“Take the CISO job,” they said. “It’ll be great,” they said.
The role of the Chief Information Security Officer has always been a dynamic one. From securing endpoints and networks to plugging gaps in an ever-increasing stack of porous technologies, the CISO has never gone hungry from an empty plate of work.
Make no mistake: the challenges brought on by the rapid, fundamental organizational changes in 2020 have been extraordinarily tough for the CISO. To help you hit the ground running in the coming year, Varonis is sharing this list of five line items that we think need to be in every CISO’s budget for 2021 and beyond. Sharpen your pencil, but keep it in your pocket. You might need it in one of these dark alleys in the year ahead.
Does this sound familiar? Your CMO spends big money every year doing great marketing telling the world how great your company is, and their efforts are reflecting positively in growth. Your CRO leads revenues upward, you’re hitting operational milestones, and key customer wins are publicized and picked up by the media. Perhaps some industry analysts have even recently announced that they have initiated coverage on your company. This virtuous cycle is shortening your sales funnel, and everyone feels great about the growth prospects for 2021. Great, right?
Well, the bad news is that customers and peers are not the only ones who have noticed your success. You have made ransomware gangs very happy, too. Now that they know you’re making a killing and see your share price rising, they put your company in their crosshairs. And thanks to your success, they even have the names of the analysts who would be contacting your C-suite to do research for their coverage. With just one email and a link, they can spear-phish your CFO, drop malware onto his PC, and take your whole company offline until you share some of your well-publicized, hard-earned cash (or Bitcoin, in this case).
Ransomware is the biggest threat to any sizeable organization in 2021. Attacks are on the rise, and these cyber syndicates have shown no remorse in who they’ll target with a crypto campaign. Every CISO needs a line item for ransomware in their budget, but, before you go setting aside some cryptocurrency for ransom payments to criminals, there’s something else you should know.
Payment of any ransom to criminals might fall afoul of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). The United States Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory in October 2020 informing business leaders that any payment made by organizations – or their proxies – to sanctioned nations or state-sponsored actors could violate US law, and that those payers could be civilly liable for engaging with designated foreign entities.
You should also be aware that cybersecurity insurance companies are not necessarily exempt from the federal statute when it comes to ransom payments to sanctioned entities. The United States government’s posture is to discourage – not embolden – cybercriminals from targeting U.S.-based companies. Therefore, cybersecurity insurance is not a viable strategy for defending against ransomware.
“U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes… OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”
– U.S. Department of the Treasury, Office of Foreign Assets Control, October 2020
We’ve all heard the horror stories (and perhaps you’ve survived a few yourself) of systems shutting down and readme.txt files left on otherwise-vacant computer desktops. That’s no way to live and it doesn’t have to happen to you.
With the average cost of an unpaid ransomware attack topping $700,000 last year, it is a simple fact of doing business in today’s environment: you need a ransomware detection budget to fortify your organization from the inevitable targeting that happens to every successful company. Be proud of your success, but secure it, too.
Security & Compliance Automation
It’s time to start talking about data security and compliance as one and the same because data will go wherever you let it, and that’s a risk whether you’re tasked with its safekeeping for your organization, for your customers, or for both. Keeping an eye – or at least a good set of rules – on every piece of data in your organization has never been harder or more important.
Varonis recently released the 2021 Financial Data Risk Report, which showed that, on average, new hires at financial institutions have unrestricted access to 11 million files on their first day of work. Now, imagine this is your company. You have 11 million sensitive files, with access spread across a whole new set of endpoints and user agents as your workforce has shifted to remote work, making every connection a potential attack vector. Not only do you have to clean up millions of file permissions, but you also have to keep those files from moving into the wrong hands. People simply cannot do this alone, and frankly, they shouldn’t have to. You are going to need some real help with this. You need a security automation budget that makes the impossible a reality, from classifying files to alerting on their movement and restricting access to them.
Forrester, Total Economic Impact of the Varonis Data Security Platform, March, 2020
On the compliance front, you survived the Sarbanes-Oxley (SOX) and General Data Protection Regulation (GDPR) rollouts, and then, just as you were done dusting yourselves off, the California Consumer Privacy Act (CCPA) came along and sucked away the last vestiges of energy from your team.
Forgive us for asking so soon, but what’s your plan for the California Privacy Rights Act (CPRA)? This legislation passed in the 2020 general election and will take effect at the beginning of 2023, but it will apply retroactively to data collected from the beginning of 2022 onward.
The new law introduces a class of data called “Sensitive Personal Information” that goes well beyond the definitions in the to-be-deprecated CCPA and includes data as specific and granular as geolocation and even biometric information. Do you have a plan for identifying and governing data like this according to the new criteria?
“The number of security regulations, usually in the form of geography- or industry-specific compliance mandates for protecting personally identifiable information (PII), is still increasing.”
– Planning Guide for Security and Risk Management, Gartner, October 2020
There is also speculation that one of the 30-plus bills sitting in Congress could finally break out in 2021 and make it to a vote, the result of which could supersede any previous governance requirements. Breathe deeply. Legislators move slowly, but you’ll need to get moving on this now, too.