“Are you trying to ensure security for your remote workforce but don’t want to hinder business productivity?” “Are you struggling with identifying risks and gaps in security capabilities?” “Where should CISOs focus time and resources?”
Security and risk management experts constantly ask these questions, but the real question should be what projects will drive the most business value and reduce risk for the organisation in a constantly shifting security landscape.
“We can spend too much precious time overanalysing choices we make about security, striving for this notion of perfect protection that just simply does not exist,” said Brian Reed, Sr. Director Analyst, during the virtual Gartner Security & Risk Management Summit, 2020. “We must look beyond basic protection decisions and improve organisational resilience through innovative approaches to detection and response and, ultimately, recovery from security incidents.“
The key is to prioritise business enablement and reduce risk — and communicate those priorities effectively to the business.
This year’s top 10 security projects, based on Gartner forecasts and adjusted for the impact of COVID-19 — feature eight new projects, focused heavily on risk management and understanding process breakdowns. These projects, which aren’t listed in order of importance, can be executed independently.
No. 1: Securing your remote workforce
Focus on business requirements and understand how users and groups access data and applications. Now that a few months have passed since the initial remote push, it’s time for a needs assessment and review of what has changed to determine if access levels are correct and whether any security measures are actually impeding work.
No. 2: Risk-based vulnerability management
Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organisational risk.
No. 3: Extended detection and response (XDR)
XDR is a unified security and incident response platform that collects and correlates data from multiple proprietary components. The platform-level integration occurs at the point of deployment rather than being added in later. This consolidates multiple security products into one and may help provide better overall security outcomes. Organisations should consider using this technology to simplify and streamline security.
No. 4: Cloud security posture management
Organisations need to ensure common controls across IaaS and PaaS, as well as support automated assessment and remediation. Cloud applications are extremely dynamic and need an automated DevSecOps style of security. It can be challenging to secure the public cloud without a means to ensure policy uniformity across cloud security approaches.
No. 5: Simplify cloud access controls
Cloud access controls typically are done through a CASB. They offer real-time enforcement through an in-line proxy that can provide policy enforcement and active blocking. CASBs also offer flexibility by, for example, starting out in monitoring mode to better ensure fidelity of traffic and understand security access.
No. 6: DMARC
Organisations use email as the single source of verification, and users struggle to determine real messages from fakes. DMARC, or domain-based message authentication, reporting and conformance, is an email authentication policy. DMARC is not a total solution for email security, and should be one piece of a holistic security approach. However, it can offer an additional layer of trust and verification with the sender’s domain. DMARC can help domain spoofing but will not address all email security issues.
No. 7: Passwordless authentication
While employees may not think twice about using the same password for their work computer as they do for the personal email, it can cause major security headaches. Passwordless authentication, which can functionally work in a few different ways, offers a better solution for security. The goal should be to increase trust and improve the user experience.
No. 8: Data classification and protection
All data is not the same. A one-size-fits-all security approach will create areas of too much security and others of too little, increasing the risk for the organisation. Start with policies and definitions to get the process right before beginning to layer in the security technologies.
No. 9: Workforce competencies assessment
Install the right people with the right skills in the right roles. It’s critical but challenging to combine hard technical skills with softer leadership expertise. There are no perfect candidates, but you can identify five or six must-have competencies for each project. Assess competencies in a range of ways, including cyber-ranging and cybersimulations and softer skill assessments.
No. 10: Automating security risk assessments
This is one way to help security teams understand risks related to security operations, new projects or programme-level risk. Risk assessment tends to be either skipped entirely or done on a limited basis. These assessments will allow for limited risk automation and visibility into where risk gaps exist.