Now that the system shock to IT systems and organizations from the pandemic (not to mention the horrible human toll) has started to ease up, we're seeing the emergence of a whole new landscape for cybersecurity. Before last year, most organizations relied mostly on an in-person workforce in company-owned or leased buildings, with remote work reserved for contractors or traveling execs and salespeople.
Then along came a global pandemic that, among other things, made working face-to-face a real danger. Many companies had to switch their entire workforces over to working from home, literally overnight. As terrible as it was, one silver lining of the pandemic is that it may have been the dam-breaking event that makes widespread work-from-home the new standard.
However, the pandemic has also accelerated the disparity between large cybersecurity frameworks like ISO 27001 and the NIST Cybersecurity Framework and the reality of most modern organizations, even ones that haven't gone 100% virtual. This has been happening for years, but as the gaps widen between the security standards we have to follow and the actual security challenges on the ground, the frameworks are going to have to become more agile or risk becoming standards that cost a lot of money to comply with but have little to no effect on actual security.
For example, risk assessments are a big part of these regimens and often serve as the starting point for aligning your organization's security efforts to the risks facing the business. Much of the risk assessment guidance from NIST and ISO focuses on physical threats to locations. For instance, an entire section of NIST — the Physical and Environmental Protection (PE) controls, with 23 items — is dedicated to this area. This made sense when everyone worked in a company office. However, with many companies adopting distributed workforces, localized disasters now have a much smaller potential impact on a company's operations. Larger disasters like pandemics, which were once thought to be remote edge cases that needed minimal remediation and controls, have been shown to be far more impactful and likely than we thought before. New versions of the security frameworks need to recognize this, possibly by having different risk-assessment tools for companies with largely remote workforces.
Alternate processing sites are covered in the security frameworks. But for many cloud-native companies, this simply means another region or zone of a cloud provider, or even an alternate cloud provider. These arrangements are far more flexible, powerful, and cost-effective than true physical hot sites ever were, and they can be set up with a couple of clicks of a mouse. Even companies that still own physical data center infrastructure often use the cloud as their backup. The days of massive, company-owned alternate sites are waning, and security frameworks and regulations should be updated to recognize that.
What Is Important for Modern Security Frameworks?
- Software-as-a-Service (SaaS) Infrastructure
SaaS software and infrastructure may represent 70% to 80% or more of a company's IT these days. Between Microsoft 365, Google Workspace, Salesforce, AWS/Azure, and even software development tools, most of the digital crown jewels of companies today might exist on someone else's infrastructure. Current frameworks either don't even mention SaaS or just lump it in with all third-party access. NIST finally released a Cloud Computing update in 2018 (SP 500-322), but it was already outdated when it came out. Different approaches and controls are required for this type of infrastructure; encryption is often built in, but it may require special backup services or custom settings within the SaaS setup. The built-in security features and tools are often impressive but offer limited customization. Frameworks need to adjust for this and update their guidance for these widely used platforms.
- Better Endpoint Protection
Most frameworks are happy if you have some form of anti-malware loaded on endpoints and do disk-level encryption (not all even require that). But endpoint protection is the endgame and always has been. Most breaches come from mistakes or intentional actions on an endpoint. A good first step is protecting them better with more sophisticated software that isn't signature-based but rather behavior-based. Data loss prevention (DLP) and more extensive ingress/egress filtering and monitoring could also be emphasized more.
- Remote, Wireless Access
Security frameworks need to acknowledge that for many organizations, most endpoints will be remote and/or wireless. Right now, NIST has just one line about remote access (AC-17) and just one about wireless access (AC-18). These areas need to be expanded because in the future, most access will be coming in remotely and over the air rather than being the edge case it was considered before. Even in physical offices, local network access is often wireless to make it more flexible.
Making things worse, most of these large security frameworks take years or even decades to update. The bureaucratic committees, public comment periods, and revisions take lots of time. In the case of laws and regulations, multiple stakeholders can gum up quick changes in public policy. Policies need to become more agile, just like the organizations they are regulating. Until they do, companies will continue to have to jump through unnecessary compliance hoops that don't improve actual security, gaining little real improvement in their security posture from these important and often required security frameworks.