As companies look to transition to a new normal in 2021, the pandemic has put Chief Information Security Officers (CISOs) front and center of their organisations’ path forward. Business continuity, collaboration and digitalisation plans that may or may not have included remote work have been put to the test. What was a reaction to a situation has now become part of longer-term planning. And with adversaries seeking to capitalize on cyber threats exacerbated by the pandemic, online security finds itself at the heart of business.
“CISOs continue to face a number of challenges – some are new, others have been around for quite some time,” says Fady Younes, cybersecurity director, Middle East & Africa, Cisco. “Navigating the remote work environment has been challenging and companies are embracing more collaboration and digital solutions to adapt. All this will bring major challenges around visibility into what goes on in the IT environment.”
The time for passwordless
The password – it's both the cornerstone and the Achilles’ heel of security. Passwords are a pain for users to remember, rotate, and maintain, with the average person having 191 passwords. Passwords are also easily compromised, as 81% of breaches involve stolen or weak credentials, according to the Verizon Data Breach Investigations Report. Furthermore, passwords have hidden costs. Organizations spend millions of dollars and help desk hours a year on password resets, so the cost isn’t simply from breaches.
Platforms, industry groups, and service providers have begun to coalesce around a foundation for a passwordless future. Technology has evolved to make biometrics almost ubiquitous in both consumer and enterprise settings, and companies have begun to explore what a world without passwords will look like in terms of users and data security.
Collaboration, not control
In many organisations, the traditional approach to security has been to issue instructions and policies. The past months, however, have accelerated a major culture shift. A different model is emerging, where security professionals work with their business colleagues in a cooperative and collaborative way. As companies move to establish agile and smart workplaces, security teams need to ensure that whatever security controls they implement are easy to use.
On the one hand, control costs organizations money; on the other, users are taking more and more control themselves. Consequently, CISOs are increasingly asking questions such as: What do we absolutely need to control? What can we rely on users to take care of? What can we enforce and what do we need to enforce?
Secure Remote Work Accelerated
Working remotely has been possible for decades. However, its prevalence has skyrocketed in even the most technologically conservative of organizations.
During the pandemic, Duo Security at Cisco, a user-centric multi-factor authentication and secure access provider, saw user authentications per month jump from 600M to 800M, largely due to the shift in remote work, and it has remained at elevated levels ever since.
As shown by Cisco’s Workforce of the Future survey, remote work is here to stay, in the form of hybrid working models.
“A significant trend we saw come into play amongst CISOs during the lockdown was getting the basics and core fundamentals right,” Fady says. “CISOs were implementing fundamental security controls such as multifactor authentication, DNS and VPN security. As we move forward and new team collaboration emerges, CISOs are taking stock of their learnings to form a strategic view on how their organisations need to be secured in future. This amplifies the need for collaboration technology so that users can also play an instrumental role in security on the frontline.”
Artificial Intelligence, Machine Learning & zero trust security
In traditional security approaches, trust is based solely on the network location the access request originates from, while in a zero trust approach, trust is more dynamic and adaptive. Under this network security model, trust is established for every access request, no matter where it comes from; it secures access across apps and networks and allows only the right users and devices to get access.
More authentication factors, adding encryption, and marking known and trusted devices, make it harder for attackers to collect what they need (user credentials, network access, and the ability to move laterally).
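As an added illustration of the contrast drawn above (example code, not from the article or from Cisco), the following compares a perimeter-style decision that trusts network location alone with a per-request evaluation of identity, MFA, device trust and app entitlement; the corporate network range, device inventory and entitlement table are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy data (assumptions for the example, not real values).
CORPORATE_NET = ip_network("10.0.0.0/8")        # "inside" the perimeter
TRUSTED_DEVICES = {"laptop-7f3a", "laptop-c21d"}  # managed, known devices
APP_ENTITLEMENTS = {                              # which users may reach which app
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    mfa_verified: bool   # did the user complete a second factor for this request?
    device_id: str       # identifier presented by the client device
    app: str             # application being requested


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: trust follows network location only.

    A request from inside the corporate range is allowed regardless of who
    or what is making it, which is exactly what lateral movement relies on.
    """
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Per-request model: every request is evaluated on identity, MFA,
    device trust and entitlement. Source network is deliberately ignored.

    Returns (allowed, reasons) so a denial is explainable in logs.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if req.device_id not in TRUSTED_DEVICES:
        reasons.append("device_untrusted")
    if req.user not in APP_ENTITLEMENTS.get(req.app, set()):
        reasons.append("not_entitled")
    return (not reasons, reasons)
```

The two models disagree in both directions: an unverified, unknown device inside the corporate range passes the perimeter check but fails zero trust, while a verified user on a managed device working remotely fails the perimeter check but is allowed.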
Purpose-built User and Entity Behaviour Analytics (UEBA) is one example of how AI and ML can be used to help enable zero trust security. It focuses the analytics on specific activities rather than taking the generalized approach common today.