
The Magnificent Seven 2021

By Dan Hadaway | Monday, December 21, 2020 - Leave a Comment

Seven Trends . . . that small bank Information Security Officers face in 2021

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of small banks (under five billion in assets). My intent: help you organize your thoughts for the upcoming year.

So, what issues do we think Information Security Officers will tackle in 2021?

M-7 Trend #7: A perennial trend: Address the Top Seven Risks . . . an annual list we make that we call R7 . . . the top seven risks that the typical community-based bank faces. And, by the way, one easy way to start addressing them is to present our R7 list to your board of directors.

M-7 Trend #6:  A newer trend:

WAIT WAIT WAIT WAIT WAIT!!

Hold on a second.

Normally we present our top seven trends in reverse order, in the spirit of a typical “David Letterman List,” where we save the best for last. But this year we feel the number one trend has such a wide-reaching impact that it affects the other six trends, including responding to risk, as illustrated with trend seven above. So . . . no David Letterman Style list this time. Instead, let’s just jump to the number one trend of 2021.

And no, the number one trend is not the pandemic, though it started and accelerated during the recovery. Instead, the number one trend is what I’m calling The Disappearance. The Disappearance is simply a reverse way of saying “the virtualization of everything.”

Everything is disappearing. Servers . . . disappeared. Phone systems. Gone. Conferences and workshops – virtual. Cameras . . . replaced by the webcams in our endpoints. I mean, when is the last time you saw your auditor in person? Your examiner?

Even our meetings are disappearing.

This started a decade ago, when our servers continued their increase in numbers, but not in physical rack-space, as virtualization became the norm. What started as virtual machines is now virtual meetings, virtual training, virtual phone systems, and even virtual security systems. Taking this further: cloud computing is now in the late majority phase of adoption, and we’re even putting our networks in the cloud with Azure, AWS, etc.

The second trend is actually a superset of the first: the pent-up adoption of new technologies. The momentum of new technology adoption that we spoke of at the end of 2019 is still there. The pandemic exacerbated this trend, and we believe 2021 will see the adoption of many new technologies, including the virtualization of everything. As the “late majority” of many technologies was supposed to start a year ago, we see small banks planning everything from finally pulling the trigger on new mobile banking products to identity and access management to expanding and upgrading their security capabilities.

Meanwhile, the paradigm shift created by the pandemic . . . with implications ranging from the final mobilization of endpoints to working from home . . . The Disappearance . . . is causing us to adopt new controls ranging from Network Access Control or Conditional Access on our perimeters to endpoint security on our laptops. New technologies leveraging big data, machine learning, neural networks and even the seeds of artificial intelligence tactics are still in the mix. And with an eye on the risk of all this, many of us are planning to adopt new technologies as we “finish the recovery.” This leads to the third and fourth trends: MFA Everything, and Endpoint Security. These two self-explanatory trends will help us when we embark on the fifth trend.

All this adoption of new technologies right during The Disappearance is requiring us to “try a different perspective” on technology risk management. While we were already growing concerned that the FFIEC’s Cybersecurity Assessment Tool was five years old last July, management is growing increasingly apt to “micro-manage” the response to the ransomware threat, out of legitimate concern. We worry that the FFIEC is too slow to update its guidance, while we see other organizations maintaining well-refreshed bodies of knowledge. Thus, when we saw the Conference of State Bank Supervisors release the Ransomware Self-Assessment Tool, we started suggesting that even non-state bank ISOs consider answering the 16 questions in an exercise with their management teams. But beyond that, we are starting to see banks look at adopting the NIST Cybersecurity Standard, the CIS Top 20 Controls, or even the Cybersecurity Profile published by the ABA-endorsed Cyber Risk Institute. Each of these frameworks is updated far more regularly than the FFIEC guidance. The CIS Top 20 has been updated at least seven times since 2014, if I counted right.

All three of these frameworks, by the way, lead a community-based bank to adopt MFA on Everything and Endpoint Security as basic controls. Beware (and maybe by way of disclosure): each of these frameworks will also lead you to rely more heavily on the output of a good SIEM. While this is self-serving, we maintain that the need to try a different perspective is supported by the sixth trend.

The sixth trend gives us pause. While 2020 has been a difficult year for most of us, it still proves the adage that every cloud has a silver lining. The sixth trend, that Management is On Board, was slowly emerging before the pandemic. Then management had to become involved in their first true “disaster recovery,” bonded with the governance process, recognized the need for security and resources, and stepped up to the plate. Sure, there were problems, but I am very proud of what I witnessed as the banking industry showed the rest of the world how to recover from a pandemic, and this would not have been possible without the cooperation, faith, confidence, and GOVERNANCE of our management TEAMS. Let’s take advantage of this: while management is focused on cybersecurity, let’s address the top seven risks, safely address the virtualization of everything, put MFA everywhere, invest in network access control or conditional access or endpoint security, and switch to a new framework.

In 2020, the Magnificent Seven is a Sentence:

So, to summarize, the top seven trends for 2021, according to Dan:

1) The Disappearance,
2) as well as Pent-up Adoption of New Technologies,
3) causes us to apply MFA to Everything
4) and revisit Endpoint Security,
5) while we try a different perspective . . .
6) (especially while) Management is on Board . . .
7) so we can Manage the Top Seven Risks!


Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
