Investment bankers don’t normally work from home. “Well, they do now,” says Jeffrey Wheatman, VP analyst at Gartner, while presenting a webinar on The Top Security Projects to Focus on for 2021.
Wheatman is talking about his cousin, an investment banker, who had to pivot to a WFH model during the pandemic. “But the company didn’t have any laptops for them, so they raided their research lab and they sent people home with very old computers with old versions of operating systems, missing patches, no endpoint protection,” he says.
This may sound familiar. No one saw the pandemic coming and many organizations — and IT pros — were left scrambling to accelerate planned projects, initiate massive transformations and ensure security throughout.
And while some employees started to cautiously head back to the office this summer, now that COVID-19 cases are on the rise across North America, those employees may have to consider working at the kitchen table a little while longer.
Gartner’s top IT security projects
The top 10 security projects identified by Gartner to focus on for 2021 reflect the incredible amount of change brought on by COVID-19: there are eight new or modified projects and only two repeats from last year.
They’re heavily focused on process and risk management — and often require thinking beyond the technical aspects to consider the broader business and the people who are interacting with these technologies.
For most organizations, it won’t be possible to do all 10 or even more than one of these projects in the coming year. But, “if you only do one of them, enabling and securing remote workforces should be the top of your list,” says Wheaton. He also recommends developing a Zero Trust network access strategy that secures your remote workers while keeping the business up and running.
That means thinking about which data and applications employees need to do their jobs, and if these are located on-prem or in the cloud, he says. Users in different jurisdictions may be subject to different labour and privacy laws — and lockdowns. IT pros also need to think about the massive shift to cloud and how that might affect user support.
Rethinking risk management
Along with the shift to remote work, one of the major issues facing organizations is a need to rethink how they look at risk (such as taking a risk-based approach to vulnerability management and aligning it with the business).
Not all risks are equal so the focus can’t just be on the technical problem; it should also take into account the business problem, says Wheaton.
And only a fraction of vulnerabilities are actively compromised. “So, while you do want to pick a common framework for vulnerability management, you want to focus on things that already had exploits and you want to prioritize based on business impact,” he says.
Cloud security posture management
The pandemic has accelerated the move to cloud; at the same time, the cloud is also maturing. These days more applications are native to the cloud (as opposed to being ported), so organizations should consider engaging in a cloud security posture management (CSPM) project.
The goal is to make sure you have common controls across Infrastructure-as-a-Service and Platform-as-a-Service, as well as supporting automated assessment and remediation.
This is even more important as organizations build heterogeneity into their cloud architecture to avoid over-reliance on a single cloud provider, says Wheaton. For CSPM initiatives to be successful, he says, they can’t just be about technology — they have to incorporate policy, process and culture.
Gartner forecasts that through 2025, 99 per cent of cloud security failures “will be the customer’s fault,” so organizations should also look at simplifying cloud access controls. For example, users should only have access to what they need, and certain systems and data sets should have limited access.
New authentication measures
And speaking of access: We’re all tired of passwords — even more so now that our lives have moved almost entirely online. About 80 per cent of cyber attacks are the result of a compromised password, says Wheaton. So, clearly, getting rid of passwords would benefit both users and organizations.
“This is not an easy project to do, especially if you have a lot of legacy systems, but it is a high-value project,” says Wheaton. Areas to look at include authentication using single-factor tokens, biometrics and analytics for Zero Factor access.
Rounding out Gartner’s top 10 security projects for 2021 are: taking a platform approach to detection and response, domain-based message authentication, reporting and conformance (DMARC), data classification and protection, workforce competencies assessments and automation of security risk assessments.
As organizations rethink risk and businesses adapt to new work models, security will be more important than ever — and IT pros will be more overworked than ever. Prioritization is key, and Gartner’s top 10 can be a helpful start in identifying and prioritizing high-value projects for the uncertain year ahead.