zoom that really appeals to people. There are lessons to be learned there.”
This is where agility and pragmatism will be needed. The security team must do its utmost to protect the organisation, but this will increasingly have to be balanced with accessibility, lest people are drawn to less secure apps that are easier to use, says James.
The evolution of security
For RedSeal CTO Mike Lloyd, who besides 21 patents in cyber security holds a PhD in stochastic epidemic modelling, the future of security after Covid-19 looks uncertain, but then, he adds, isn’t the future always uncertain?
“Everyone’s used to saying we can quantify risk and we know the risk that a breach will occur,” he says. “People have critical assets in their organisation, such as patient records, credit cards, whatever it is, and they’ve already done risk assessments, but they did that in a framework of a given set of rules about what nation states they think are out to get them, what hacktivists, what thieves.
“Everybody’s done a threat model and some risk estimation, but in a world where we know the rules. The challenge is that we’re heading into a world where the rules are going to change some more.”
For Lloyd, this means it is essentially impossible to make concrete predictions about cyber security. It would be pointless, he says, to try to forecast how ransomware will evolve in the next few months, because that would be like trying to predict actual biological evolution down to the individual mutation. There are simply too many factors in play.
“However, the overall patterns are very clear,” he says. “We can expect that we will continue to block certain kinds of threats and get better at that, and as soon as we do, the attackers will find a way around it, just like real viruses do.
“So the only long-term advantage is to maintain adaptability. We can’t win this war with rigidity. We have to be flexible, and we can only do that by modelling and understanding – in effect, to do the equivalent of war games.”
Lloyd suggests that security teams will soon have to start getting very good at the sort of penetration testing exercises that the average company will probably do only once a year.
“You need to be able to do it essentially any day, because every day is different,” he says. “I know that’s not a very concrete prediction, but the whole point is that we’re heading into a world where it’s very clear that even public officials – who are supposed to know these things – openly say they don’t know how to reopen the economy, or by what date we’ll have a vaccine.”
The future of security
Hackers and cyber criminals will continue to develop new ways of attacking their targets, and whatever the world looks like after coronavirus, this won’t change. Nor will the basic tenets of sound cyber security hygiene, so you could say buyers’ priorities will reflect this.
However, what we have clearly demonstrated is that when things do start to return to a new normal, as they must, a rapid cultural shift will have to take place within the world of cyber security, as it will across the rest of the organisational IT estate. It may not be possible to predict with certainty exactly what solutions buyers will want, but one thing is sure – CISOs and security teams will have their work cut out.