Business continuity and security collided this year — 2020 overhauled operating models and though security lagged, it followed the trend.
An investment bank in London, which typically didn't work remotely, had no other option but to send employees home at the onset of the pandemic, said Jeffrey Wheatman, VP analyst at Gartner, while speaking during the virtual Gartner 2020 Security & Risk Management Summit Monday.
The bank didn't have a supply of laptops to give employees; it sent employees home with whatever they had, said Wheatman.
The computers provided to employees didn't meet the bank’s security standards and the security team had to close "all the gaps they opened up," said Wheatman.
The bank's security team had a reckoning similar to what many businesses experienced in the early months of lockdown. Security is actively changing existing operating models, including platforms, people and services.
As companies adapt to changes made in March and changes anticipated for the next 12 months, Brian Reed, senior director analyst at Gartner, wants the focus on projects, not programs. Identity and risk management is a program, not a project, he said while speaking at the virtual conference.
Gartner expects investments in cloud access security broker (CASB) will see a 41% compound annual growth rate, followed by encryption software (24%), and threat intelligence (20%), between 2018 and 2023. Last year's top 10 security projects were a reflection of the expected long-term investments:
Privileged access management
CARTA-inspired vulnerability management
Detection and response
Cloud security posture management (CSPM)
Business email compromise
Dark data discovery
Security incident response
Security ratings services
The top security projects for 2020-2021 look nothing like last year, but Reed said businesses still need to accomplish the basics of security — system protection, user controls, security infrastructure, information handling — before they can address the top 10.
When ready to tackle the top security issues, Reed encourages security leaders to make it relatable to their organizations. If a company wants a secure remote workforce without a hiccup in productivity, it needs to update legacy access controls while simplifying cloud access controls.
"If you can only do one project, focusing on securing your remote workforce and going back and looking at some of those changes we might have made earlier in the year would be a really good use of time," said Reed.
Difficulty level of 2020-2021 security projects
|Degree of difficulty
Securing the remote workforce
Risk-based vulnerability management
Platform approach to detection and response
Cloud security posture management
Simplify cloud access controls
Data classification and protection
Workforce competencies assessment
Security risk assessment automation
If there's time and resources for more projects, here are Gartner's top security projects through 2021:
1. Securing the remote workforce:
Companies "turned on" remote capabilities in March, but they are now facing "requirements gathering and needs assessment," said Reed. Security teams need to know if they opened too much access for employees.
Reed rated the difficulty level of this project between easy and medium because it touches on connectivity, productivity and measurability.
2. Risk-based vulnerability management:
Every patch will never be deployed, said Reed. Instead, security teams need to shift focus to vulnerabilities that pose the greatest risk to the business or vulnerabilities with proven exploits in the wild.
The "last mile effort" of patching is on the owner of applications in the IT infrastructure, not security, Reed said. It's the security team's job to recommend how to prioritize patches, not to apply them.
3. Platform approach to detection and response:
This project is different from security information and event management (SIEM) and security orchestration, automation and response (SOAR) because it focuses on security integrations at the time of product deployment, as opposed to an afterthought, said Reed.
The project is rated at a medium difficulty level, as Reed warns it takes considerable promise to take on extended detection and accuracy, it also runs the risk of vendor lock-in.
Prerequisites for the project include "Centralization of normalized data and a centralized incident response capability," according to Gartner. The capabilities have to be able to "change the state of individual security products as part of the remediation process."
4. Cloud security posture management:
This project is at the intersection of policy, process and culture, making for a medium difficulty level. "While one of the top projects is not around people and process, people in process are an important overlay to any cloud security strategy," said Reed.
This project centers around management capabilities, including those for providers. Cloud security posture managers deliver "risk identification and alerting capabilities by reviewing different cloud audit and cloud operational events. A CSPM platform, in turn, can visualize frameworks or control catalogs.
Reed encourages security leaders to engage with their cloud operations team and rely on cloud-native platforms first.
5. Simplify cloud access controls:
Typically simplifying cloud access controls "is done through the implementation and use of a cloud access security broker," said Reed. CASBs give companies real-time security control enforcement or enough flexibility to "start out in an API mode or a monitoring mode of operation."
That flexibility can help security teams understand a cloud security event before blocking is initiated. To simplify cloud access, companies need compliance reporting and usage monitoring.
Domain-based message authentication reporting and conformance (DMARC) is "by no means a silver bullet or a complete answer for email security," said Reed. However, it helps deflect direct domain spoofing.
"We use email far too often as the single or sole source of trust and verification. And it's incredibly easy to spoof," Reed said.
This is an easy project and can be integrated into existing email security practices. DMARC falls short of protecting other areas, such as "lookalike domains," but it's a "quick win," said Reed.
Reed advises companies to begin in "monitor mode" and graduate to "reject" emails.
7. Passwordless authentication:
Passwords have troubled security programs for years. Passwords and single credential use is an outdated form of security today.
Employees likely reuse or commingle personal and business passwords, but businesses have options for passwordless authentication. Known assets can be used as tokens, which supports extending authentication flexibility and improves the user experience.
"You could look at using multifactor authentication, you could look at even cases of zero factor authentication," said Reed. Passwords will always exist to some degree, but alone they are liabilities.
Reed rated the project as difficult for implementation because the education process is ongoing.
8. Data classification and protection:
When data is mismanaged, it's dangerous. Data "has the ability to do great harm without practicing due care," said Reed. "Not all users and data have the same value."
Because of the nuances in data — the sensitivity some data versus other data — companies can't rely on a "one-size-fits-all" strategy. If companies are over-classifying and over-protecting data that doesn't need it, redundancies occur and business operations are hampered.
Reed classified the project as medium to difficult because users have to grasp a well-defined classification scheme and know the pros and cons of an automated or manual process.
"We need to really have this good balance of automated versus manual data classification protection and the right answer is to use a bit of both," said Reed.
There are vendors that can provide services dedicated to this, but "we want to start with policies and definitions and really get the process right before we start layering in the technology," said Reed.
9. Workforce competencies assessment:
This project takes medium effort as it forces companies to perform an "honest assessment" of culture, according to Reed. Dramatic digital transformation efforts require a variety of competencies across verticals; cloud security, development, threat detection.
While vendors can provide a degree of tools to sharpen competencies, like cyber simulations, the security organization is primarily in charge of its direction. Reed recommends companies focus on four to six competencies, instead of "unicorn" candidates.
In cybersecurity, an industry with an already-dismal talent shortage, companies aren't doing their due diligence. "The top coders out there that have both leadership skills and cybersecurity skills are really a rare breed and they can demand salaries in excess of $200,000 a year," said Reed.
10. Security risk assessment automation:
This is another medium to difficult project for companies to take on. However, only 58% of security leaders regularly perform risk assessments for new projects, according to Gartner.
Reed advises companies to automate workflows extracting data from data sources "critical to risk assessment." The automation can improve confidence in how risk is articulated across the company.
"There's clearly an opportunity to automate some of the risks and provide the business some visibility into where some gaps in risk assessment might be," said Reed.