We sat down with Katie Teitler, senior analyst at TAG Cyber, to discuss the company's 2021 annual security report. The report is part of an annual series from TAG Cyber that has been published each September since 2016. The report covers the state of the cyber security market, and offers expert guidance, analysis, and education on fifty-four control areas of the cyber security ecosystem. The report is developed for and aimed at the working practitioner in the cyber security industry -- including board members, Chief Information Security Officers (CISOs), Chief Security Officers (CSOs), developers, managers, sales professionals, and marketing experts.
More insights from Katie can be found below. For more information about the TAG Cyber 2021 Annual Security report, please visit: https://www.tag-cyber.com/advisory/annuals
What are the top 3 biggest takeaways from the report?
The biggest takeaway is clearly around contingency planning. With the onset of the COVID-19 pandemic, many companies were caught unprepared to support an almost 100% remote office environment. This was problematic from an employee/contractor point of view as well as a customer point of view. Ironically, the mass migration to work from home forced the more-immediate and wider-spread adoption of cloud. Cloud transformation has been happening over the last decade (plus) but it's been happening piecemeal. Today, companies see the business continuity benefits of cloud (in addition to the cost, efficiency, scalability, etc. benefits companies have been realizing for years) and security teams have had to have more confidence in cloud security. There was no "wait and see" with COVID. And the results were positive.
To round out the top three, other takeaways include the need for strong, adaptive, and secure identity and access management (obviously very closely tied to remote work), including the push for passwordless authentication solutions; and the emergence of API security as a standalone category, as more and more of our businesses are run on applications, and as companies want to break down technology silos with an orchestration layer that offers uniform visibility and control.
Did anything surprise you as you were compiling?
Our Annual is an amalgamation of the previous year's conversations and work so there wasn't anything surprising, as such. But in the wake of the global move to near-100% office work, it was interesting to see companies' levels of un/preparedness for remote access and BYOD—things that have been in the security conversation for a long time. I talked to many companies that were struggling to get enough VPN bandwidth as offices were shutting down, and that were turning a blind eye to unmanaged devices—because they'd bet against the probability of having hundreds or thousands of individually owned, potentially insecure devices touching critical business resources at once.
What does the federal side need to focus on in 2021?
Getting an experienced CISO or cyber director—without any political motivation—into the White House. It's unfathomable that we've been going as long as we have without someone in a position to coordinate national cyber defense. The Cyber Solarium Commission is giving it a hard push (as referenced in the Sept. 2020 GAO report), and I hope this and the next administration take action.
What does the enterprise side need to focus on in 2021?
Zero trust. It's been around for a while, and it's been a buzzword nightmare, but it is the ground floor (or should be!) for cyber security. Least privilege access, adaptive controls, multi-factor authentication, continuous verification regardless of location...a zero trust architecture will allow companies to be flexible, resilient, and drive down cyber risk.
In the last two days, I had a conversation with one company that, pre-COVID, was already architected for zero trust and one that is slowly moving there. The first company was able to transition to remote work without any disruption or added cyber risk. The second one is still evaluating endpoint security providers and next-gen access solutions. They're still concerned about access/unauthorized access and connectivity issues. The contrast between the enterprises is stark.
And, of course, I think I will always say: focus on the basics. Most of the major breaches can be attributed to fundamental security practices—up-to-date asset inventories, continuous vulnerability management, least privileged admin access, secure configurations, continuous monitoring... They're basic, but they're not easy. But that doesn't mean they shouldn't be done.
What are some ways the staffing shortage can be combated in 2021?
Automation! Automation is becoming table stakes for any security product, and if analysts/operators can automate some of their lower-level tasks, it gives them more time to focus on strategic decisions that can't be made by machines. Prioritization and bandwidth are the name of the game in managing security risk, and that's where automation comes in.
From your perspective, how does the election play into cybersecurity in the next 6 months?
It's probably our #1 imperative—and not just from government entities. Private companies and researchers need to be working together to ensure the validity of our election, and right now, we know systems can be tampered with. But it's not just about voting machines. Anything that can have downstream effects—digital misinformation campaigns, ensuring correct voter records, the USPS' ability to process and deliver ballots in a timely fashion—can compromise the election and the future of U.S. politics.