2020…2?

5 things that won’t change in Information Security — and why that’s a Good Thing.

Helen Patton
6 min read · Jan 4, 2022


This is the time of year for predictions. What will the next 12 months look like? What should we expect? What do we need to prepare ourselves for in the months ahead?

Hands holding a glass orb. You can see the reflection of a set of escalators in the glass orb.
Photo by Nigel Tadyanehondo on Unsplash

Thinking about the future, looking into a crystal ball, is an important activity for information security leaders. We need to be thinking not only about the threats and solutions of today, but also about what we will face in the almost-foreseeable future. We need to be cybersecurity sherpas, guiding our companies through the dark and misty forests of technology risk.

Who has time for that?

Let’s face it — we are all tired. 2020 became 2021 and is now 2022. There were no breaks in between. Cybersecurity events touched all of us. Our efforts to keep on doing our thing while the pandemic changed the way we live our lives, professionally and personally, became harder and harder. Security teams did more with less. Some teams received a budget boost — and an expectation that they would accelerate or add to their projects as a result. Some teams received a budget cut — their funds funneled to other parts of the business even as the cybersecurity threats increased. Security programs continued even as security teams turned over and subject matter experts left without looking back. There is no end in sight.

And now for the good news

If you’re a security leader looking for the story to tell your executives, to inspire your teams, to guide your programs, look no further:

Nothing. Will. Change.

I’m serious — nothing is going to be any different in 2022 than what you experienced in 2021 or 2020. This is a story that will ease the minds of your executives (“I’ve seen this before”) and relieve your employees (“I’ve done this once, I can do it again”). The fact that 2020 and 2021 were complete dumpster fires just means that yes, 2022 will be hard. Not surprisingly so. Your opportunity with your community is to say “Look! You’ve seen this before, you know how this works, you know what it will take to make it less painful than the first time…now go!”

I can see you’re not convinced. Here are five things that you’ve dealt with in the past couple of years that I guarantee you’ll be dealing with for the next couple:

Ransomware is still here

It’s here, and it’s here to stay. It doesn’t matter what industry you’re in, what kind of data you have, or whether you’re a start-up or a long-established company. Ransomware can certainly be targeted, but more often it is opportunistic, hitting whoever happens to be reachable on the internet (aka all of us). As a security leader, you can confidently predict that ransomware is a threat you will have to manage.

Supply chain risk will still be a thing

A tugboat pulls the container ship Ever Given (operated by Evergreen) through the Suez Canal.
Photo from: https://www-wired-com.nproxy.org/story/what-take-cargo-ship-un-stuck-suez-canal/

Even if you have all your own internal controls optimized (liar liar pants on fire) you will have vendors, open source software and other supply chain inputs to worry about. The Software Bill of Materials (SBOM) may be the promised land for all supply chain problems, but we haven’t operationalized it yet: most organizations can neither produce one for what they ship nor consume one for what they buy. For now, you’ll need to keep an eye on your supply chain. Oh wait, you can’t keep an eye on your supply chain? Well then, be prepared to do a lot of incident response. As a security leader, you can confidently predict outages and incidents due to supply chain weaknesses. Like you did for the last few years. Get ready to do it again.

Asset management will still be elusive

The security mantra is “you cannot protect what you don’t know about” — and I agree. I also know that getting and operationalizing complete asset management (note my SBOM comments, above) is impossible. It’s not just the stuff you own and control; it’s the people, devices, applications and other asset classes that you don’t own or control, where your data resides. Your CMDB won’t include all of those, and even if you can identify all those assets, you probably can’t manage them without bumping into privacy, licensing or compatibility issues. This has always been a problem for security, and nothing says that will change in 2022. As a security leader, you can be assured that your data is on some asset somewhere that you don’t know about and don’t control. Count on it.

Non-security people will have other priorities

Shocking, I know. Just like every other year since the beginning of time, folks in your business whose primary job is not security will treat security as an afterthought unless you give them no other choice. Giving them no choice will make them very unhappy. No amount of phishing simulations will make them change their minds. They will continue to look for the easiest and most rewarding ways to do their work, regardless of the impact on the company’s threat profile. This perspective runs from the C-suite to the interns. As a security leader, you can continue to find ways to make people want to do security, or you can force them to do it. Either way, you will be working on “security awareness” for the foreseeable future.

Vulnerability management will still be hard

More correctly, patching will be hard. Vulnerability management programs have gotten much better at prioritizing vulnerabilities to address the highest risk — great! The follow-on IT operational process of actually patching those vulnerabilities continues to be a mess, made more difficult by hardware/IoT manufacturers whose devices are impossible or impractical to patch. Security teams will continue to be frustrated by the age and variety of known vulnerabilities across all asset classes. Emergency patching will continue to be an important skill for everyone to master, as more supply chain risks will impact more unknown assets with ransomware variations. As a security leader, you can be comforted knowing that vulnerability management will still be a time suck in 2022 and beyond.

I’m guessing you’re thinking that this isn’t really good news. More of the same? Again? Wasn’t 2020, like, two years ago? Why are we still dealing with the same issues?

Picture of multiple planet earths, overlapping one another in a galaxy
Photo from scifi.stackexchange.com

There is no parallel universe where everyone makes security a priority, asset management is easy, patching happens automagically, and ransomware is eradicated. There’s a reason why security professionals are in such high demand, and why job security is practically guaranteed for anyone who can stick it out through year after year of the same issues.

There are glimmers of change on the horizon: changes in regulations to enforce board engagement in security; wider adoption of zero trust philosophies; SBOM development; international cooperation in prosecuting ransomware gangs; etc., etc. All these things are great — but they won’t be here in any meaningful way for a while.

In the meantime, take comfort in knowing what to expect, where to spend your energy, and how to bring your organization forward, bit by bit. 2022 may just be a repeat of 2021, but in repeating the work you can do it just a bit better the second time around. Learn from your mistakes, make incremental improvements, keep moving forward.

Happy New Year!


Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange