Data Privacy Day: Charles Herring, CTO at WitFoo
This is part of a running series on #DataPrivacyDay.
Charles Herring, CTO at WitFoo: "2020 started with a rapid movement of work from home and ended with a pervasive supply chain attack. As we look at challenges facing the craft of cybersecurity operations in 2021, the two primary difficulties meeting us are degraded human factors and stringent vendor management requirements.
The mental health impact of the COVID-19 protocols is still being inventoried. It is too soon to know exactly what the medium- and long-term impact will be, but my 4 years at sea in the US Navy taught me that isolated people exhibit different risks than others. In 2021, we will need to be on guard for employees making ill-advised decisions at conferences and trainings as they let off steam accumulated from months of work from home and balancing family between WebEx meetings. The fatigue, stress and desperation permeating the workforce creates vulnerability by converting an otherwise loyal employee into an insider threat. It also creates several pain points that will encourage poor online hygiene, including clicking on links promising “stimulus checks” or other types of relief. Addressing the human factors in organizations should be top of mind for security executives in every organization. Counseling, time-off incentives and training reinforcing values and security hygiene will be critical in healing the vulnerabilities created over the pandemic.
The SolarWinds supply chain attack started in the summer of 2020 but was not detected until December. This meant that organizations that retained less than 6 months of raw records were unable to determine if they were impacted by the attack. The evidence in these logs is critical to prosecuting the criminals and determining business impact. Security leaders will need to deliver cost-contained collection, storage, and analysis of these logs to drive business decisions and meet vendor, regulatory and cybersecurity insurance requirements.
This most recent vendor attack also reinforces craft initiatives that started with the 2013 security breach at Target that came via an HVAC contractor. Last November, the US Department of Defense began active enforcement of the Cybersecurity Maturity Model Certification (CMMC), a framework requiring cybersecurity hygiene from all vendors. These types of initiatives are becoming commonplace in many public and private sector procurement offices. These vendor management requirements have created a new generation of managed security service providers (MSSP) to deliver compliance and hygiene as a service to organizations looking to outsource these requirements. For those seeking to outsource to these providers, it will be critical to validate their effectiveness and value via audit.
In addition to managing employee and vendor risks, security leaders need to be cognizant of changes in cybersecurity insurance. Payouts of claims for cybersecurity breaches have left underwriters making radical changes to policy packages. Attractive packages are now increasingly difficult to find. Increases in premiums and application diligence coupled with lowered payout caps will make cybersecurity less attractive for the next few years. The best available packages should be executed at the longest possible term in anticipation of sustained degradation of future offerings."