The past two years have marked a host of changes for cybersecurity professionals, as the pandemic, the ransomware tsunami, and increasing political and regulatory scrutiny have all created mounting expectations as their role becomes part and parcel with the lifeblood of organizations.
In a session at next week's SecTor 2022 conference taking place in Toronto, Tony Anscombe, chief security evangelist at ESET, will address this recent period of upheaval and role evolution, and what cyberteams can expect going forward. The bottom line? They should be prepared for pressure, pressure, and more pressure.
2020–2022: Cybersecurity Grows in Stature, Pressure Mounts
During his panel on Oct. 5, entitled "Two Years of Accelerated Cybersecurity and the Demands Being Placed on Cyber Defenders," Anscombe will discuss how the importance of implementing a good cybersecurity team and platforms really became a conversation when the COVID-19 pandemic lockdowns sent everyone home — and more importantly, how it marked the beginning of a two-year evolution of cyber-defense having a central role in business discussions.
"The use of cloud technologies and remote desktop protocol (RDP) were hallmarks of 2020 being the year of digital transformation," he tells Dark Reading. "But it was also a year of cybersecurity transformation, because those teams began the move from a back-office role to the front office; they became the business enabler as opposed to the business obstacle. Companies were saying, 'OK, everybody's gone home — how do we keep going?' And realistically it was the security team that was the enabler for remote working, online ordering for the sandwich shops, taking remote payments, and other basic needs."
Thus, 2020 saw cybersecurity teams became far more visible in the daily life of businesses; but that was just the beginning of an ongoing elevation in stature, Anscombe explains — because then, ransomware attacks began accelerating, and ransom amounts started growing.
He explains that this period represents a tipping point for when it became commonplace for ransomware-as-a-service (RaaS) gangs to go after millions of dollars in a single hit, such as $4.4 million for Colonial Pipeline; $40 million for CNA Financial; and $70 million for Kaseya, to name just a few. Thus, ransomware became an important existential crisis for companies, and ransomware gangs became a near-ubiquitous threat.
"We saw an entire evolution of monetization in that particular year, which lured cybercriminals in and made it a business imperative to deal with, and then it became a frontline political issue after the attack on Colonial Pipeline," Anscombe says. "So you saw government stepping up and saying, 'Hey, we need to do something about cybercrime, we have voters lining up outside gas stations.'"
This year, the political aspects of cybercrime have only been exacerbated, he says, thanks to the conflict in Ukraine: "You see all the agencies around the world saying we need to protect critical infrastructure from nation-state attacks etc., so that's upping of the game again."
Defense is meanwhile easier said than done, as ransomware actors continue to grow in sophistication.
"At the moment, I think as a cybersecurity defender ... you've got these ransomware attacks that were once attachments of emails that are now advanced persistent threat (APT)-style attacks exploiting long-term vulnerabilities in systems, putting their markers in networks and coming back to them later on," Anscombe says.
Regulation & Reporting Requirements Up the Ante
Where cyberteams sit within the hierarchy of businesses has also been affected by additional regulation and cyber-incident reporting requirements, which creates the need for a cross-discipline discussion of risk with legal and compliance departments, Anscombe also notes. This creates enormous pressure on cyberteams thanks to fact that the sheer number of requirements is growing, creating thorny complexities.
"Imagine you're a public company, and you're in insurance or the finance industry, and you do business internationally, you've got to comply with privacy requirements for the California Consumer Privacy Act and GDPR, you've got to meet the FDIC's cyber-incident reporting requirements," he explains. "The SEC has proposed others. And if you're a water utility company, you might have to comply with the critical infrastructure reporting. This is becoming very bureaucratic, and it needs to be harmonized in some way."
He adds, "Most importantly, the role of the cyber-defender is about to change significantly again, because you're probably going to have to have a paralegal sitting at the end of the desk during incident response. And, one of the big, big challenges for a lot of businesses will be adhering to their cyber-risk insurance policy, which affects the finance department. It's kind of the backstop, you're going to have to fall back on these policies. And the policies are becoming more stringent."
Meanwhile, all of these increased and new pressures that security teams are feeling are exacerbating some of the existing challenges, such as the workforce-gap issue — which Anscombe believes will create even more change for cyber-defense teams.
"I think all of this change just puts more burden on the cybersecurity resourcing issue, and become even more challenging for companies that to find the right level of people," Anscombe says. "Does that mean companies then go to managed service providers (MSPs)? Does it mean they start dragging in more resource from partners? Does it mean more of it becomes outsourced? I think that's a maybe the thing to watch for the 2023 segment of cyber."