Drop Everything and Secure Remote Workforce, Gartner Warns10 Top Near-Term Security Projects Start With Revisiting Security for Remote Workers
"Securing your mobile workforce has now become the single greatest existential imperative," Brian Reed, a senior Gartner analyst, said at last week's virtual Gartner Security & Risk Management Summit 2020.
Before the COVID-19 pandemic, numerous organizations had many other security priorities. But the outbreak has upended all of that, forcing organizations to take a good, hard look at what is now achievable.
"As a CISO, there's a number of top new projects that you're going to look at, but you want to be sure what you're looking at is projects and not programs."
Reed put it this way: "We can't be doing everything, so what should we be doing, and how should you define project success?"
His view on what you should be doing is encapsulated in a list of 10 top projects for 2020-2021 - not ordered by importance - published by Gartner.
Reed said it's more important than ever to focus on discrete projects designed to achieve specific objectives, rather than big-picture programs.
"As a CISO, there are a number of top new projects that you're going to look at, but you want to be sure what you're looking at is projects and not programs," he said. "For instance, identity and access management is a program. We certainly don't want to go chasing market buzzwords. What we want are projects that are real, with supporting technologies, and not science fiction projects or never-ending proofs of concept."
In other words, don't think too big. "We want things that are budgetable and stackable, especially in a 2020 and post-2020 world," he said. With the exception of securing the remote workforce, "we also want projects that have not achieved widespread enterprise adoption - that 90% of people aren't already doing."
10 Top Security Projects for 2020-2021
With that in mind, here are Gartner's picks for what organizations should consider pursuing in the short term. Reed says this list isn't is meant to exhaustive, but rather it's designed to help organizations' decision-making process by pointing them toward projects that will likely help them quantitatively achieve a positive business impact while reducing risk - as quickly as possible.
- Remote workforce security: Now is a great time to review existing controls and potentially recalibrate them to ensure employees' productivity isn't being hampered - for example, by struggling with legacy access controls - and also ensure that things aren't too open. Two frequent problems, Reed said, are organizations routing cloud-based application traffic via corporate networks - cue traffic degradation - and being ill prepared to truly support workers, for example, with zero trust network access and cloud access security brokers.
- Risk-based vulnerability management: This project is about the "last mile effort" involved not just in already common, bulk vulnerability assessment and telemetry, but also bringing in additional information in the form of threat intelligence, attacker activity reports and internal asset reports to help organizations better identify which flaws to fix first.
- Extended detection and response: XDR is "a unified security and incident response platform" meant to streamline and simplify security management by consolidating data-gathering products.
- Cloud security posture management: How do you secure and manage cloud usage - including infrastructure and platform "as a service"? "CSPS delivers risk identification and alerting capabilities by reviewing different cloud audit and cloud operational events," Reed said.
- Simplified cloud access controls: Implement CASB to handle real-time enforcement of security controls, including - when necessary - active blocking of suspect traffic.
- DMARC: Domain-based message authentication, reporting and conformance helps organization block domain spoofing.
- Passwordless authentication: Too many people reuse passwords. So organizations should pursue one or more methods for avoiding passwords - potentially via tokens, multifactor authentication and biometrics - to "increase trust and improve the user experience," Reed said.
- Data classification and protection: Lots of people talk about data being the new gold or oil, but Reed - paraphrasing a comment from a Twitter user - says data is more akin to uranium: "Just like uranium, data can be expensive, it can be hazardous and it has the ability to do great harm without practicing due care." To minimize risk and avoid wasting resources, never take a "one size fits all" approach. Set policies and definitions - and use both automated and manual controls - to avoid storing what doesn't need storing and protecting what doesn't need protecting.
- Workforce competencies assessment: Avoid cybersecurity employee "unicorn hunting" in search of "perfect candidates." Instead, focus on the five or six must-have competencies for any given project and attempt to staff accordingly.
- Automate security risk assessments: This is one way to help security teams understand risks related to security operations, new projects or program-level risk and where gaps in defenses might exist - but too often this gets ignored or skipped, Reed said.
Among other projects, Reed says pursuing secure access service edge - aka SASE - is top of mind for many organizations, and he predicts that "cyber-physical security as we look to make a return to office life" will also gain in importance, encompassing temperature checks for employees, safe physical spaces and even drone detection and mitigation.
But if your organization can only pursue one project, the mandate is clear: Focus on securing the remote workforce by continuing to ensure security controls are in place and properly configured.