It's always good to look back at the year that was. When you're in the middle of it, it's sometimes hard to get a perspective on what the most salient lessons will be.
Now that it's all in the rear-view mirror, here's what we learned about Cyber Security from over 100 audits we conducted in 2021.
The time when we used to blame the Board for their lack of awareness and involvement in Information Security is gone. With a significant increase in the number of board-level presentations we did, here at Secure Forte, we can confidently announce a substantial increase in knowledge of the importance of Cybersecurity amongst the leadership team. If you are thinking about starting your presentation with slides such as “why Information Security is important”, you will miss the mark big time. Instead, demonstrate to them that as a security advisor, you understand their business objectives and direction and keep hammering home those objectives with a pragmatic roadmap to heighten the effectiveness of Information Security capabilities.
Among the clients who had a well-established cybersecurity framework in place, some were lacking an equally well-formed compliance measuring and management system, and as management guru Peter Drucker once said, “If you can’t measure it, you can’t manage it”.
With the increased number of compliance and contractual obligations being pushed by upstream customers and privacy regulators, we saw companies hopelessly burning their cash to catch up with those compliance needs.
The result? Bad governance and an increase in unnecessary expenditure. Let's look at the intention of regulations such as ISO2700, NIST and GDPR: the compliance requirement is in place to protect the data - not to make auditors happy. To overcome this, compliance must be achieved through a more holistic approach, involving the whole company, directed by the leadership team, as opposed to organised and tackled like a project, by one person or team.
Vendor Risk Management
Looking at our larger client organisations, we see that typically, leadership teams have a good understanding of the inherent risks of third-party suppliers. However, the Vendor Risk Management process is frequently little more than a tick-the-box approach that assesses the supplier’s capabilities at a point in time (still an outstanding achievement and awareness developed by the Security team).
But what about going to the next level? Many of those third-party suppliers are reseller companies and are really just the tip of the iceberg. It is crucial to identify high-impact fourth-party suppliers and ensure they have been contractually obligated to protect the confidentiality of the information they collect, and that their Information Security capabilities have been thoroughly reviewed by qualified assessors.
With incidents like SolarWinds and Log4j, the risk status of your technology providers is constantly changing, and you should also proactively monitor their threat profile by leveraging threat intelligence feeds.
Incident Response is an area for improvement
We noticed substantial improvements in Incident Response process documentation. However, we will temper our excitement until we have fully reviewed the frequency of these reports. The responses were six months to one year old, which, in our view, demonstrates a poor detection mechanism due to uncoordinated log management and lack of threat intelligence feeds.
We also noticed insufficient involvement in, and oversight of, the whole Incident Response process by leadership teams. Our takeaway: those documented processes were only made for compliance auditors, without being properly understood and executed throughout the company environment.
Application Security challenges
The key challenges observed through collaborating with the development and leadership teams include:
Finding a fit-for-purpose off-the-shelf solution has become a real challenge due to the variety of vendor solutions. This is also hindered by a lack of a true independent spirit in our fellow independent software review companies.
There is a greater amount of offshore contract development due to cost-saving benefits. This has increased the risk of IP theft, backdoors, and of course, exposure of sensitive data to nation-state actors.
Increased dependencies amongst software companies through API integration. We could say that the Log4Shell 0-day was the ultimate wrap-up of 2021 and has taught us the importance of properly understanding the impact of API and technology partners on Supply Chain risks.
The good news is that we also noticed improvements in this area. The importance of knowledge and awareness in secure coding has become a must-have criterion when hiring a new software developer. Security has been addressed as a primary component in the software development lifecycle and is reviewed independently by qualified senior members of the team. Companies, especially in FSI, have a dedicated budget for regular penetration testing and regular independent software code review (thank you PCI!).
Next wave: companies must ensure that software assets are understood and valued by the leadership team.
For press comment or additional information please contact
Mani Amini at Secure Forte 1300 272 182