Ten years ago, as cloud computing transformed the IT landscape, there was a clear takeaway from the cybersecurity community. Companies had been very eager to adopt cloud solutions, but less eager to examine the security implications. In a way, this was the same story that had played out in IT for a long time. Productivity and convenience almost always win out over security. With cloud, though, the problem ran a little deeper. Cloud solutions were incredibly disruptive to the average IT architecture, and this led to big holes in a traditional security strategy.
Ten years later, it’s not clear that many lessons got learned. For starters, companies have been slow to pick up some of the best practices for cybersecurity in a cloud world, including data loss prevention (DLP) and identity and access management (IAM). Beyond that, the same pattern of cybersecurity as an afterthought repeated itself with the shift to remote work. To be sure, the pandemic was much more critical than the shift to cloud. But there still seems to be a disconnect between how organizations say they prioritize cybersecurity and the actions they actually take.
CompTIA’s State of Cybersecurity 2021 report finds that there is a growing sense of unease with cybersecurity practices. Overall, US workers feel worse about the general state of cybersecurity—69% say the situation is improving compared to 80% in 2020. At the same time, there is less satisfaction with their company’s security posture—70% satisfied compared to 82% in 2020. To really address all the different aspects of cybersecurity, businesses need to rethink their entire approach from the ground up.
Policy
For the purposes of CompTIA’s study, policy refers to the corporate mindset and culture around cybersecurity. For many years, the mindset and culture were defensive, focusing on a secure perimeter to protect assets that were all in one location. Today, with assets far more distributed, a new policy is needed.
Zero trust has emerged as the overarching policy that many post-cloud activities follow. In a zero trust architecture, there are no assumptions made about the authenticity of data or access requests. Instead, each piece is examined individually, and in many cases checked multiple times. This results in a wide array of activities such as multifactor authentication, microsegmentation, and least-privilege access. The activities, though, are less important than the basic understanding of why the activities are needed (and how much investment is required).
Process
Cybersecurity process needs to be both wide and deep. The breadth comes from the number of processes that are needed. This can range from technical areas such as security monitoring and threat intelligence to non-technical areas such as workforce education and risk management. The depth comes from the level of detail that each process requires. For example, security monitoring is not simply setting notifications to search for known attacks. It includes analytics to assess network behavior over time and highlight any anomalies.
People
Obviously, the main way to deal with the level of detail in cybersecurity processes is to ensure the right level of expertise among cybersecurity professionals. With so many different holes to plug, few companies are interested in bringing every skill in-house. There will certainly be a lot of training and hiring, but there will also be expanded use of existing partners and new partnering with specialized firms.
This is just the beginning of the security team, though. With technology embedded throughout the organization and cybersecurity as a top organizational concern, every individual in the company ends up being part of the cybersecurity chain, from the board of directors to business staff to IT specialists. The trick is making sure that the cybersecurity message is consistent across all these different groups and that metrics are built to address concerns at every level.
Product
The last piece of the cybersecurity puzzle is the place where most companies started under the old approach. The technology tools used to be the first line of defense, but now they are the final ingredient that allows the people to carry out the processes.
As with every other part of the cybersecurity strategy, the products needed for solid defense and offense have grown in scope. Firewall and antivirus still play a role, but many other tools, such as password managers, packet sniffers or security information and event management (SIEM) dashboards, target specific tactics.
It’s not easy to tackle cybersecurity these days. Companies are still wrestling with a shift to strategic IT and generational changes to IT architecture, and proper cybersecurity is a major initiative fighting for dollars and attention. With so much at stake, a haphazard approach can greatly increase risk. The best way to build better cybersecurity is to build from the ground up, working through policy, process, people, and product.