With 2019’s cyber security challenges and breaches tucked away, I wonder just how 2020 will fair?
As we all speculate on what the new year’s cyber security encounters will be, I’d like to add mine. As a very much ’hands on’ CEO of Foresight Cyber Security, I offer a slightly different perspective: focusing on the cyber security domain from an angle of what large enterprises should prepare for in 2020.
The prediction centre around three themes:
Cloud, Cloud and Cloud everywhere
Going back to basics in cyber security
Zero trust architectures shaping well and taking hold
Accelerated move to public clouds for IT workloads
Most CIOs have warmed / are warming to the idea of offloading their workloads to reputable cloud providers. Just as enticing is the move to Office 365 & Azure: having one key provider of cloud services is quite compelling – strategically, commercially and compliance-wise. It is therefore no surprise that Microsoft is winning over enterprises in the cloud tussle. A demand for Microsoft Cloud services, their integration to DevOps processes, and indeed securing the cloud is going to increase substantially. Microsoft understands these trends and is heavily touting their security portals and services, such as the recently introduced Azure Sentinel, a SIEM service. But beware! The biggest obstacle for enterprises moving workloads to the cloud is the lack of specialists to ensure secure designs and implementations of the new architectures. The lack of expertise is also acknowledged by the UK government as expanded on in their recent study (https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market).
Focus on basics of cyber security
Would you be able to explain the Basic CIS Controls? I am frequently surprised (maybe I shouldn’t be!) by a lack of awareness amongst some security and many IT professionals of what these internationally recognised specific actions can offer in supporting an organisation’s cyber defences. The CIS Controls are recognised by experts as a great guide to implement cyber security policies, processes and technologies. More details can be found here: (https://www.cisecurity.org/controls/). In my opinion, the most critical controls are:
IT Asset inventory and management – CIS controls 1 and 2
Vulnerability management – CIS control 3
Secure Configurations – CIS control 5
Enterprises should rethink investments into advanced ‘blinking boxes’ promising
‘unparalleled’ protection and detection of advanced attacks, because they are often inherently much less effective until the above CIS controls, are robustly implemented. When undertaking any client engagement, Foresight Cyber’s initial focus is on the above controls which, together with other internationally recognised frameworks, create a perfect balance between technical, procedural and administrative activities. My cyber security colleague’s mantra of, “Right first time, secure by design” is so true!
Exploring and trialling zero trust security architecture
The concept of zero trust architectures is not new. During my career, I was briefly engaged in the Jericho forum who had essentially invented the concept. At that time the technology was not mature enough to support ‘zero trust architecture’. I believe that today the technology is at a level ready for enterprises to start moving to architectures without perimeters…watch this space!