
The Magnificent Seven 2021

By Dan Hadaway | Monday, December 21, 2020 - Leave a Comment

Seven Trends . . . that small bank Information Security Officers face in 2021

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of small banks (under five billion in assets). My intent: help you organize your thoughts for the upcoming year.

So, what issues do we think Information Security Officers will tackle in 2021?

M-7 Trend #7:  A perennial trend:  Address the Top Seven Risks . . . an annual list we make that we call R7 . . . the top seven risks that the typical community-based bank faces.  And, by the way, one easy way to start addressing them is to present our R7 list to your board of directors.

M-7 Trend #6:  A newer trend:

WAIT WAIT WAIT WAIT WAIT!!

Hold on a second.

Normally we present our top seven trends in reverse order, in the spirit of a typical “David Letterman List,” where we save the best for last. But this year, including the way we respond to risk as illustrated by trend seven above, we feel the number one trend has such a wide-reaching impact that it shapes the other six. So . . . no David Letterman Style list this time. Instead, let’s just jump to the number one trend of 2021.

And no, the number one trend is not the pandemic, though the trend started and accelerated during the recovery. Instead, the number one trend is what I’m calling The Disappearance. The Disappearance is simply a reverse way of saying “the virtualization of everything.”

Everything is disappearing. Servers . . . disappeared. Phone systems. Gone. Conferences and workshops – virtual. Cameras . . . replaced by the webcams in our endpoints. I mean, when is the last time you saw your auditor in person?  Your examiner?

Even our meetings are disappearing.

This started a decade ago, when our servers continued their increase in numbers, but not in physical rack-space, as virtualization became the norm. What started as virtual machines is now virtual meetings, virtual training, virtual phone systems, and even virtual security systems. Taking this further: cloud computing is now in the late majority phase of adoption, and we’re even putting our networks in the cloud with Azure, AWS, etc.

The second trend is actually a superset of the first: the pent-up adoption of new technologies. The momentum of new technology adoption that we spoke of at the end of 2019 is still there. The pandemic exacerbated this trend, and we believe 2021 will see the adoption of many new technologies, including the virtualization of everything. Since the “late majority” adoption of many technologies was supposed to start a year ago, we see small banks planning everything from finally pulling the trigger on new mobile banking products, to identity and access management, to expanding and upgrading their security capabilities. Meanwhile, the paradigm shift created by the pandemic . . . with implications ranging from the final mobilization of endpoints to working from home . . . The Disappearance . . . is causing us to adopt new controls ranging from Network Access Control or Conditional Access on our perimeters to endpoint security on our laptops. Meanwhile, new technologies leveraging big data, machine learning, neural networks and even the seeds of artificial intelligence tactics are still in the mix. And with an eye on the risk of all this, many of us are planning to adopt new technologies as we “finish the recovery.” This leads to the third and fourth trends: MFA Everything, and Endpoint Security. And these two self-explanatory trends will help us when we embark on the fifth trend.

All this adoption of new technologies right during The Disappearance is requiring us to “try a different perspective” on technology risk management. While we were already growing concerned that the FFIEC’s Cybersecurity Assessment Tool was five years old last July, management is growing increasingly apt to “micro-manage” the response to the ransomware threat, out of legitimate concern. We worry that the FFIEC is too slow to update its guidance, while we see other organizations maintaining well-refreshed bodies of knowledge. Thus, when we saw the Conference of State Bank Supervisors release the Ransomware Self-Assessment Tool, we started suggesting that even non-state bank ISOs consider answering its 16 questions in an exercise with their management teams. But beyond that, we are starting to see banks look at adopting the NIST Cybersecurity Standard, the CIS Top 20 Controls, or even the Cybersecurity Profile published by the ABA-endorsed Cyber Risk Institute. Each of these frameworks is updated far more regularly than the FFIEC guidance. The CIS Top 20 has been updated at least seven times since 2014, if I counted right.

All three of these frameworks lead a community-based bank, by the way, to adopt MFA on Everything and Endpoint Security as basic controls. Beware (and, by way of disclosure): each of these frameworks will also lead you to rely more heavily on the output of a good SIEM. While this is self-serving, we maintain that the need to try a different perspective is reinforced by the sixth trend.

The sixth trend gives us pause. While 2020 has been a difficult year for most of us, it still proves the adage that every cloud has a silver lining. The sixth trend, that Management is On Board, was slowly emerging before the pandemic. Then management had to become involved in their first true “disaster recovery,” bonded with the governance process, recognized the need for security and resources, and stepped up to the plate. Sure, there were problems, but I am very proud of what I witnessed as the banking industry showed the rest of the world how to recover from a pandemic, and this would not have been possible without the cooperation, faith, confidence, and GOVERNANCE of our management TEAMS. Let’s take advantage of this: while management is focused on cybersecurity, let’s address the top seven risks, safely address the virtualization of everything, put MFA everywhere, invest in network access control or conditional access or endpoint security, and switch to a new framework.

In 2020, the Magnificent Seven is a Sentence:

So, to summarize, the top seven trends for 2021, according to Dan:

1) The Disappearance,
2) as well as Pent-up Adoption of New Technologies,
3) causes us to apply MFA to Everything
4) and revisit Endpoint Security,
5) while we try a different perspective . . .
6) (especially while) Management is on Board . . .
7) so we can Manage the Top Seven Risks!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
