“Take the CISO job,” they said. “It’ll be great,” they said.
The role of the Chief Information Security Officer has always been a dynamic one. From securing endpoints and networks to plugging gaps in an ever-increasing stack of porous technologies, the CISO has never gone hungry from an empty plate of work.
Want to learn ransomware basics and earn a CPE credit? Try our free course.
Make no mistake: the challenges brought on by the rapid, fundamental organizational changes in 2020 have been extraordinarily tough for the CISO. So, to help you hit the ground running in the coming year, Varonis is sharing this list of five line items that we think need to be in every CISO’s budget for 2021 and beyond. So, sharpen your pencil but keep it in your pocket. You might need it in one of these dark alleys in the year ahead.
Does this sound familiar? Your CMO spends big money every year doing great marketing telling the world how great your company is, and their efforts are reflecting positively in growth. Your CRO leads revenues upward, you’re hitting operational milestones, and key customer wins are publicized and picked up by the media. Perhaps some industry analysts have even recently announced that they have initiated coverage on your company. This virtuous cycle is shortening your sales funnel, and everyone feels great about the growth prospects for 2021. Great, right?
Well, the bad news is that customers and peers are not the only ones who have noticed your success. You have made ransomware gangs very happy, too. Now that they know you’re making a killing and see your share price rising, they put your company in their crosshairs. And thanks to your success, now they even have the names of analysts who would be making contact with your C-suite to do research for their coverage. With just one email and a link, they can spearfish your CFO, drop malware into his PC, and take your whole company offline until you share in some of your well-publicized, hard-earned cash (or Bitcoin in this case).
Q3 2020 ransomware growth by variant (Image & Data)
Ransomware is the biggest threat to any sizeable organization in 2021. Attacks are on the rise, and these cyber syndicates have shown no remorse in who they’ll target with a crypto campaign. Every CISO needs a line item for ransomware in their budget, but, before you go setting aside some cryptocurrency for ransom payments to criminals, there’s something else you should know.
Payments of any ransom to criminals might fall afoul of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). The United States Treasury’s Office of Foreign Asset Control (OFAC) issued an advisory in October 2020 that informed business leaders that any payment made by organizations – or their proxies – to sanctioned nations or state-sponsored actors could be in violation of US law, and those payors could be civilly liable for engaging with designated foreign entities.
You should also be aware that cybersecurity insurance companies are not necessarily excluded from the federal statute in the case of ransom payments to sanctioned entities. The United States government’s posture is to dishearten – not embolden – cybercriminals in targeting attacks against U.S.-based companies. Therefore, cybersecurity insurance is not a viable strategy in defense against ransomware.
U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes… OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
-U.S. Department of the Treasury, Office of Foreign Access Control, October 2020
We’ve all heard the horror stories (and perhaps you’ve survived a few yourself) of systems shutting down and readme.txt files left on otherwise-vacant computer desktops. That’s no way to live and it doesn’t have to happen to you.
With the average cost of an unpaid ransomware attack topping $700,000 last year, it is a simple fact of doing business in today’s environment: you need a ransomware detection budget to fortify your organization from the inevitable targeting that happens to every successful company. Be proud of your success, but secure it, too.
Security & Compliance Automation
It’s time to start talking about data security and compliance as one and the same because data will go wherever you let it, and that’s a risk whether you’re tasked with its safekeeping for your organization, for your customers, or for both. Keeping an eye – or at least a good set of rules – on every piece of data in your organization has never been harder or more important.
Varonis recently released the 2021 Financial Data Risk Report which showed that, on average, new hires at financial institutions have unrestricted access to 11 million files on their first day of work. Now, imagine this is your company. You have 11 million sensitive files with access spread out across a whole new set of endpoints and user agents as your workforce has shifted to remote work, making every connection a potential attack vector. Not only do you have to clean up millions of file permissions, but you also have to protect those files from moving into the wrong hands. People simply cannot do this alone, and frankly, they shouldn’t have to. You are going to need some real help with this. You need a security automation budget that makes the impossible a reality, from classifying files to alerting on their movement and restricting access.
In cost savings with automated remediation over 3 years
|In time savings per folder searched||
In annual cost avoidance from limiting attack surface
Forrester, Total Economic Impact of the Varonis Data Security Platform, March, 2020
On the compliance front, you survived Sarbanes-Oxley (SOX) and the General Data Privacy Regulation (GDPR) rollouts, and then just as you were done dusting yourselves off, the California Consumer Privacy Act (CCPA) came along and sucked away the last vestiges of energy from your team.
Forgive us for asking so soon, but what’s your plan for the California Privacy Rights Act (CPRA)? This legislation passed in the 2020 general election and will take effect at the beginning of 2023, but it will apply retroactively to data collected at the beginning of 2022.
The new law includes a new class of data called “Sensitive Personal Information” that goes well-beyond the definitions in the to-be-deprecated CCPA, and includes data as specific and granular as geolocation and even biometric information. Do you have a plan for identifying and governing data like this according to the new criteria?
“The number of security regulations, usually in the form of geography- or industry-specific compliance mandates for protecting personally identifiable information (PII), is still increasing.”
-Planning Guide for Security and Risk Management, Gartner, October 2020
There is also speculation that one of the 30-plus bills sitting in congress could finally break out in 2021 and make it to a vote, the result of which could potentially supersede any previous governance requirements. Breathe deeply. Legislators move slowly, but you’ll need to get moving on this now, too.
It’s hard enough to keep up with the latest data privacy and governance regulations, but as long as these regulations continue at a state instead of continental level, this is a problem that is going to get worse before it gets any better. Your data is sprawling. Your workforce is everywhere. The laws are changing. You need a security and compliance automation budget, because even as hard as your team works, they can’t do it alone.
72% of senior risk managers believe automation will help them meet emerging worldwide compliance standards.
Insider Threat Detection
Politics and global health are two hot-button topics in the virtual hallways of every organization right now. The stresses of the past year have put unusual, and more importantly – unseen – burdens on employees and insiders at all levels on the org chart. Whether these stresses are endemic to your insiders and their families or are being applied either deliberately or inadvertently by external forces, people are generally stressed out lately.
Best Practices: Mitigating Insider Threats, Forrester, 2019
Recent research from Forrester supports this stress reading, noting that insider threats resulting from abuse and malicious intent, as opposed to inadvertent misuse or accident, are on the rise. In fact, they found that over half of the incidents an organization experienced were a result of insiders.
As any CIA operative can tell you, exaggerated stress levels can lead to abnormal behavior and vulnerabilities in people. But, believe it or not, your organization can indeed establish baseline behavioral patterns for users within your technology environments.
When data starts moving or people start behaving in unusual ways, it’s often the first sign of risky insider activity. Is Bob in procurement having a bad day? Well, he might be, but with your insider threat detection budget, you can spin up detection solutions and be the CISO who doesn’t have to speculate.
Remote Data Security
It’s a hard fact of 2020’s accelerated digital transformation: remote work is here to stay. This is a good thing by many management standards as this new reality takes significant cost centers off the balance sheet as CapEx investments, effectively amortizing them as OpEx spending over time. Moreover, the remote work option becomes a strategic advantage in opening up your organization to the best talent from anywhere in the world. This is a great thing, right?
Well, the truth is, there is a lot to love about remote work – except for the mountain of risk it adds to the organization. Home WiFi networks connected to refrigerators and robot vacuums? Kids using mom’s work computer “just for a minute” while they wait impatiently to be served their third home-cooked meal of the day? What could possibly go wrong?
The global trend in Remote Desktop Protocol port openings during March 2020, indicating a pandemic-related rise in technical support and attack surface for a newly-remote workforce. (Image & Data)
Every new connection to a corporate network is a potential attack vector. Your perimeter might be locked down, but what about inside? You need a budget for remote data security to lock down your most critical assets. That’s not to say you should forget about having a big dog at the perimeter, but throw a dog a ribeye and watch what happens.
Cloud migration is another buzzword you’re probably ready to saw in half, but there’s a nuance to it that often goes unappreciated. As the phrase suggests, cloud migration is really a journey and not a destination. No matter how much you love snacking on little pink hearts with little love notes printed on them, you aren’t going to start this trip in January and be home and done by your favorite holiday in the middle of February. No, you need a plan, a budget, and a realistic schedule to get it all done.
Tech jobs are nearly 2x higher than the national average. Cloud migration is expensive if you rely on people to do repetitive tasks.
Cyberstates, CompTIA, 2020
The good news is you might already be further down this path than you had thought. If you’re using Microsoft Teams or Microsoft 365, some of your data is already on the cloud and your migration has already begun. The bad news is that it’s likely that at least some of your sensitive data is floating around the Microsoft cloud with open permissions on a sharing link accessible to anyone on the internet. You need a cloud migration budget for tools that fix data-handling errors, that make your journey to the cloud as swift and safe as possible, and that don’t add work when you finally get there.
Partner with Varonis
We wouldn’t just give you the hot topics for 2021, pat you on the back, and tell you “good luck, it’s rough out there.” Varonis partners with you to do a lot of the heavy lifting described above so you can focus on motivating your team and keeping the emperor robed. Our data security platform is made up of products that see, sort, and secure your data across a growing range of technology environments.
Automated Data Security
Secure your organization from internal and external threats with automated data security from Varonis. Leverage the powerful combination of Artificial Intelligence and a dedicated support team to optimize your implementation and automation. Get a 360-degree, bidirectional view of every user in your environments and of your entire data estate. View and remediate permissions at scale, and audit and report on users, files, directories, security groups, and more.
Automated Compliance & Governance
Comply with current regulations and meet future requirements with automated compliance and governance from Varonis. Automatically discover and classify sensitive data based on hundreds of built-in definitions and identification models. Automatically move, archive, quarantine, or delete data based on built-in or custom policies. Process data subject access requests in minutes and automate entitlement reviews with AI-powered recommendations to maintain a least-privilege model at scale.
Automated Threat Detection & Response
Shut down threats directly and decisively with automated threat detection and response from Varonis. Generate high-fidelity alerts about suspicious activity within and around your data environments. Clarify intelligence from the perimeter and automate threat response by shutting down machines, revoking access, and much more.
Varonis offers a no-cost risk assessment tailored specifically for your organization’s needs. In under two hours, you’ll see more about your data, and know more about your vulnerabilities than ever before. After 30 days, you will have a comprehensive game plan for how to start optimizing and automating your security for 2021 and beyond. Book your free risk assessment today and be the CISO who’s prepared for whatever 2021 may bring.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.