The top security projects for 2020 and 2021 include a focus on the cloud, authentication and risk.
Speaking at the Gartner Security and Risk Virtual Summit, Gartner analyst Brian Reed said the initial forecast on projects had changed due to COVID-19, and has been constantly adjusted since then. “We can see that there are areas that have marked a considerable growth from a market standpoint and an annual growth rate,” he said.
Looking back at last year’s top projects, Reed said in 2019, five were new and five were existing; this year there are eight new projects, and these “focus heavily on risk management and understanding process breakdowns.”
He also claimed that “basics” still need to be done before the top 10 projects are considered, and some “may include considerable effort, some may include culture changes and some may include considerable cost.” However, he said these should be considered as the cost of doing business “and there are some basic capabilities here to take advantage of before we get a little bit more sophisticated through any new projects.”
The top projects for 2020-2021 were:
Securing the Remote Workforce: Reed said this has become the single greatest imperative for all organizations, and “this must focus on business requirements” and enable users and groups as they deal with their work responsibilities.
Risk-Based Vulnerability Management: Reed said vulnerability management was discussed last year, and we have to understand that systems will never be 100% patched, and aim to patch those vulnerabilities which present the most risk to the organization. This should include vulnerabilities that are exploitable, or have proven exploits in the wild. “This exercise goes beyond the bulk telemetry that most enterprises are using today,” he explained. “It is also worth noting that a significant amount of effort, particularly in this last mile, is going to be on the application owners, or operations or infrastructure side of IT, to take care of patching, and it is security’s job to recommend the patches, while it is someone else who is implementing and putting in these patches.”
Extended Detection and Response: Reed explained that this is different from SOAR and SIEM, as this is a unified incident detection and response platform that automatically collects and correlates data from multiple proprietary components. This is about improving detection accuracy and threat containment, and improving the overall incident management program.
Cloud Security Posture Management: As part of a focus on cloud and cloud application security tools, Reed said this is about providing management capabilities, including the ability to take action on policy violations, as these deliver risk identifications by reviewing cloud audit and operational events, and can provide a map to frameworks and controls to better enable compliance.
Simplify Cloud Access Control Project: For the second cloud project, Reed said this is typically implemented through a CASB tool, which offers real-time security controls through either an inline proxy that can do policy enforcement or active blocking, as well as the flexibility to start out in an API or monitoring mode.
DMARC: Reed said this is by no means a single answer for email security, but it can provide an additional level of trust and verification. This is because email is easily spoofed, and we rely on it too much, and DMARC can provide verification. “It can be a good tactical project and a quick win in a lot of ways to improve email security; it should really be one part of a holistic approach to email security.”
Passwordless Authentication: Citing a statistic that found 70% of users re-use passwords between the work and personal world, Reed said there are a number of options where a second factor can be used instead of a password, such as a known asset like a phone, tablet, keyfob or smart watch. There are also further examples of using a zero-factor or multi-factor authentication. “Complete elimination of passwords is still far off and we will ultimately never get rid of passwords, but there are a number of innovative approaches that we can take to turn static passwords from a liability into something that can be an asset,” he said.
Data Classification and Protection: This is one way to ensure data is treated with consideration, as not all users and data have the same value, and you can over- or under-classify. “We need to have the right level of automated versus manual on data classification and policies, and the answer is to use a bit of both.” He recommended getting the processes and definitions right before layering in the technology.
Planning for Digital Business Initiatives: This should consider the skills of your employees, and having the right people in the right roles. “So the importance of digital competencies is not to be understated,” he said. He claimed there is too much seeking of unicorn candidates, and businesses need to realize that the perfect candidate does not exist.
Risk Assessment Automation: The last project relates to risk management, and can help security teams understand risks related to security operations. Reed cited a statistic which showed that 58% of security leaders consistently perform risk assessments for all significant new projects. “There is clearly work to do here, and there is clearly an opportunity to automate some of the risks and provide the business some visibility into where some gaps in a risk assessment might be.”
Reed said the other projects that were also reviewed were:
- Employee monitoring and surveillance technologies
- Threat attribution services
- Automated threat hunting
- Cyber-range and cyber-simulation systems
- Chatbot-based security awareness and education
- Biometric credential detection/protection
- Quantum everything
- Secure Access Service Edge (SASE)
- Cyber-physical security