At the convergence of digital transformation, an industry-wide focus on SASE, and the effects of the continuing COVID-19 pandemic, there are key forces that security practitioners need to be aware of and operate within. This is the second blog in a series of three detailing these forces and how security leaders and practitioners can adapt to them in a digitally transforming, SASE-enabled world. This blog covers the forces of Organizational Culture and Adversaries and Threats.
Force 3: Organizational Culture
Organizational culture can have a significant impact on the security program. A shift in executive leadership or board often changes the organization’s risk appetite and priority of the security program. Most boards are now requiring a minimum report to the full board and quarterly report to the audit subcommittee of the board.
Impact of the Pandemic
The most significant change we have seen in changing organizational cultures is the rise of the remote worker amid the COVID-19 pandemic. Whilst traditional organizations prefer to see people in the office and collaborate face-to-face, the goal for most employees is to be flexible in their working environment. Pandemic planning aside, most workers will choose their employer and ask questions at the interview stage on this flexibility to ensure they have the best work-life balance. In addition, the next-generation workforce will demand this level of flexibility. With concerns over health, rising house prices, the increasing cost of affordable housing near workplaces, and the costs of travel assessed against salary, most workers will need this flexibility. As organizations reimagine their strategies, understanding their mobilization of the workforce will be critical. The mentality of work from anywhere, at any time, from any device, access any application, and share any information, is supportive of this cultural change. This shift away from the traditional office is evident in most industry sectors today.
Organizations Risk Appetite
With a flexible and innovative workforce, there also comes a shift in an organization’s risk appetite. So, how is that changing? Risk management was traditionally used to block high-risk activities and maintain alignment with company and security policy. It was a simple binary approach that most employees understood. However, as organizations become more complex in the offering of their goods and services through digital transformation that involves complex supply chains, these simple approaches no longer scale. New risks need to be identified based on behavior specifically on the most critical asset an organization has: its data. As more risk management programs become data-centric, so must their measurements on the likelihood and impact of these risks. Organizations today have become more open and willing to take new risks that, when managed appropriately, can increase their revenues.
Changes in Financial Policy
Chief Financial Officers are looking closely at the savings they can realize moving away from capital investments and moving to subscription-based contracts. Investment in technology is no longer a barrier with cloud services on a pay-as-you-innovate model. However, some industries such as critical national infrastructure (CNI) may still have a risk-averse culture and a more restrictive security strategy that is appropriate. Generally, this is where today’s CISO must be able to adjust to new technologies, new controls, more open policies that allow for a more open and collaborative culture to excel.
Force 4: Adversaries and Threats
The threat landscape is a baseline measurement of the current threats observed by most organizations. However, the threat landscape is only accurate if we identify and measure against all threats. One example is that phishing is still talked about at every organization as one of their primary concerns. This is obvious as phishing produces a visual identifier in the form of a phishing email that can be traced to the start of an incident.
Now, let’s talk about other common threats that are not always visible. Both cloud and web-based attacks continue to grow in numbers and according to ENISA (the European Agency for Cybersecurity), are a top-three threat, yet many organizations may not have a true visibility of this threat. For many, encrypted traffic to and from the organization is not always analyzed for threats. Even worse, traffic to and from cloud applications is often overlooked. More than 50% of internet traffic related to SaaS and cloud apps contains business essential information, therefore we should assume that this traffic should be analyzed for threats from not only an external threat actor perspective but also from an insider or accidental threat perspective.
As we broaden our visibility into this traffic we also must ensure we understand that data is no longer on a computer we own or control. The movement from on-premise applications to third-party developed applications provides a new threat kill chain to be considered. New models and updates to existing threat kill chains should also be acknowledged and considered for remote workers when the attack surface is multiplied. Similarly, they should also address how CISOs are required to manage and apply security controls to both remote staff and third-parties that threat actors may use to gain trusted access to the real target.
From an adversarial and threat perspective, an important strategy, control, and measurement should always be to reduce attack surface and dwell time. Dwell time can be measured as the duration a threat actor has undetected access to a network, system, application, device, etc. until access is identified and removed. Measurements for dwell time MUST extend to cloud applications and web services to further protect these environments from a confidentiality and data integrity perspective. Not identifying a threat actor with access to an organization’s IaaS platform or data lake will cause a significant impact to the organization.
Insider Threat
The “insider threat” has been one of the greatest threats since the beginning of IT and over the years, the insider threat still remains dominant. Some of the biggest security breaches are due to an insider being focused on a business process and did not result in a public disclosure of regulated data. These types of breaches go vastly unreported due to the brand damage they bring to the company and, without a requirement, executive teams will often decide to not prosecute the case. Breach notification statistics recognize the number is only a small portion of the actual breaches that occur.