Blog

Security Predictions for 2021 from the (ISC)² Community of Security Professionals (PART 1)

Dec 28, 2020

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP, John Martin, CISSP-ISSAP, and Richard Nealon, CISSP-ISSMP, CISSP, SSCP, SCF, CISM, CISA

2020 was a year of change. It changed the way that people work and how they interact with each other. Wondering what 2021 might look like for information security professionals? This is the first in a series of posts in which we discuss what we believe 2021 may have in store for information security professionals.

Some of the issues faced by security professionals in 2021/2022 will include (but are not limited to) the evolving landscape of privacy, the ongoing necessity for remote access, the advent of 5G and AI, and the question of whether we will continue to be plagued by ransomware. We will also see new laws and regulations related to the Internet of Things and the devices that are intended to improve our lifestyle.

Privacy

Privacy work will continue, with new laws and regulations being passed regularly. Security practitioners will need to stay aware of all the changes, as the laws and standards are becoming widespread and continually changing, and will sometimes need to reconcile potentially conflicting legislation (e.g. from different jurisdictions).

During the last presidential election in the U.S., Californians passed Proposition 24, the California Privacy Rights Act (CPRA), which amends and expands the existing California Consumer Privacy Act (CCPA). Changes such as this matter to information security professionals because new laws introduce subtle changes that affect how you must protect data.

If you work in a global organization, we found a good comparison of GDPR, CCPA, and CPRA here: https://wirewheel.io/cpra-ccpa-gdpr-and-the-impact-on-your-data-privacy-operations/

We believe that the many new privacy laws and regulations being developed in various countries and states (or provinces/territories) will continue to cause confusion for information security professionals.

In 2021/2022, we envision privacy and security merging into a single role as many countries and states look, or will look, to improve and augment their privacy standards and guidance. Security professionals will need to be aware of all changes to the laws. These changes will continue to cause confusion not only for information security professionals but also for the organisations that employ them. Global organisations will need to review and understand the laws of every country in which they do business or have customers.

Our best recommendation is that the professional apply security measures that satisfy the most restrictive applicable law, legislation or regulation.

We see a trend in 2021 of universities offering courses specialising in privacy to highlight the importance of privacy engineering and applying security and privacy by design in a continuous manner. Carnegie Mellon recently announced a new privacy engineering certificate and master’s degree specialising in Information Privacy: https://bit.ly/3lrKWcb

(ISC)² Community member Paul Guido, CISSP, echoes the sentiments of many: privacy should be paramount, but he sees too many senior executives “drunk on the idea that data hoarding is a good thing. Holding on to data that has outlived its usefulness is a large liability that will crush organizations in the future.”

For those who would like to know which countries have privacy laws, this vendor’s site is useful as it provides a high-level view of the laws: https://i-sight.com/resources/a-practical-guide-to-data-privacy-laws-by-country/

Readers are reminded that many local states/territories/provinces also have their own sets of regulations. Please review these before implementing your security program.

Also, (ISC)² has courses available on GDPR: https://www.isc2.org/Development/Immersive-Courses/GDPR-for-Security-Professionals

Remote Access aka Work from Home (WFH)

As we continue to deal with COVID-19, we do not see any decline in the current levels of remote access or work from home. In discussions with many individuals from all industries, people are torn on whether work from home will become the wave of the future, with many never returning to their office building, or whether employers will physically bring all staff back on-site.

In discussion with one COO, he pointed out that his organization was functioning as well as it once did with employees now working from home, and that there had already been discussions of downsizing the office space such that employees shared office/desk space when they arrived at the office. He believed this move would significantly save on overhead.

Yet, other employers feel that they may be losing employee loyalty.

We believe that there are downsides to work from home and remote access including managing the empty office space that many organizations will be left owning/leasing.

In another discussion, it was pointed out that remote access (WFH) could lead to an increase in insider threats, data leakage, mental health issues, ergonomic issues, etc.

Many questions arise from this ongoing remote access (WFH) model e.g. how does one do contingency planning? As Richard Nealon points out, the recent pandemic has forced businesses to utilize their business continuity objectives, plans, and processes. Most are now running in “continuity mode” because they find all/most of their employees working from diverse remote locations that were “cold sites” previously (i.e. home). The maturity, and adoption of (scalable) Cloud and secure remote access solutions has made this an easier task than it would have been five years ago. Nealon’s prediction is that businesses will adopt this WFH model as the new normal, and will save greatly on real-estate, facilities management, physical controls, etc. that come with running large office environments.

Remote access does raise the question of what to do if there is a regional natural disaster (e.g. a power outage, a snowstorm, a flood) in which people are needed at the office premises or are themselves affected by the disaster. We see 2021 as a year of planning for many organizations and forecast that WFH will still be in effect for most office employees through most, if not all, of the year.

Another question that will remain and fortunately, the InfoSec person will not need to solve is “What do they do with all the empty space, the empty office towers, etc.?” This issue makes us glad that we are not working in physical security, and that we are not commercial landlords!

Insider threats

In discussions between Diana-Lynn Contesti and Richard Nealon, he predicts that the threat from “insiders” (i.e. employees and contractors) will increase. For an insider incident to occur, the insider needs motivation, opportunity and ability (see the Ability-Motivation-Opportunity framework: https://www.academia.edu/9727365/The_Ability_Motivation_Opportunity_Framework_for_Behavior_Research_in_IS ).

Motivation is often associated with financial gain but may also be increased by a feeling of corporate abandonment arising from the recent pandemic. Ability is often assisted by the plethora of manuals and videos freely available on the Internet and the dark web. Before COVID-19, when many or most employees were working on the organisation’s premises, supervisors had greater oversight of what employees were doing with their time, whether they were displaying mental health issues, and whether they were interacting well with their fellow workers. Workers could also easily be questioned when something unexpected happened. Not so anymore. The opportunity now exists for workers to conduct unauthorised activity using authorised access, without being physically observed.

Data Leakage

Data leakage will be inevitable. Data leakage is defined as the unauthorized transmission of data from within an organization to an external destination or recipient. The term can be used to describe data that is transferred electronically or physically.

Nealon suggests that there will be an increase in data leakage because data is now regularly accessed outside a controlled physical environment. Even with the most sophisticated remote access controls, screens can easily be photographed in the comfort of private homes and data leaked without any ability to detect that leakage. Similarly, sensitive conversations can easily be recorded by either party, and extremely confidential material arising from those conversations disclosed without detection. Needless to say, employees who use shared home computers for work introduce additional risk. In any case, the assumption underlying eDiscovery, that all copies of corporate data are retained within the organisation’s information environment, no longer holds.

Zero Trust Architecture (ZTA)

Zero Trust is not a new concept; the underlying idea of de-perimeterisation dates back to 2003, when the challenges of defending the perimeter of organizations were first recognized.

We anticipate that Zero Trust (ZT) and Zero Trust Architecture (ZTA) will not settle down until 2022 or 2023, with many vendors offering many different solutions, most of them not following principles such as those in NIST SP 800-207 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf). There is a great deal of vendor bias presenting ZTA as something driven by technology, when in fact it depends on the business objectives of the organisation. ZTA is a journey, which has to be driven from the top down and requires traditional security to be reversed from outside-in to inside-out: trust is decided per request around the identity, the device and the data being accessed, not around network location.

Organizations will remain confused, thinking they are applying ZT, when in fact only a small number will implement a complete Zero Trust Architecture. In practice, applying even a small portion of the ZTA would be enough to cope with many modern-day attacks. Traditional security is failing, has failed and will continue to fail. We must reduce or slow down cyber criminals’ ability to make financial gains out of other organisations’ inability to do the basics well.
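To make the “inside-out” point concrete, here is a small, added example of a per-request access decision in the spirit of NIST SP 800-207. It is illustrative code written for this post, not code from (ISC)² or NIST, and every name (Subject, Device, Resource, decide_access), posture score and threshold is an assumption chosen for the example. The one property worth noticing is that the caller’s network location is accepted only so it can be logged; it never influences the decision, so the same request from the corporate LAN and from home wifi is decided the same way.

```python
"""
Illustrative per-request access decision in the spirit of NIST SP 800-207.
Added teaching example; not code from the (ISC)^2 post or from NIST. All
names, scores and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool      # strong authentication completed for this session
    groups: frozenset       # entitlements from the identity provider


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int     # days since the last security update was applied


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str        # one of "public", "internal", "confidential"
    allowed_groups: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def device_trust(dev: Device) -> int:
    """Crude posture score (0-4). In a real deployment this signal would come
    from an EDR/MDM feed and be refreshed continuously, not computed here."""
    score = 0
    if dev.managed:
        score += 2
    if dev.disk_encrypted:
        score += 1
    if dev.patch_age_days <= 30:
        score += 1
    return score


# Minimum posture score required per sensitivity label (assumed values).
REQUIRED_TRUST = {"public": 0, "internal": 2, "confidential": 4}


def decide_access(subj: Subject, dev: Device, res: Resource,
                  source_network: str) -> Decision:
    """Evaluate one request. Default is deny; every check must pass.

    source_network is recorded in the reason for audit purposes only. It is
    deliberately absent from every condition: being on the corporate LAN
    confers no trust, and being at home costs none.
    """
    if res.sensitivity not in REQUIRED_TRUST:
        return Decision(False, f"unknown sensitivity label {res.sensitivity!r}")
    if not (subj.groups & res.allowed_groups):
        return Decision(False, f"{subj.user} is not authorised for {res.name}")
    if res.sensitivity != "public" and not subj.mfa_verified:
        return Decision(False, "MFA required for non-public resources")
    needed = REQUIRED_TRUST[res.sensitivity]
    have = device_trust(dev)
    if have < needed:
        return Decision(False,
                        f"device posture {have} below {needed} required for "
                        f"{res.sensitivity} data")
    return Decision(True,
                    f"allowed (request from {source_network}); "
                    f"re-evaluated on the next request")


if __name__ == "__main__":
    # Constructed sample request: same user, same resource, two devices.
    alice = Subject("alice", mfa_verified=True, groups=frozenset({"finance"}))
    ledger = Resource("ledger", "confidential", frozenset({"finance"}))
    managed = Device(managed=True, disk_encrypted=True, patch_age_days=10)
    byod = Device(managed=False, disk_encrypted=False, patch_age_days=90)

    print(decide_access(alice, managed, ledger, "home-wifi"))
    print(decide_access(alice, byod, ledger, "corporate-lan"))
```

Run as written, the managed laptop on home wifi is allowed and the unmanaged device on the corporate LAN is denied, which is exactly the inversion of a perimeter model. A production policy engine would add continuous re-evaluation and session revocation when posture changes mid-session; those pieces are omitted here to keep the decision logic readable.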

Security Architecture

Richard Nealon believes that in 2021 security architecture will come under serious challenge to justify its value. Already, he feels, business confuses architecture with “the plumbing” (i.e. interconnecting systems with no focus on information). Focus will continue to shift away from being able to trace information trust through security attributes, services, processes, mechanisms, components and operational management (the big picture). This coincides with the dumbing-down of security strategy and planning in recent years, where the skill of the architect has been replaced in many organisations by the marketing hype of the vendor or solutions provider.

  • Security will fall through the cracks, with security professionals acting in silos and justifying inevitable impacts on information by saying “Well, my systems worked.”
  • Technical solutions will be sourced, implemented and managed that have no impact on reducing business risk. They will waste money, time and effort, while the important threats, vulnerabilities and impacts go unaddressed.

However, John Martin, as an experienced security architect, counters this argument. In driving everyone to the cloud through digital transformation, we have allowed data to be distributed widely and our controls to become fragmented. In particular, we have placed more reliance on the cloud provider, when the organisation remains inherently responsible for protecting its data, wherever it resides and whoever is permitted access. No matter how complex or how containerised systems become, you still need strong architecture principles and associated processes with full accountability. People are inherently lazy whichever methodology they use; agile still needs to be applied with discipline, alongside DevSecOps.

It seems that 2021 will be a pivotal year for security architecture, with some organizations moving away from a standardized method whilst others embrace and augment their existing architectures.

In the next articles in this series, we will discuss 5G, IoMT/IoT, AI, ransomware and digital transformation, and how they will affect information security.