Back in March, I heard from several CISOs about how COVID-19 was disrupting their cybersecurity programs and changing their priorities. A few weeks later, I connected with some CISO friends, and got an update on phase 2 of their pandemic journeys.
While no one knows when the coronavirus impact will end, we are getting a good perspective on what the new normal will look like. Here are ten changes I anticipate (in no particular order):
- Work from home (WFH) becomes the default model. This one is an obvious assumption, but one we can back up with data: According to ESG research, 79% of IT executives say that their organization will be more flexible about WFH policies after the pandemic subsides. Furthermore, WFH seems to be, well, working: 78% of knowledge workers report being either more productive working from home or having no change in productivity. Between productivity gains and real estate savings, WFH is a winner — and is driving lots of changes to security investment and priorities.
- Any remnant of a security perimeter is now dead. When I started in security nearly 20 years ago, a group of financial services companies started an organization called the Jericho Forum, which pitched the concept of de-perimeterization. While most security professionals agreed with the idea, scaling security remained a challenge, so network perimeters remained and changed slowly over time. COVID-19 may be the final security perimeter coffin nail. To support a more distributed IT infrastructure, security controls will move wholesale to endpoints — users, devices, applications, data, etc. The good news is that cloud-based management planes will make this architecture much easier to scale and operate than in the past. What are the new perimeters? Users and devices (i.e., identities) and data.
- Hail to the cloud. Cloud workload migration accelerated due to COVID-19 as it was easier to administer cloud infrastructure than on-premises servers, networks, and storage devices. To keep up, CISOs must ramp up cloud security hiring, training, and skills development on their teams. It’s also clear now that the public cloud is the de facto infrastructure for network security controls, consolidating SD-WAN and security services. The same is true for security analytics with data and analytics engines moving quickly to the cloud. Finally, security management planes are heading in the same cloudy direction. CISOs will need new skills for migrating data and tools and managing cloud subscriptions.
- The mainstreaming of attack surface management (ASM). CISOs will need better ways to collect, process, and analyze data for cyber-risk management as users and assets become more distributed and remote. This should happen quickly since most organizations have no idea about all the connections to their network and regularly discover things like previously unknown devices, misconfigured servers, default passwords, partner connections, etc. ASM will evolve from an esoteric area to an enterprise requirement. Vendors like BitSight, Bugcrowd, CyCognito, Randori, and others will benefit from this transition.
- Doubling down on policy management. With everything distributed, CISOs will need to work with business managers to determine who can do what from where and really (and I mean really) tighten up their security policies with granular and dynamic rule sets. Once policies are determined, they’ll also need the CIO's help to build an infrastructure for policy enforcement and monitoring. There is a tremendous opportunity for security technologies here — vendors that build intuitive, flexible, and scalable policy management engines will clean up.
- Identity management gets an overhaul. Distributed security controls and policy management must be anchored by a modern identity management infrastructure — not the organically grown patchwork we’ve kludged together over the past 20 years. To ease this migration, identity will also migrate to the cloud in a hurry. This is good news for JumpCloud, Okta, and Ping, but I believe cloud service providers like Amazon, Google, VMware, and obviously Microsoft will make a big play here as well.
- Cyber threat intelligence at scale. COVID-19 is a global opportunity for the cyber-underworld, leading to a wave of new scams and attacks. To counteract this trend, organizations need to be able to operationalize, analyze, and hunt for threats at an unprecedented scale. This should represent a growth opportunity for threat intelligence platforms and investigation tools like Anomali, King & Union, Palo Alto Networks, RecordedFuture, ThreatConnect, and ThreatQuotient at the high end of the market. Smaller enterprises will likely dive deeper into threat intelligence services from the likes of Cisco, FireEye, IBM, and Secureworks.
- AI and ML, the next generation. Security teams will need to make sense of more assets, more connections, more movement, and more threats — all at once. Business management's push for a permanent WFH structure make this an absolute certainty, and there isn’t a security team on the planet that will be able to keep up with the new reality without help. We are currently driving up the AI/ML on-ramp, and we’ll need to get up to speed quickly. This is a wide open opportunity, but somehow, I think that companies like Devo, Google (Chronicle), IBM, Microsoft, SAS, and Splunk will play.
- On to serious security training. WFH and coronavirus-related scams mean the days of security awareness training as a “checkbox” exercise are over. Moving forward, I believe security aptitude will be required for most employees with compensation incentives or penalties associated with performance. Business managers will also be accountable for employee education and penalized when their team’s ignorance leads to a security breach. On the supply side, vendors will need to supplement basic compliance training with more thorough course work designed for knowledge workers.
- Tighter security and IT operations cooperation. Provisioning secure endpoints, cloud workloads, or network infrastructure will require security to be “baked in” rather than “bolted on.” Additionally, security policy enforcement and monitoring will need to be coordinated all over the place. In the past, security and IT operations teams had different objectives, metrics, and compensation structures. Given all the work ahead, it’s likely that organizations will measure these teams based upon common projects rather than disparate goals. This should be good news for vendors like ExtraHop, Netscout, ServiceNow, and Tanium, that have technologies and experience in both areas. Security vendors will need to improve their IT operations chops if they want to keep up.
There’s lots of changes and lots to think about. More soon from me as I’m following the impact of COVID-19 closely.