In Forrester's report of critical security recommendations for 2020, the forces at play are wide-ranging. There's a good reason for the broad span of issues raised in its annual report: attacks can snipe at organizations from all angles.
Security threats range from bad actors exploiting flaws in home networks to climate change-induced wildfires that can put data centers in harm's way.
"We initially put together this report earlier in the year and as we started to complete it, March happened," Sandy Carielli, principal analyst at Forrester, told CIO Dive. "We suddenly had this major external force that was going to change a lot of how security teams view their planning for the next year."
Security organizations at the enterprise level found themselves suddenly battening down the hatches for a workforce that accessed essential company data from unsecured routers. Simultaneously, leaders dealt with a rise in phishing attacks, as hackers took advantage of the increased interest in coronavirus.
As cybersecurity managers gear up for the second half of the year, they contend with the challenge of deploying new technology, updating customers on cybersecurity and scouting for top talent in a crowded market — all while protecting their company's integrity.
Anything that can compromise an organization is on Forrester's radar for this year. Here are nine security recommendations executives should know:
No. 1: 'New normal' is about recovery and response
Suddenly having so many employees work from home created infrastructure and security issues.
"First we have to transform quickly, and then we have to transform safely," Carielli said.
Since the initial COVID-19-related shock has ebbed, companies with bring-your-own-device policies should resolve security issues for employees working from home on those devices. Addressing this helps employees work safely and quickly and can prepare organizations for the possibility of allowing employees to continue to work from home.
Ironing out those details also yields an action plan that can be reused for other external shocks: security risks stemming from climate change-related weather incidents, and the possibility of a second COVID-19 wave in the fall.
"All of those are external forces that, while perhaps not having the immediate sudden effects of what COVID-19 is putting us through, are risks that have to be planned around by the security team and must be considered," Carielli said.
No. 2: Product security in focus
Pressure to get products and services to market quickly can't come at the expense of security.
"As remote work suddenly became the new normal, Zoom took off and became the go-to," Carielli said. "When security issues became apparent, [Zoom] certainly had setbacks."
Airtight security can set companies apart, and also let them charge a premium, Jimmy Jones, cybersecurity expert at Positive Technologies, told CIO Dive.
Stringent product security also lets companies compete in fresh markets, Forrester said. Meeting Federal Information Security Management Act (FISMA) standards allows organizations to compete for federal government contracts, while expanding documentation that can support customer inquiries.
No. 3: Understanding geopolitical threats
Last year, Forrester recommended getting fluent in geopolitical risk. "It was about becoming knowledgeable and becoming aware," said Carielli. "This year we felt that we needed to step it up and be even more tactical and practical."
That's because of a host of events, including the U.S. airstrike on a senior Iranian military officer, the impact of Brexit, continued rise of digital protectionism and state-sponsored disinformation campaigns.
"The boardroom may look at major threats and newsworthy issues around Iran or North Korea or Russia, but threats can be from all over the place," she said. "It's important to take that interest and turn it into a real threat modeling exercise."
The security team can then go back to leadership to show those risks and help company leaders understand what the threats to the business could be.
"It's about having a plan and building awareness across the team and knowing what data and what assets in your organization are potential targets," Carielli said.
No. 4: Climate change preparation
While COVID-19 might have temporarily shelved concerns about climate change, it hasn't solved the problem. And the two situations are related.
The pandemic, while not a climate change issue, shows how health and science developments outside a company's control can affect a business, Carielli said.
For climate change, that means thinking about locations of data centers, disaster recovery, "what happens if there's a flood where perhaps you weren't in a flood zone before, or wildfires in areas where that was not an issue before," Carielli said.
Companies should look at what climate models say about flood plains, what changes could be coming in average temperature, and the frequency and strength of hurricanes.
These are "all things that could certainly impact your business continuity and ability to engage with your customers or impact what your customers need and types of services they would be looking for," she said.
No. 5: Mapping cascading third-party risk
Connected supply chains may be the norm, but they present security risks. It's not just third-party software vendors or IT service providers, but vendors, suppliers, contractors, logistics providers and any other companies that interact with the product or service delivered to customers.
IBM Security found breaches originating from third parties increased the cost of a breach by $370,000.
"You start to peel away those layers and most solutions are like Frankenstein's Monster, made up of so many layers of third-party hardware and third-party software," Jones said.
Third-party capabilities help companies get to market quickly and reduce up front costs, but "any breach can be related in numerous, seemingly unconnected ecosystems that all seem to be using the same resources," he said.
To reduce that risk, Forrester recommends getting an accurate inventory of all third-party relationships. That means going two levels down: not just your third parties, but their third parties, and those parties' third parties in turn.
"It might not be your supplier who's hit, but it may be your supplier's supplier, or your supplier's supplier's supplier," said Carielli.
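As an added illustration (not from the Forrester report or anyone quoted here), the following Python sketch treats the "two levels down" inventory as a graph walk over a constructed supplier map. The organisation and vendor names are invented. The second function surfaces the point Jones makes above: an upstream provider reached through several of your direct vendors is a single point of failure that no individual vendor questionnaire will reveal on its own.

```python
"""Map cascading supplier risk (third, fourth, fifth parties) over a
constructed vendor graph. Added illustration; every name below is invented."""
from collections import deque

# Constructed example: each key is an organisation, each value the suppliers
# it depends on. "acme" is the organisation doing the assessment.
SUPPLIERS = {
    "acme": ["cloudco", "paylink", "shipfast"],
    "cloudco": ["metalhost", "certsrv"],
    "paylink": ["metalhost", "fraudml"],
    "shipfast": ["telematics"],
    "telematics": ["metalhost"],
    "metalhost": ["powergrid"],
    "certsrv": [],
    "fraudml": ["certsrv"],
    "powergrid": [],
}


def transitive_suppliers(graph, org, max_depth):
    """Breadth-first walk from org. Returns {supplier: depth} for every supplier
    reachable within max_depth hops, using the shortest path when a supplier is
    reachable more than one way. Depth 1 is a direct third party, depth 2 its
    supplier (a fourth party), and so on."""
    seen = {}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue  # do not expand beyond the requested depth
        for dep in graph.get(node, []):
            if dep not in seen:
                seen[dep] = depth + 1
                queue.append((dep, depth + 1))
    return seen


def concentration_points(graph, org, max_depth):
    """Suppliers that sit beneath more than one of org's direct vendors.

    Walks max_depth - 1 levels below each direct vendor separately and records
    which direct vendors lead to each upstream supplier. Anything reached via two
    or more direct vendors is a shared dependency: a breach or outage there hits
    several apparently unrelated contracts at once."""
    reached_via = {}
    for direct in graph.get(org, []):
        # a direct vendor is "reached via" itself so that one direct vendor
        # depending on another is also reported as a shared dependency
        reached_via.setdefault(direct, set()).add(direct)
        for upstream in transitive_suppliers(graph, direct, max_depth - 1):
            reached_via.setdefault(upstream, set()).add(direct)
    return {s: sorted(v) for s, v in reached_via.items() if len(v) > 1}


if __name__ == "__main__":
    for supplier, depth in sorted(transitive_suppliers(SUPPLIERS, "acme", 3).items(),
                                  key=lambda kv: (kv[1], kv[0])):
        print(f"depth {depth}: {supplier}")
    for supplier, via in concentration_points(SUPPLIERS, "acme", 3).items():
        print(f"shared dependency {supplier}: reached via {', '.join(via)}")
```

In the constructed data, "metalhost" never appears in acme's own contracts, yet all three direct vendors depend on it, so a breach there would look like three unconnected incidents unless the inventory goes beyond the first level.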
No. 6: Assess the rise of emerging tech
The cybersecurity market evolves at a brisk pace, with new technologies taking over industry discourse regularly.
Navigating the shifting landscape of new technologies requires setting aside time and resources to research the applicability of new technologies, Forrester says. It's up to chief information security officers (CISOs) to put in place methods that allow a thorough examination of what's out there.
Establishing internal innovation funds to support proofs of concept and speeding up vendor onboarding processes for experimentation will help this process along.
As IT leaders evaluate a new platform or technology, they "have to map it directly to the business they're in," said Anurag Lal, president and CEO of Infinite Convergence Solutions, in an interview with CIO Dive.
"It's extremely important that you ensure whatever solution you're deploying is secure in every sense of the word," Lal said. Leaders must first seek information about how platforms are kept and built securely prior to deployment.
No. 7: An encryption catalog
The cybersecurity protections cast around critical business applications can quickly topple if an embedded cryptographic algorithm becomes compromised.
Enterprises can improve visibility into the encryption they depend on by maintaining an up-to-date catalog of cryptography use, in which the individual algorithms and cryptographic libraries used in enterprise applications are listed and kept current, according to Forrester's report.
Compromised cryptographic algorithms can make their way to applications when developers make use of existing libraries, said Darren Hayes, associate professor and director of the Digital Forensics Research Laboratory at Pace University.
"The problem with doing that is you're often incorporating somebody else's code, which could include some type of malware or connection to another server that could have malware, or you could not be using the best encryption standard," Hayes told CIO Dive.
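Added example, not from Forrester's report or the sources quoted: a small Python scanner that builds the kind of catalog described, from constructed source snippets, and then inverts it so that when an algorithm is found to be compromised you can list every application that uses it. The file contents, the library patterns and the weak list are assumptions for illustration; a real policy would be longer, and matching would be done with a parser or an SBOM tool rather than regular expressions.

```python
"""Build a cryptography catalog from source files and flag algorithms that
should not appear in new code. Added illustration: the three "files" are
constructed snippets, and the status list is an assumed policy, not a standard."""
import re
from collections import defaultdict

# Constructed sample repository: path -> source text.
REPO = {
    "auth/passwords.py": (
        "import hashlib\n"
        "def hash_pw(pw, salt):\n"
        "    return hashlib.md5(salt + pw).hexdigest()\n"
    ),
    "api/tokens.py": (
        "import hmac, hashlib\n"
        "from cryptography.hazmat.primitives.ciphers import algorithms, modes\n"
        "cipher = Cipher(algorithms.AES(key), modes.GCM(nonce))\n"
        "sig = hmac.new(key, msg, hashlib.sha256)\n"
    ),
    "legacy/export.java": (
        "import javax.crypto.Cipher;\n"
        "Cipher c = Cipher.getInstance(\"DES/ECB/PKCS5Padding\");\n"
        "MessageDigest md = MessageDigest.getInstance(\"SHA-1\");\n"
    ),
}

# Cryptographic libraries the catalog recognises (assumed mapping).
LIBRARY_PATTERNS = {
    "hashlib": r"\bhashlib\b",
    "pyca/cryptography": r"\bcryptography\.hazmat\b",
    "javax.crypto": r"\bjavax\.crypto\b",
}

# Algorithm tokens with an assumed policy status: "weak" means remediate.
# Matching is case-insensitive; the \b anchors keep "des" from matching "modes".
ALGORITHMS = {
    "MD5": ("weak", r"\bmd5\b"),
    "SHA-1": ("weak", r"\bsha-?1\b"),
    "DES": ("weak", r"\bdes\b"),
    "RC4": ("weak", r"\brc4\b"),
    "ECB": ("weak", r"\becb\b"),  # a mode rather than a cipher, but catalog it too
    "SHA-256": ("ok", r"\bsha-?256\b"),
    "AES": ("ok", r"\baes\b"),
    "GCM": ("ok", r"\bgcm\b"),
    "HMAC": ("ok", r"\bhmac\b"),
}


def build_catalog(repo):
    """Return {path: {"libraries": [...], "algorithms": {name: status}}}."""
    catalog = {}
    for path, text in repo.items():
        libs = sorted(name for name, pat in LIBRARY_PATTERNS.items()
                      if re.search(pat, text))
        algs = {name: status for name, (status, pat) in ALGORITHMS.items()
                if re.search(pat, text, re.IGNORECASE)}
        catalog[path] = {"libraries": libs, "algorithms": algs}
    return catalog


def weak_findings(catalog):
    """Flatten the catalog into sorted (path, algorithm) pairs needing remediation."""
    return sorted((path, alg)
                  for path, entry in catalog.items()
                  for alg, status in entry["algorithms"].items()
                  if status == "weak")


def algorithm_usage(catalog):
    """Invert the catalog: algorithm -> files using it. This is the view needed
    on the day an algorithm is broken and every affected application must be found."""
    usage = defaultdict(list)
    for path, entry in catalog.items():
        for alg in entry["algorithms"]:
            usage[alg].append(path)
    return {alg: sorted(paths) for alg, paths in usage.items()}


if __name__ == "__main__":
    cat = build_catalog(REPO)
    for path, alg in weak_findings(cat):
        print(f"{path}: {alg} is on the weak list")
    for alg, paths in sorted(algorithm_usage(cat).items()):
        print(f"{alg}: {', '.join(paths)}")
```

The catalog itself is only a dictionary; what makes it useful is keeping it current as code changes, which is why a scan like this belongs in the build pipeline rather than in a one-off audit.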
No. 8: Shaping a talent pipeline
Access to broad-stroke tech talent at the enterprise level is challenging enough. For cybersecurity specialists, it's a crisis waiting to happen.
Unfilled cybersecurity jobs will hit the 2 million mark by 2022, Forrester projects. And access to talent is a problem now, with six in every 10 businesses struggling to hire security professionals according to Gartner.
Leaders can design systems that help their companies avoid a crippling talent crunch in the cybersecurity space. Forrester suggests a three-part approach:
- Lean on trusted solutions providers for skills building among existing staffers
- Spot key skills gaps, then invest in training for the blind spots
- Nourish team culture and leadership skills
It won't always be practical for organizations to have all the talent they need available in-house, said Lal.
"One piece of advice I would give organizations who are looking to ensure they have access to the right kind of expertise is to partner with a trusted organization," said Lal. "There are many out there that provide a service that will allow them to pull expertise on-demand."
Companies can then turn their attention to business goals while partners ensure cybersecurity efficiency.
No. 9: Including customers in cybersecurity awareness
In the age of data breaches, consumers are wary of having their data stolen, then sold off on the black market. In turn, this may warn them off engaging with companies in the digital realm.
Companies would be wise to put in place a customer engagement plan around cybersecurity practices, Forrester said. Infusing humor into messaging and centering customer outreach around cybersecurity will lead to better outcomes.
In the face of increased scrutiny from regulatory bodies, "it's incumbent upon businesses to detail what types of security they have in place and explain the types of security protocols they have," Hayes said.