10 Information Security Reflections From 2021
2022 is here and we are excited to hit the new year with new goals and aspirations. To help guide where we want to go, it’s good to reflect on the where we have been. We are a summary of our experiences, and our past will influence the future. This article is a summary of our experience in 2021 with clients of all sizes in the effort to help us reflect and improve upon that in the coming year.
1. SSO is more commonplace
Before Single Sign On (SSO) was reserved for larger companies and organizations with 1000 employees and up, but we’re seeing more and more smaller organizations as small as 100 person shops adopting SSO. With the ubiquity of SaaS apps, it makes sense to to have SSO in place. The biggest blocker though is the SSO Tax SaaS apps have for SSO capabilities.
2. IT As A Service is growing rapidly
It’s (no pun intended! 😂) a relief when we walk into an organization that already has an IT service organization already in place. It makes our job easier and helps us get things done, especially when they include MDM and Endpoint Protection as part of their offering.
What’s interesting is the proliferation of IT-AAS service offerings. Every single one of our clients has a different solution in place, so it’s interesting to see the diversity.
3. Most underestimate the work required for SOC2 / ISO Compliance
Whether you take the DIY approach of solving SOC2 yourself or bring a third party firm to help you understand what needs to be done, the work still needs to be done!
There are a lot of steps towards achieving compliance, and it’s not simply a set it and forget it kind of thing. It’s a continual process that will need investment to start and maintain.
Also, compliance does not equal security. It’s a good step though.
4. Security is still overlooked in budgets (Big or Small)
This one was really interesting. Budget is an interesting word in the startup world, and tends to not exist until a finance person or COO starts looking under the covers. However, for the organizations that do or aspire to have budgets, security budgets are sometimes overlooked until the last second.
Other times, as is startup life, revenue doesn’t meet expectations and changes/cuts have to be made.
We’re seeing security budgets be a challenge with both Series A organizations all the way through Series F.
A couple ways to prevent this:
Ensure a good line of communication with the CEO or CFO
Know the company's fiscal year and bring up budget 3 months prior to year end on a monthly basis
5. Progress is being made, slowly but surely
Unfortunately to the dismay of many, security is not an on/off switch or something that can be purchased and deployed overnight. It’s a process. We try to coach clients about this, especially in the pre-sales process.
That being said, our clients have been enthusiastic adopters of security initiatives and recommendations. This goes along our assumption that most companies want to do the right thing, they just want to know the how.
6. There are a lot of new players in the security space
Fractional CISO’s, vCISO’s, CISO’s As A Service… Oh My!
Holy vCISO batman! Curious if it’s my Selective Attention Bias or not, but there has been a proliferation of vCISO services out there. This is a good thing! We want security to be accessible to more and more organizations, that’s the mission of Cloud Security Labs for example.
What is interesting though is the variety out there towards what exactly a vCISO is. You have the whole gamut from security engineers to retired CISO’s and everything in between.
SaaS Security Apps
With the proliferation of SaaS apps…comes SaaS security! It’s a really interesting space, the gatekeepers are the SaaS apps themselves. If there isn’t a functionality to read or export logs, then it will be will be impossible to access that data via API for example.
However, this is good as it puts pressure on the SaaS app companies to bake in more security capabilities and have some sort of accountability.
Managed Detection and Response is the new term for Managed SOC. Some of us have not been fans of managed SOCs and tend to lean towards hiring security analysts internally and growing the team, but they do serve a purpose, especially for smaller organizations.
More and more MDR organizations are coming online and offering their services. Of course there is always going to be a new buzzword around the corner like XDR and ZDR. Ok, I made that last one up! Thanks for reading this far! 😂
7. Supply chain security is a MONTHLY issue
There is no particular order to all to this list, but if there is one urgent or pressing one it would be this one. Every month last year was spent with at least one client dealing with some sort of supply chain issue. The gamut was wide. Everything from a law office losing it’s documents, to 3rd party bugs that exposed tons of sensitive data, to the latest gift, Log4j. Looks like it would be worth a separate post on its own! Leave a comment if you would like to see that.
One additional item to consider regarding the topic, is Business Continuity and whether you have a critical supplier that could severely impact your operations. For example, a recent hack of a supplier left NJ State with the inability to print checks! So many startups are reliant on 3rd party providers, it’s imperative we have a contingency plan should a catastrophe affect a supplier.
8. Annual pentesting is being done… for the most part
We’re seeing more and more organizations embracing application pentests. It’s one of the few security initiatives that rarely needs explaining, as many understand the need for it. Although, questions do arise when they see the quote!
A lot of compliance frameworks, as well as 3rd party requirements, ask for annual pentest reports, or attestations, of your web application. It’s also a good practice to as well! (See How To Schedule A Pentest Like A Boss)
Keep in mind, a vulnerability scan is NOT a pentest. There are still those out there that sell a pentest but do a vulnerability scan. You often get what you pay for.
9. Bug Bounty is slow to adopt at EVERY size company
As mentioned in our budget article (below), Bug Bounty programs done correctly are a highly effective way to identity security issues in your applications and environment.
The problem is, they are hard to standup and sometimes maintain, at least on your own. If you’ve never had a pentest for example, you will be in for a lot of pain. If your engineering team is not ready to fix a slew of bugs, then you may want to go with a private program at first for example.
The interesting thing though, it’s a challenge for large and small organizations.
10. There is a huge amount of awareness, but folks still don’t know where to start
For better or for worse, more and more people know how important Information Security / Cybersecurity is now. Cybersecurity is in the news practically on a daily basis.
However, it’s still not clear where companies should start to shore up their information security programs.
Information Security as you can see is a complicated beast. There are a multitude of angles to be addressed and there is no one size fits all. Take steps towards a solution, even if they are baby steps. Let’s use the above reflections to help make 2022 an even better and more resilient year! Happy New Year!
Did this resonate with you? Please share it with your friends or whatever social media platform you use. Thanks!