Neos 2021 Predictions: Cybersecurity Improvements Can’t Wait
By Ed Bassett, Chief Information Security Officer, NeoSystems
Governments and businesses enter 2021 with the stark reminder that the need for better cybersecurity is pressing and immediate. The recognition comes in the wake of major events in 2020.
Impactful Events in 2020
- In March 2020, the U.S. Government’s Cyberspace Solarium Commission released a report that recommended fundamental changes to how the United States deters and responds to cyberattacks as a matter of national security strategy. Key takeaway: The report’s 80+ separate recommendations have broad implications across government and the private sector.
- The U.S. Department of Defense published its Cybersecurity Maturity Model Certification (CMMC) initiative in January 2020; it was codified in regulation in November 2020. Key takeaway: Its intention is to improve the cyber hygiene of the more than 300,000 companies that make up the Defense Industrial Base and ensure its supply chain is protected.
- In December 2020, government and industry first became aware of the SolarWinds hack, a broad-scale attack that has affected many companies and government agencies. This event has a scale and level of impact that has not been seen before. Key takeaway: While the full details are not yet known, this event has highlighted many weaknesses in the U.S. software supply chain and its resilience against determined attackers.
Government and Industry Respond in 2021
The reverberations from those events will be felt in the new year and beyond:
1. The incoming Congress and Administration will make new cybersecurity laws and regulations a legislative priority, driving changes in how the government executes non-military responses to cyber events. Watch for some Solarium Commission recommendations to be given the force of law.
2. Business owners, especially in the government contracting sector, will place more business emphasis on cybersecurity. Having a robust cybersecurity program will be a recognized and valuable part of a company’s brand, opening doors to new opportunities with customers. Companies that continue to ignore, or pay only minimal lip service to, how they protect their own and their customers’ intellectual assets will be left behind.
3. Companies subject to new compliance requirements will retool their security operations. Many will look at the complexity of the task and their in-house resources, and conclude that they’ll need to turn to external resources (managed security services and advisory firms) to help them dependably reach and maintain their required level.
4. A robust cybersecurity system needs to be able to handle complex incursion attempts but be simple enough for the end user. The marketplace will respond with “consumer-ready” solutions such as cloud services preconfigured for security and compliance, plug-and-play secure computing enclaves, and turnkey managed services. Standardized solutions will drive down the overall cost of security operations.
5. Security requirements will drive IT transformation projects such as adoption of cloud computing, zero trust architectures, and software modernization. Informed business executives already understand that making such changes can bring benefits to their enterprises but have balked at the cost of getting started. The more stringent security requirements and the downsides of inadequate security will make it easier for businesses to pull the trigger on IT transformation.
6. There will be an increased focus on visibility into what is happening on our computer systems, such as detecting unusual behavior and determining whether a system is clean or compromised. Security technology vendors and security service providers will focus on being able to demonstrate security and compliance as baked-in features.
Shining light into the “black box”
For its end users, IT has always been an opaque “black box” activity. How a computer network functions simply isn’t thought about until one malfunctions. And once it’s back up, it’s out of mind again. But just as skyjacking and related terrorism have brought about a greater public awareness of the air-travel system, major cyber breaches such as the SolarWinds hack are bringing a greater public awareness of IT’s complexities and vulnerabilities. And that awareness will change expectations. More than ever before, agreeing to do business with a company is going to have as a prerequisite a clear understanding of how the company keeps data safe.
Are you ready?
About the Author
Mr. Bassett is a senior Cyber Security and Risk Management subject matter expert with over 32 years of experience in all aspects of security and privacy program architecture, design, management, and operations. His experience spans Government, Health Care, Financial Services and other industries and includes risk management, program planning, application and software security, security assessments and audits, and security operations.
He built and led a global security consulting practice specializing in security strategy, assessment and testing, and managed security services. He has been the principal advisor to many Fortune 500 and government clients on information systems security, responsible for securing their critical information assets for e-commerce transactions, sensitive health records, and classified military communication. Ed is a U.S. Army veteran and a graduate of Clarkson University where he earned a degree in computer science.