Cybersecurity Trends For 2021: Five Predictions For Executives To Watch Out For In The New Year
COUNCIL POST| Membership (fee-based)
Innovation
2020 turned lives upside down and completely transformed the way entire workforces operate. Digital transformation went from an emerging trend to a necessity for survival. Some companies didn’t make it; some industries were brought to their knees, and others thrived. One industry that thrived was cybercrime. As millions were hastily scrambled and deployed to work-from-home environments, organized crime, nation-states and amateur hackers alike exploited the weaknesses.
As we look ahead to 2021, executives can expect some trends to emerge. Here are my top five predictions, coupled with advice for those looking to better prepare their teams.
- The Cloud Giveth; The Cloud Taketh Away
To keep up with this accelerated digital/cloud transformation, software security must move to a risk-based focus (versus a vulnerability-based one.) Automating security as part of the software build-deploy pipeline will become increasingly important. Security and development teams, already overburdened and underresourced, will look to cloud services to help. This means increased demand for API security and a consolidated approach to risk reduction across the teams that build, operate and defend software.
For all the scale and automation the cloud provides, it’s also a field of misconfiguration land mines that’ll continue to lead to massive data breaches and security flaws. The move to the cloud means that teams need to learn new security skills and consider the full deployment infrastructure as part of the development and threat modeling process. When this doesn’t happen, vulnerabilities are introduced. Identity and access management (IAM) and service misconfigurations are most commonly deployed with exploitable security holes.
- The Robots Are Coming
We continue to improve the volume and velocity of service offerings via automation. Malicious actors will enhance the sophistication of attacks using the same. Artificial intelligence (AI) and machine learning (ML) are enablers. 2021 will see the arms race escalate with weaponized ML attacks that go beyond continuous scanning to identify vulnerabilities. Emerging defenses such as continuous automated red-teaming (CART) will grow in popularity as enterprises look to keep up with AI-fueled attackers. AI will also be used to supercharge human attacks. “Deepfakes” and AI-enhanced phishing will fool more people, leading to more severe data breaches, IP theft and malware infections.
On the positive side, DevOps and InfoSec teams will use AI to automatically build secure infrastructure. Think of known good templates customized for specific business applications. Teams will spend less time building secure infrastructures from scratch, starting from a safe place and building up. Of course, all that building must be done securely.
- Software Security (Née Application Security) Gets Renewed Focus
The acceleration of cloud adoption permanently shifted the software security landscape. The very definition of an application has changed. The term application security will become a legacy reference as DevOps and continuous integration/continuous delivery (CI/CD) movements gain traction. Enabled by cloud services, demand for faster delivery velocity can be met, but there’s an impact on software security. DevOps and CI/CD require teams to be nimbler, meaning less time for lengthy security test cycles. Those tests will be replaced (or complemented) by shorter, component-based tests that will be distributed across build, operate and defend teams.
Gone are the days when InfoSec holds all security knowledge and responsibility. Gone also are the days of focusing on secure coding. Software applications aren’t coded anymore. They’re assembled from open-source and third-party libraries, COTS, and glue code.
More than 85% of a modern enterprise application is written by someone outside of the enterprise, and for much of that, there is no access to source code. 2021 will see security responsibilities (and the need for training) distributed across the teams that build (dev), operate (IT) and defend (InfoSec.) It’s something we’ve been talking about for a long time as an industry. It finally arrives in 2021.
- WFH Continues To Expose Weak Spots
The move to remote working happened practically overnight, forcing many security teams to double-down on their efforts to ensure secure infrastructure while also aligning with the new WFH environment. The transition included the oft-rushed adoption of cloud services, opening the door to more attacks, as mentioned above.
Security professionals have known the value of threat modeling for years. In 2021, as software controls more of our world, developers will finally embrace threat modeling. DevOps is about collaboration, so we’ll see security teams break down barriers and imbue security at scale, creating a true DevSecOps environment. This will help companies close weak spots in continued WFH environments.
Rise Of Ransomware
Cybersecurity Ventures predicts there will be a victim of ransomware every 11 seconds by 2021. Ten years ago, I commonly said that we wouldn’t take cybersecurity seriously until someone died because of it. Unfortunately, that cybersafety line has been crossed several times, with the loss of human life as a direct result of ransomware.
Sadly, this trend will continue in 2021. Sophisticated, AI-fueled ransomware attacks will continue to lock servers, destroy data and wreak havoc on critical infrastructure. Security teams need to be uber-diligent and prepare for a ransomware attack. What can you do about it? War-game, threat-model, backup and encrypt.
2020 has certainly been full of challenges, upheavals, reckonings and uncertainty. With this tumultuous year behind us, I look forward to 2021 and the inevitable innovation that will occur in our phenomenally resilient and creative industry.
Forbes Councils Member