The Magnificent Seven 2021

By Dan Hadaway | Monday, December 21, 2020 - Leave a Comment

Seven Trends . . . that small bank Information Security Officers face in 2021
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of small banks (under five billion in assets). My intent: help you organize your thoughts for the upcoming year.

So, what issues do we think Information Security Officers will tackle in 2021?

M-7 Trend #7:  A perennial trend:  Address the Top Seven Risks . . . an annual list we make that we call R7 . . . which are the top seven risks that the typical community based banks face.  And, by the way, one easy way to start addressing them is to present our R7 list to your board of directors.

M-7 Trend #6:  A newer trend:

WAIT WAIT WAIT WAIT WAIT!!

Hold on a second.

Normally we present our top seven trends in reverse order, in the spirit of a typical “David Letterman List,” where we save the best for last. But this year we feel the number one trend has such a wide-reaching impact that it affects the other six trends, including responding to risk as illustrated by trend seven above. So . . . no David Letterman Style list this time. Instead, let’s just jump to the number one trend of 2021.

And no, the number one trend is not the pandemic, though it was started and accelerated during the recovery. Instead, the number one trend is what I’m calling The Disappearance. The Disappearance is simply a reverse way of saying, “the virtualization of everything.”

Everything is disappearing. Servers . . . disappeared. Phone systems. Gone. Conferences and workshops – virtual. Cameras . . . replaced by the webcams in our endpoints. I mean, when is the last time you saw your auditor in person? Your examiner?

Even our meetings are disappearing.

This started a decade ago, when our servers continued their increase in numbers, but not in physical rack-space, as virtualization became the norm. What started as virtual machines is now virtual meetings, virtual training, virtual phone systems, and even virtual security systems. Taking this further: cloud computing is now in the late majority phase of adoption, and we’re even putting our networks in the cloud with Azure, AWS, etc.

The second trend is actually a superset of the first: the pent-up adoption of new technologies. The momentum of new technology adoption that we spoke of at the end of 2019 is still there. The pandemic exacerbated this trend, and we believe 2021 will see the adoption of many new technologies, including the virtualization of everything. As the “late majority” of many technologies was supposed to start a year ago, we see small banks planning everything from finally pulling the trigger on new mobile banking products to identity and access management to expanding and upgrading their security capabilities. Meanwhile, the paradigm shift created by the pandemic . . . with implications ranging from the final mobilization of endpoints to working from home . . . The Disappearance . . . is causing us to adopt new controls ranging from Network Access Control or Conditional Access on our perimeters to endpoint security on our laptops. Meanwhile, new technologies leveraging big data, machine learning, neural networks and even the seeds of artificial intelligence tactics are still in the mix. And with an eye on the risk of this, many of us are planning to adopt new technologies as we “finish the recovery.” This leads to the third and fourth trends: MFA Everything, and Endpoint Security. And these two self-explanatory trends will help us when we embark on the fifth trend.

All this adoption of new technologies right during The Disappearance is requiring us to “try a different perspective” on technology risk management. While we were already growing concerned that the FFIEC’s Cybersecurity Assessment Tool was five years old last July, management is growing increasingly apt to “micro-manage” the response to the ransomware threat, out of legitimate concern. We worry that the FFIEC is too slow to update its guidance, while we see other organizations maintaining well-refreshed bodies of knowledge. Thus, when we saw the Conference of State Bank Supervisors release the Ransomware Self-Assessment Tool, we started suggesting that even non-state bank ISOs consider answering its 16 questions in an exercise with their management teams. But beyond that, we are starting to see banks look at adopting the NIST Cybersecurity Standard, the CIS Top 20 Controls, or even the Cybersecurity Profile published by the ABA-endorsed Cyber Risk Institute. Each of these frameworks is updated far more regularly than the FFIEC guidance. The CIS Top 20 has been updated at least seven times since 2014, if I counted right.

All three of these frameworks lead a community-based bank, by the way, to adopt MFA on Everything and Endpoint Security as basic controls. Beware (and maybe by way of disclosure): each of these frameworks will also lead you to rely more heavily on the output of a good SIEM. While this is self-serving, we maintain that the need to try a different perspective is reinforced by the sixth trend.

The sixth trend gives us pause. While 2020 has been a difficult year for most of us, it still proves the adage that every cloud has a silver lining. But the sixth trend, that Management is On Board, was slowly emerging before the pandemic. Then management had to become involved in their first true “disaster recovery,” bonded with the governance process, recognized the need for security and resources, and stepped up to the plate. Sure, there were problems, but I am very proud of what I witnessed as the banking industry showed the rest of the world how to recover from a pandemic, and this would not be possible without the cooperation, faith, confidence, and GOVERNANCE of our management TEAMS. Let’s take advantage of this: while management is focused on cybersecurity, let’s address the top seven risks, safely address the virtualization of everything, put MFA everywhere, invest in network access control or conditional access or endpoint security, and switch to a new framework.

In 2020, the Magnificent Seven is a Sentence:
So, to summarize, the top seven trends for 2021, according to Dan:

1) The Disappearance,
2) as well as Pent-up Adoption of New Technologies,
3) causes us to apply MFA to Everything
4) and revisit Endpoint Security,
5) while we try a different perspective . . .
6) (especially while) Management is on Board . . .
7) so we can Manage the Top Seven Risks!


Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
