Digital Forensics & Incident Response Strategic Services Advanced Testing Services Managed Security Services
December 20, 2019
Preparing for 2020: Make Your New Year Cyber-secure

As we prepare for 2020, let’s look forward to upcoming trends that are expected to make a lasting impact in the world of cybersecurity.

3 Areas of Focus for 2020

1. Expansion through M&A

A lot of smaller technical or professional services companies are currently being acquired by larger organizations who find it easier to purchase a complementary company in a targeted geographic region than to stand up their own practice. Companies often find strategic acquisition can be a quicker, easier, less expensive and far less risky way to gain resources, core competencies and immediate market access.

Apax Partners, a private equity firm, has recently acquired Coalfire, a cybersecurity advisory and assessment services company. Coalfire supports organizations across financial services, hospitality and other industries. It also has conducted more than 1,500 penetration tests and 2,000 security assessments over the past two years.

https://www.msspalert.com/investments/private-equity-acquires-coalfire-cybersecurity-advisory-firm/

If your company is considering a merger or acquisition, you will want to investigate the company’s cybersecurity position prior to purchase. Often, there are cybersecurity issues that are lying undetected or undiscovered from an M&A standpoint. Potential buyers need to understand the critical nature of a thorough cybersecurity review—and often this can be easier to achieve with the help of a professional cybersecurity advisor. You will want to look at how the company you are purchasing is storing—and protecting—its electronic information. Not only will this information help you see the financial viability of a business, but it will also give you a clear look at existing vulnerabilities and potential security concerns.

The information revealed during a cybersecurity investigation can even impact the way a deal is structured. A well-known example of this is what happened when Verizon acquired Yahoo. The offer was ultimately cut by $350 million because of Yahoo’s wide spread cyberbreach. A professional cybersecurity company can assist you through the M&A process, helping you learn as much as possible about a company’s cyber strengths and weaknesses long before you sign on the dotted line.

2. Third-party Validation

Another burgeoning trend in cybersecurity is third-party validation. Many companies are seeking assessments for themselves or for their OEM suppliers before they conduct business. You may find that third-party validation is most critical for the vendors you depend on most. For effective validation, you will want to consider the following areas: security governance, manufacturing/operational security, software engineering and architecture, asset management, incident management, physical security and a people-centric security culture.

You will also want to evaluate a company, vendor or supplier on a periodic basis. Once is never enough. You will want to evaluate them a year from the initial assessment to see how things have changed. What’s driving this need for ongoing validation? Think of it this way: An SUV rolls off the assembly line in Michigan every 44 seconds. What if the SUV’s supplier is breached, delaying its supply of just-in-time airbags? The SUV manufacturer cannot stop production and wait for the airbags—that would seriously impact their profitability.

Cyber concerns should be looked all along the supply chain. How well do your vendors vet their service providers? Are your suppliers looking carefully at their own personnel? How well do your vendors check their products and software? In today’s world, companies are outsourcing and globalizing their supply chain more than ever before—making third-party validation increasingly more critical to business.

Communicating the importance of third-party validation to the board is also an ongoing challenge. Savvy IT professionals need to become “boardroom ready,” so they can obtain the funds they need to improve their security posture.

3. Cloud Adoption

Finally, the third cybersecurity area of focus that continues to gain traction is cloud adoption. The global public cloud services market is expected to grow 17% in 2020, to a total of $266 billion.1 With cloud, there are multitudes of misconfiguration breaches occurring daily. According to Gartner, by 2020, at least 95% of cloud security failures will be the organization’s fault.2

Companies are learning the hard way that they need to review their architecture and have a solid game plan before moving to cloud. Businesses are in such a hurry to get there because of the emphasis on speed-to-market. However, speed-to-market does not translate into cost reduction if you’re migrating your applications too quickly and introducing potential areas of risk.

Cloud breaches are usually caused by misconfigurations. Companies must implement controls quickly to prevent, detect and remediate these errors. Secure cloud configuration needs to be an ongoing process. At the core, there is configuration of cloud infrastructure. You will also need to consider configuration of the CSP’s security controls. Finally, you will want to have your SecOps team address any settings that impact settings. You, as the cloud service provider’s customer, are ultimately responsible for securing how you use your cloud services, including:

  • Proper configuration of identity and access management (IAM)
  • Storage and compute settings
  • Threat analysis and defense
  • Security of the overall application
  • Security of the data you are processing and storing in the cloud

Sometimes, the biggest risk of all is someone with a company credit card who decides to spin up a cloud service. Doing this without first going through IT for procurement, or at least allowing IT to review the service, is putting the entire company at risk.

For example, if a senior VP of sales decides to add a new CRM application up in the cloud, imagine what might happen if IT doesn’t have oversight or isn’t able to review the cloud platform to confirm its legitimacy. For only a couple thousand dollars and minimal effort, the VP of sales could place all of the company’s customer data out in cyberspace without IT even knowing about it.

Often, a third-party cybersecurity provider is best positioned to help you get to the cloud as quickly, cost-effectively and securely as possible.

Resolutions for CIOs, CISOs and IT Professionals
Obviously, there are innumerable trends to track in the new year and after—AI, OT, and IoT to name a few. IT professionals are managing thousands of assets daily, and that number is only expected to grow. So, what resolutions can you make to ensure 2020 is a secure new year? Know your data; Develop a strategic, actionable cybersecurity roadmap; Communicate the importance of your company’s security to your board, company leaders and employees; Foster a culture that prioritizes cybersecurity and realizes how essential it is to the business as a whole.

Content Sponsored by
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to effectively manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.
About the Author
Chris Burrows
Chief Strategy Officer
Chris Burrows is Chief Strategy Officer at CBI. He provides CISO level advisory services and partners with clients to discover security gaps within current infrastructure, process, staffing, risk management, cybersecurity, compliance standards and business continuity plans. Prior to joining CBI, Burrows was chief information security officer for the national award-winning Information Security Program at Oakland County. He has 29 years of experience in risk management, information security and IT operational roles. He holds a CISSP and GICSP certification along with an MBA from Lawrence Technological University. He serves on many IT security volunteer organization boards: vice president for the Michigan InfraGard Chapter, Michigan Cyber Civilians Sector Chief, Cyber Patriots advisor and Walsh College’s Cybersecurity Advisory Board.
I Need To...
S
Safeguard my data and my brand
Solutions
E
Envision my cybersecurity program
Digital Forensics & Incident Response
C
Comply with regulations
Strategic Services
U
Uncover what I have
Advanced Testing Services
R
Run my cybersecurity operations
Managed Security Services
E
Elevate my business
Why CBi