Seven Trends . . .
that small bank Information Security Officers face in 2021
Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . .
Welcome to the Magnificent Seven, my annual predictive article about the seven trends in technology that will impact the Information Security Officers of small banks (under five billion in assets). My intent: help you organize your thoughts for the upcoming year.
So, what issues do we think Information Security Officers will tackle in 2021?
M-7 Trend #7: A perennial trend: Address the Top Seven Risks . . . an annual list we make that we call R7 . . . the top seven risks that typical community-based banks face. And, by the way, one easy way to start addressing them is to present our R7 list to your board of directors.
M-7 Trend #6: A newer trend:
WAIT WAIT WAIT WAIT WAIT!!
Hold on a second.
Normally we present our top seven trends in reverse order, in the spirit of a typical “David Letterman List,” where we save the best for last. But we feel the number one trend this year is so wide-reaching that it impacts the other six trends, including responding to risk, as illustrated with trend seven above. So . . . no David Letterman Style list this time. Instead, let’s just jump to the number one trend of 2021.
And no, the number one trend is not the pandemic, though it was started and accelerated during the recovery. Instead, the number one trend is what I’m calling The Disappearance. The Disappearance is simply a reverse way of saying, “the virtualization of everything.”
Everything is disappearing. Servers . . . disappeared. Phone systems. Gone. Conferences and workshops – virtual. Cameras . . . replaced by the webcams in our endpoints. I mean, when is the last time you saw your auditor in person? Your examiner?
Even our meetings are disappearing.
This started a decade ago, when our servers continued their increase in numbers, but not in physical rack-space, as virtualization became the norm. What started as virtual machines is now virtual meetings, virtual training, virtual phone systems, and even virtual security systems. Taking this further: cloud computing is now in the late majority phase of adoption, and we’re even putting our networks in the cloud with Azure, AWS, etc.
The second trend is actually a superset of the first: the pent-up adoption of new technologies. The momentum of new technology adoption that we spoke of at the end of 2019 is still there. The pandemic exacerbated this trend, and we believe 2021 will see the adoption of many new technologies including the virtualization of everything. As the “late majority” of many technologies was supposed to start a year ago, we see small banks planning everything from finally pulling the trigger on new mobile banking products to identity access management to expanding and upgrading their security capabilities. Meanwhile, the paradigm shift created by the pandemic . . . with implications ranging from the final mobilization of endpoints to working from home . . . The Disappearance . . . is causing us to adopt new controls ranging from Network Access Control or Conditional Access on our perimeters to endpoint security on our laptops. Meanwhile, new technologies leveraging big data, machine learning, neural networks and even the seeds of artificial intelligence tactics are still in the mix. And with an eye on the risk of this, many of us are planning to adopt new technologies as we “finish the recovery.” This leads to the third and fourth trends: MFA Everything, and Endpoint Security. And these two self-explanatory trends will help us when we embark on the fifth trend.
All this adoption of new technologies right during The Disappearance is requiring us to “try a different perspective” on technology risk management. While we were already growing concerned that the FFIEC’s Cybersecurity Assessment Tool was five years old last July, management is growing increasingly apt to “micro-manage” response to the ransomware threat, out of legitimate concern. We worry that the FFIEC is too slow to update its guidance, while we see other organizations maintaining well-refreshed bodies of knowledge. Thus, when we saw the Conference of State Bank Supervisors release the Ransomware Self-Assessment Tool, we started suggesting that even non-state bank ISOs consider answering the 16 questions in an exercise with their management teams. But beyond that, we are starting to see banks look at adopting the NIST Cybersecurity Standard, the CIS Top 20 Controls, or even the Cybersecurity Profile published by the ABA-endorsed Cyber Risk Institute. Each of these frameworks is updated far more regularly than the FFIEC guidance. The CIS Top 20 has been updated at least seven times since 2014, if I counted right.
All three of these frameworks lead a community-based bank, by the way, to adopt MFA on Everything and Endpoint Security as basic controls. Beware, and maybe by way of disclosure: each of these frameworks will also lead you to rely more heavily on the production of a good SIEM. While this is self-serving, we maintain that the need to try a different perspective can be exuded by the sixth trend.
The sixth trend gives us pause. While 2020 has been a difficult year for most of us, it still proves the adage that every cloud has a silver lining. But the sixth trend, that Management is On Board, was slowly emerging before the pandemic. Then management had to become involved in their first true “disaster recovery,” bonded with the governance process, recognized the need for security and resources, and stepped up to the plate. Sure, there were problems, but I am very proud of what I witnessed as the banking industry showed the rest of the world how to recover from a pandemic, and this would not be possible without the cooperation, faith, confidence, and GOVERNANCE of our management TEAMS. Let’s take advantage of this: while management is focused on cybersecurity, let’s address the top seven risks, safely address the virtualization of everything, put MFA everywhere, invest in network access control or conditional access or endpoint security, and switch to a new framework.
In 2020, the Magnificent Seven is a Sentence:
So, to summarize, the top seven trends for 2021, according to Dan:
1) The Disappearance,
2) as well as Pent-up Adoption of New Technologies,
3) causes us to apply MFA to Everything
4) and revisit Endpoint Security,
5) while we try a different perspective . . .
6) (especially while) Management is on Board . . .
7) so we can Manage the Top Seven Risks!
Original article by Dan Hadaway CRISC CISA CISM. Founder and Managing Partner, infotex
Dan’s New Leaf is a fun blog to inspire thought in the area of IT Governance.