Gone are the days of a tidy perimeter and an orderly firewall. In a cloud-based world, every digital endpoint poses a vulnerability. Security leaders are left to adapt and respond.
There's more at risk. By 2025, the WEF anticipates there will be more than 42 billion IoT devices deployed around the world, representing a vast technology landscape to target and exploit. Each device serves as a potential access point to a system or an intrusion into the physical.
"Cyber is starting to impact the physical world," said Peter Firstbrook, research analyst at Gartner, speaking during the Gartner IT Symposium/Xpo Americas last week. "Security is starting to become more about safety than it is just about information security, which most people have been thinking about in the past."
The Department of Defense, for example, is concerned about CAD drawings and information stored on factory floor machines, according to Firstbrook. Malicious actors can also toy with building infrastructure, locking people out or messing with the HVAC system.
Involved in information and physical security alike, cybersecurity is evolving into a broader discipline. Businesses need strong centralized leaders who can influence stakeholders across departments, while reporting risk to CEOs and the board. Throughout, it requires close collaboration with the CIO regardless of reporting structure.
Through the end of 2020 and into 2021, here are five trends in cybersecurity and risk management to watch:
Rapid modernization, a new perimeter and the need for zero trust
The pandemic accelerated the adoption of cloud- and SaaS-based service models, which shifts technology access outside the corporate network and its neatly defined perimeter.
"The elephant in the room this year has been COVID[-19]," Firstbrook said. "Organizations are really struggling with 100% remote access and everybody moving off the LAN."
It becomes even more of a challenge when legacy processes, tools and procedures are involved. Companies that had modernized their IT infrastructure were not as dramatically impacted by the remote technology requirements the pandemic highlighted, according to Firstbrook.
The rapid shift to working remotely had businesses scaling processes overnight, transitions unthinkable without access to cloud-based systems. Now, a company's technology stack is accessible from anywhere, which is good for a remote workforce — and for those trying to exploit it.
No matter the perimeter, IT hygiene remains imperative, said James Carder, CSO and VP of labs at LogRhythm. If businesses were previously bad at configurations, locking systems down, managing privileges and protecting sensitive data, they've pushed everything to the cloud and made it internet-accessible.
Businesses basically multiplied their risk by an order of magnitude, Carder said. It increases the risk of having a breach or a compromise.
Risk is something businesses are becoming intimately familiar with. There is no avoiding the multiple attack vectors and threats businesses face. Maturity of a security organization is defined by how it can respond.
The risks of digital transformation, the pandemic and a rearchitected perimeter have enforced the need for zero trust.
The methodology dictates companies not "trust anything or anybody," whether a person or a laptop, until they can validate that trust, Carder said. "It is picture perfect to deal with a pandemic and riddle workforce as a way to maintain security."
The dark side of digital transformation
As IT modernizes and the security function adapts, attack vectors are changing. More than half of cyberattacks now use a victim's digital infrastructure to island hop, according to VMware's Global Incident Response Threat Report. Island hopping leverages a company's supply chain to launch attacks once access is gained.
A business's "digital transformation has been commandeered and the adversary turns the burglary into a home invasion," said Tom Kellermann, head of cybersecurity strategy at VMware and global fellow at the Wilson Center.
The threats should shift how businesses defend, Kellermann said. "The island hopping fact really should be a wakeup call for CIOs because CIOs need to realize now that this amazing digital transformation that they have ushered in — that they have nurtured, that they have pioneered in that organization — it can and will be used to attack the customers now."
The threats highlight the size of the cybercrime economy. With resources readily available, malicious actors can strategize and plan attacks, testing what works, what doesn't and what can be repeatedly deployed.
It leaves security organizations with little recourse. Total prevention is unattainable — improved response is required.
"The board needs to recognize now that the brand of the organization will be used to attack their customers, it's the dark side of digital transformation," said Kellermann. "Cybersecurity governance must be improved."
Evolving role of the security function
Outright defense is a pipe dream placing pressure on security to evolve, meet and respond to risks head on.
"I think, for too long, people have cobbled together security," Kellermann said.
Whether it was for the purposes of perimeter defense or compliance with standards, businesses purchased and failed to integrate products, many of which required humans to monitor and manage. It put a strain on the already limited workforce, he said.
Now, security is taking on more responsibility and needs to operate in a strategic way. Businesses require security advice in context, without the department stonewalling progress. In the same way, security needs to become more knowledgeable about the business and its priorities.
From contracts to technical configurations, security has its hands in everything, Carder said. IT's responsibilities and involvement lessen once digital transformation happens or cloud deployments are executed. That's when security moves forward, even into the spotlight of the board.
"Even if you're buried under the CIO or chief technology officer, you generally still present to the board nowadays," Carder said. The key is communicating from a perspective of risk and outlining recommendations.
Moving away from security jargon, CISOs should mostly communicate the ramifications on what makes businesses money or impacts operations, he said.
The new architecture order
Cyberattacks against businesses have a certain amount of inevitability. What's evolved is the need for intrusion suppression, not prevention.
"Intrusion suppression is really, can you detect, deceive, divert, contain and hunt an adversary unbeknownst to an adversary in your environment," Kellermann said. "If you can get there, which is all about decreasing dwell time and assuring that your infrastructure is not used to island hop, that is success nowadays. And I know that's sad."
As the perimeter falls away, businesses require modern tools to detect and respond. According to Kellermann, the most important security controls include:
Endpoint protection platforms
Tool suites layered atop IT infrastructures allow businesses to adapt, but, as with other technology functions, they require orchestration.
That network of tools has led to the emergence of extended detection response architecture, according to Firstbrook.
Extended detection response architecture unites all security tools into a common data format in one location, allowing businesses to start making correlations between related events. One of the advantages is that it improves event detection and security automation.
"We're starting to see a lot more vendors invest in process automation to address the skills gap and to make it easier to get repetitive tasks done," Firstbrook said.
From LAN to WAN
Digital transformation has more workloads running in the cloud, introducing more APIs.
Businesses are "changing the technology landscape for where security is going from where it came," Carder said. A lot of those traditional security controls and tools may not carry over into this new cloud-centric model.
Rather than repurpose on-premises security, businesses need to rethink their architecture for the cloud. That means doing away with legacy security investments.
"A lot of the investments we've made in LAN-based security really aren't showing any value today because everything's moving to the WAN," Firstbrook said.
Businesses have to undergo a mindset shift when it comes to the cloud, one where they understand what falls under their control or the vendor's.
"Look, not all clouds are equal," Kellermann said. "People need to understand when you move to a public cloud environment, it's like you're moving to a luxury apartment building in a tough neighborhood and the building is responsible for the security of the lobby and the perimeter of the building. That's it."
Businesses have to secure their apartment while being situationally aware of the elevator or the hallway, he said.
At a minimum, it is businesses' responsibility when moving to the public cloud to secure endpoints, applications and access, and to have the capacity to respond and hunt for cyber anomalies in internal systems in real time.
In part, companies are adopting secure access service edge tools to modernize their security standards. These tools make WAN architecture look and operate more like LAN architecture, Firstbrook said.
Correction: This article has been updated to credit Cybersecurity Ventures, which was cited in a World Economic Forum report, with determining the cost of the cybercrime community.