
The Magnificent Seven 2021

By Dan Hadaway | Monday, December 21, 2020 - Leave a Comment

Seven Trends . . . that small bank Information Security Officers face in 2021

Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .


Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of small banks (under five billion dollars in assets). My intent: to help you organize your thoughts for the upcoming year.

So, what issues do we think Information Security Officers will tackle in 2021?

M-7 Trend #7:  A perennial trend:  Address the Top Seven Risks . . . an annual list we make that we call R7 . . . the top seven risks that the typical community-based bank faces.  And, by the way, one easy way to start addressing them is to present our R7 list to your board of directors.

M-7 Trend #6:  A newer trend:

WAIT WAIT WAIT WAIT WAIT!!

Hold on a second.

Normally we present our top seven trends in reverse order, in the spirit of a typical “David Letterman List,” where we save the best for last. But this year we feel the number one trend has such a wide-reaching impact that it shapes the other six, including responding to risk, as illustrated with trend seven above. So . . . no David Letterman Style list this time. Instead, let’s just jump to the number one trend of 2021.

And no, the number one trend is not the pandemic, though the pandemic and the recovery from it have accelerated the trend. Instead, the number one trend is what I’m calling The Disappearance. The Disappearance is simply a reverse way of saying “the virtualization of everything.”

Everything is disappearing. Servers . . . disappeared. Phone systems. Gone. Conferences and workshops – virtual. Cameras . . . replaced by the webcams in our endpoints. I mean, when is the last time you saw your auditor in person?  Your examiner?

Even our meetings are disappearing.

This started a decade ago, when our servers kept increasing in number but not in physical rack space, as virtualization became the norm. What started as virtual machines is now virtual meetings, virtual training, virtual phone systems, and even virtual security systems. Taking this further: cloud computing is now in the late majority phase of adoption, and we’re even putting our networks in the cloud with Azure, AWS, etc.

The second trend is actually a superset of the first: the pent-up adoption of new technologies. The momentum of new technology adoption that we spoke of at the end of 2019 is still there. The pandemic accelerated it, and we believe 2021 will see the adoption of many new technologies, including the virtualization of everything. Since the “late majority” of many technologies was supposed to start a year ago, we see small banks planning everything from finally pulling the trigger on new mobile banking products to identity and access management to expanding and upgrading their security capabilities.

Meanwhile, the paradigm shift created by the pandemic . . . with implications ranging from the final mobilization of endpoints to working from home . . . The Disappearance . . . is causing us to adopt new controls, ranging from Network Access Control or Conditional Access on our perimeters to endpoint security on our laptops. New technologies leveraging big data, machine learning, neural networks and even the seeds of artificial intelligence are still in the mix. And with an eye on the risk of all this, many of us are planning to adopt new technologies as we “finish the recovery.” This leads to the third and fourth trends: MFA Everything, and Endpoint Security. These two self-explanatory trends will help us when we embark on the fifth trend.

All this adoption of new technologies right during The Disappearance is requiring us to “try a different perspective” on technology risk management. We were already growing concerned that the FFIEC’s Cybersecurity Assessment Tool turned five years old last July, and management, out of legitimate concern, is growing increasingly apt to “micro-manage” the response to the ransomware threat. We worry that the FFIEC is too slow to update its guidance, while we see other organizations maintaining well-refreshed bodies of knowledge. Thus, when we saw the Conference of State Bank Supervisors release the Ransomware Self-Assessment Tool, we started suggesting that even ISOs of banks that are not state-chartered consider answering its 16 questions in an exercise with their management teams. Beyond that, we are starting to see banks look at adopting the NIST Cybersecurity Framework, the CIS Top 20 Controls, or even the Cybersecurity Profile published by the Cyber Risk Institute and endorsed by the ABA. Each of these frameworks is updated far more regularly than the FFIEC guidance. The CIS Top 20 has been updated at least seven times since 2014, if I counted right.

All three of these frameworks lead a community-based bank, by the way, to adopt MFA on Everything and Endpoint Security as basic controls. Beware (and, by way of disclosure, infotex is a managed security service provider): each of these frameworks will also lead you to rely more heavily on the output of a good SIEM. Self-serving as that may sound, we maintain that the need to try a different perspective is reinforced by the sixth trend.
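One practical check behind “MFA on Everything” and the SIEM reliance mentioned above, added here as an example (it is not code from infotex or from the original post): a Conditional Access policy that requires MFA still leaves a gap if legacy authentication protocols (IMAP, POP, SMTP, ActiveSync) are allowed, because those protocols cannot complete a second factor. The script below reads sign-in records as JSON lines and reports successful sign-ins that completed with a single factor, separating legacy-protocol bypasses from plain policy gaps. The field names are assumptions modeled loosely on Azure AD sign-in log exports, the legacy client list is assumed, and the sample records are constructed; adapt both to your SIEM’s schema.

```python
"""Audit sign-in records for gaps in an "MFA Everything" posture.

Constructed example, not infotex's code. Field names (userPrincipalName,
clientAppUsed, authenticationRequirement, status.errorCode, ipAddress) are
assumptions modeled loosely on Azure AD sign-in log exports.
"""
import json
from collections import Counter

# Client types that use legacy (basic) authentication. These protocols cannot
# prompt for a second factor, so a successful single-factor sign-in here is a
# hole in "MFA everywhere" no matter what the Conditional Access policy says.
# Assumed list, modeled on the clientAppUsed values Azure AD reports.
LEGACY_CLIENTS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Other clients",
}

# Constructed sample records (JSON lines), not real log data.
SAMPLE_LOG = """\
{"userPrincipalName":"teller1@bank.example","clientAppUsed":"Browser","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.10"}
{"userPrincipalName":"teller1@bank.example","clientAppUsed":"IMAP4","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"198.51.100.7"}
{"userPrincipalName":"cfo@bank.example","clientAppUsed":"Browser","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.10"}
{"userPrincipalName":"svc-backup@bank.example","clientAppUsed":"Other clients","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126},"ipAddress":"198.51.100.9"}
{"userPrincipalName":"auditor@bank.example","clientAppUsed":"Mobile Apps and Desktop clients","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0},"ipAddress":"203.0.113.44"}
"""


def parse_signins(text):
    """Parse JSON lines, skipping blank or malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def find_mfa_gaps(records):
    """Return successful sign-ins that completed without a second factor.

    Each finding carries a reason so the SIEM rule (or the ISO reading the
    report) can tell a legacy-protocol bypass from a policy exclusion; the
    two need different fixes (block legacy auth vs. tighten the policy).
    """
    gaps = []
    for r in records:
        if r.get("status", {}).get("errorCode", -1) != 0:
            continue  # failed sign-ins belong to a different rule (brute force, spray)
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            continue
        client = r.get("clientAppUsed", "")
        reason = "legacy-auth bypass" if client in LEGACY_CLIENTS else "policy exclusion or gap"
        gaps.append({
            "user": r.get("userPrincipalName"),
            "client": client,
            "ip": r.get("ipAddress"),
            "reason": reason,
        })
    return gaps


def summarize(gaps):
    """Count findings per reason, which is the number a board slide wants."""
    return dict(Counter(g["reason"] for g in gaps))


if __name__ == "__main__":
    findings = find_mfa_gaps(parse_signins(SAMPLE_LOG))
    for f in findings:
        print(f"{f['reason']:<26} {f['user']:<26} {f['client']:<18} {f['ip']}")
    print(summarize(findings))
```

On the constructed sample, the teller’s IMAP sign-in is flagged as a legacy-auth bypass and the CFO’s browser sign-in as a policy gap; the failed service-account attempt and the two MFA sign-ins are left alone. Run the same logic on a day’s export from your identity provider and the two counts tell you whether the fix is blocking legacy authentication or closing a Conditional Access exclusion.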

The sixth trend gives us pause. While 2020 has been a difficult year for most of us, it still proves the adage that every cloud has a silver lining. The sixth trend, that Management is On Board, was slowly emerging before the pandemic. Then management had to become involved in their first true “disaster recovery,” bonded with the governance process, recognized the need for security and resources, and stepped up to the plate. Sure, there were problems, but I am very proud of what I witnessed as the banking industry showed the rest of the world how to recover from a pandemic, and this would not have been possible without the cooperation, faith, confidence, and GOVERNANCE of our management TEAMS. Let’s take advantage of this: while management is focused on cybersecurity, let’s address the top seven risks, safely address the virtualization of everything, put MFA everywhere, invest in network access control or conditional access or endpoint security, and switch to a new framework.

This year, the Magnificent Seven is a Sentence:
So, to summarize, the top seven trends for 2021, according to Dan:

1) The Disappearance,
2) as well as Pent-up Adoption of New Technologies,
3) causes us to apply MFA to Everything
4) and revisit Endpoint Security,
5) while we try a different perspective . . .
6) (especially while) Management is on Board . . .
7) so we can Manage the Top Seven Risks!


Original article by Dan Hadaway, CRISC, CISA, CISM, Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

 

