As we prepare for 2020, let’s look forward to upcoming trends that are expected to make a lasting impact in the world of cybersecurity.
A lot of smaller technical or professional services companies are currently being acquired by larger organizations who find it easier to purchase a complementary company in a targeted geographic region than to stand up their own practice. Companies often find strategic acquisition can be a quicker, easier, less expensive and far less risky way to gain resources, core competencies and immediate market access.
Apax Partners, a private equity firm, has recently acquired Coalfire, a cybersecurity advisory and assessment services company. Coalfire supports organizations across financial services, hospitality and other industries. It also has conducted more than 1,500 penetration tests and 2,000 security assessments over the past two years.
If your company is considering a merger or acquisition, you will want to investigate the company’s cybersecurity position prior to purchase. Often, there are cybersecurity issues that are lying undetected or undiscovered from an M&A standpoint. Potential buyers need to understand the critical nature of a thorough cybersecurity review—and often this can be easier to achieve with the help of a professional cybersecurity advisor. You will want to look at how the company you are purchasing is storing—and protecting—its electronic information. Not only will this information help you see the financial viability of a business, but it will also give you a clear look at existing vulnerabilities and potential security concerns.
The information revealed during a cybersecurity investigation can even impact the way a deal is structured. A well-known example of this is what happened when Verizon acquired Yahoo. The offer was ultimately cut by $350 million because of Yahoo’s widespread cyber breach. A professional cybersecurity company can assist you through the M&A process, helping you learn as much as possible about a company’s cyber strengths and weaknesses long before you sign on the dotted line.
Another burgeoning trend in cybersecurity is third-party validation. Many companies are seeking assessments for themselves or for their OEM suppliers before they conduct business. You may find that third-party validation is most critical for the vendors you depend on most. For effective validation, you will want to consider the following areas: security governance, manufacturing/operational security, software engineering and architecture, asset management, incident management, physical security and a people-centric security culture.
You will also want to evaluate a company, vendor or supplier on a periodic basis. Once is never enough. You will want to evaluate them a year from the initial assessment to see how things have changed. What’s driving this need for ongoing validation? Think of it this way: An SUV rolls off the assembly line in Michigan every 44 seconds. What if the SUV’s supplier is breached, delaying its supply of just-in-time airbags? The SUV manufacturer cannot stop production and wait for the airbags—that would seriously impact their profitability.
Cyber concerns should be examined all along the supply chain. How well do your vendors vet their service providers? Are your suppliers looking carefully at their own personnel? How well do your vendors check their products and software? In today’s world, companies are outsourcing and globalizing their supply chain more than ever before—making third-party validation increasingly critical to business.
Communicating the importance of third-party validation to the board is also an ongoing challenge. Savvy IT professionals need to become “boardroom ready,” so they can obtain the funds they need to improve their security posture.
Finally, the third cybersecurity area of focus that continues to gain traction is cloud adoption. The global public cloud services market is expected to grow 17% in 2020, to a total of $266 billion.[1] With cloud, there are multitudes of misconfiguration breaches occurring daily. According to Gartner, by 2020, at least 95% of cloud security failures will be the organization’s fault.[2]
Companies are learning the hard way that they need to review their architecture and have a solid game plan before moving to cloud. Businesses are in such a hurry to get there because of the emphasis on speed-to-market. However, speed-to-market does not translate into cost reduction if you’re migrating your applications too quickly and introducing potential areas of risk.
Cloud breaches are usually caused by misconfigurations. Companies must implement controls quickly to prevent, detect and remediate these errors. Secure cloud configuration needs to be an ongoing process. At the core, there is configuration of cloud infrastructure. You will also need to consider configuration of the CSP’s security controls. Finally, you will want to have your SecOps team address any settings that impact settings. You, as the cloud service provider’s customer, are ultimately responsible for securing how you use your cloud services, including:
Sometimes, the biggest risk of all is someone with a company credit card who decides to spin up a cloud service. Doing this without first going through IT for procurement, or at least allowing IT to review the service, is putting the entire company at risk.
For example, if a senior VP of sales decides to add a new CRM application up in the cloud, imagine what might happen if IT doesn’t have oversight or isn’t able to review the cloud platform to confirm its legitimacy. For only a couple thousand dollars and minimal effort, the VP of sales could place all of the company’s customer data out in cyberspace without IT even knowing about it.
Often, a third-party cybersecurity provider is best positioned to help you get to the cloud as quickly, cost-effectively and securely as possible.
Resolutions for CIOs, CISOs and IT Professionals
Obviously, there are innumerable trends to track in the new year and after—AI, OT, and IoT to name a few. IT professionals are managing thousands of assets daily, and that number is only expected to grow. So, what resolutions can you make to ensure 2020 is a secure new year? Know your data. Develop a strategic, actionable cybersecurity roadmap. Communicate the importance of your company’s security to your board, company leaders and employees. Foster a culture that prioritizes cybersecurity and realizes how essential it is to the business as a whole.