3 security trends from the CSOs of Box and Okta to kick off 2021
In 2020 we watched the world change as we knew it, and with it came a new slate of challenges for CSOs, CISOs, and their teams. Removing the comfort zones of offices and secured operating centers also removed the systematic security controls that came with them, and the inadequacy of security control in this new model amplified risks across the board. Decades of guided and prioritized investment in centralized controls now demanded a new, federated model of secured operations.
It also came to light that organizations needed to accelerate their decisions when executing a secure digital transformation, so as not to face an existential crisis in supporting their customers. This meant corralling content sprawl, consolidating content with frictionless controls, and building use cases that put that content to work for their customers.
As we begin a new year, with the hopes of a vaccine on the horizon and continued resilience in the security space, it’s important that we keep charging forward and making impactful decisions. I consulted with my fellow security practitioner, Chris Niggel, Okta’s Americas CSO, to discuss trends we’re keeping an eye on, as we begin our journey into 2021.
Simplified tools will ingrain security in every role
Last year, the pandemic led to the world's largest work-from-home experiment. For some organizations, this was hardly a tectonic shift in the way they operated, more akin to a blip on their radar. For many others, however, it created a huge lift and shifted how they supported their workforce, customers, and partners.
“There is no denying that COVID supercharged digital transformation and for many businesses, this manifested as the ‘future of work’ conversation with the transition to remote work,” said Niggel. “This shift moved people and devices outside the confines of a traditional perimeter, offering more flexibility to workforces, but also changing the security requirements from a centralized network approach to one that relies on protecting identity and data.”
Niggel also shared that in this new environment, protecting employees means creating seamless access to the tools they need to do their jobs via secure, accessible, user-friendly, and scalable platforms. When asked how he would build on an existing tech stack this year, Niggel responded: “the question is less of how we can build on our security stack and more of how can we modify the way we approach security to make the best user experience the one that is also most secure.”
At the end of the day, a company is only as secure as its least secure employee. By building and investing this year in products that make every employee feel responsible for protecting the organization, security will become woven into every job and will no longer rely on a single individual or team.
Automation will be your new best friend
With financial constraints on many C-suite leaders, practitioners were asked in 2020 to do more with less. This has almost always been implicit in the CSO/CISO role, one more check box alongside the burden the role carries for any organization. In comes automation, with its incentive to drive efficiency and its promise to deliver results. Automation is often seen as detrimental to talent and as a replacement strategy. In reality, if leveraged as a multiplier for existing talent, automation can provide frameworks that combat the volume and velocity of attacks abusing services, accounts, content, and so on, and execute predefined responses to keep up with the ever-changing threat landscape.
“Automation is key to successfully scaling any enterprise today to meet the demands of doing modern business and we expect to see more of it in the next year,” shared Niggel. “Engineering and security teams are expected to work together to deliver code with stronger security built in from the start and they’ll need the right tools and automation to make this happen.”
Niggel also shared that from a threat perspective, with more automation in evaluation and testing, security workforces can focus on responding to threats instead of focusing on finding them. This is hugely important as even bad actors are automating and industrializing attacks today. “The other piece of this is behind the automation curtain: data. Continually driving data will be fundamental in advancing automation. The good news is the flexibility we’ve gained through remote work and new collaboration tools has equaled more information and data sources for security teams to use to keep their organizations secure. This data can go a long way in shaping automation in the security space and beyond.”
As we look to leverage automation solutions using ML/AI next year, data trustworthiness and data safety are paramount to arriving at accurate, actionable insight. Disinformation management isn’t a problem unique to social media and collaboration services. For reliable decisions, it is imperative that data custodians and data controllers exhibit capabilities for trusted data classification, attribution, threat detection, and moderation. This includes teaching our ‘intellibots’ to identify standard deviations in the data they are given, so as to avoid results that are themselves off by multiple standard deviations.
Hackers are smart, so we must be smarter
As we know, the remote work environment left many organizations with holes in their security protection. While in-office cybersecurity protocols have begun to feel like a distant memory, many remote employees are still dealing with company vulnerabilities even as we enter a new year. To cap it all off, breaches and hacks are expensive. With thousands of employees working from home, millions of dollars are on the line as company data is exposed to a new range of phishing attacks.
Niggel shared a few tips to help stay safe from bad actors. “Phishing and identity attacks are growing in sophistication and becoming more and more commonplace. The best way to protect yourself is to double down on the security tools you already have: use long passphrases that are unique to each application you use, and store those in a password vault. Turn on Multi-Factor Authentication where possible, and use push-based verification like Okta Verify, a hardware token such as a YubiKey, or the fingerprint reader on your device. If you receive an email or phone call asking for money or information that you are not expecting, call the person back using a number you know is good. Those steps alone will thwart most phishing attempts.”
From an industry standpoint, Niggel explained that we know the traditional decentralized identity model has created this problem. This is why we're seeing a shift to passwordless experiences with solutions like Okta FastPass, which provides passwordless login via biometric factors from any device or location to any Okta-managed app. This increases security but, more importantly, increases productivity and streamlines the end-user experience.
One Last Reflection
The year 2020 started off feverishly like any other year, except for its repeating alternate digits. The last year of repeating alternate digits, 1919, was marked by the end of World War I and the carnage of the influenza pandemic that took more than 50 million lives. The year 2020, however, was seen as a year of foresight; after all, 20/20 vision is nearly perfect. As we enter a new year, it’s important to take time to learn from last year’s lessons while looking towards the future. To my fellow practitioners who have wittingly or unwittingly been partners in this journey, let's continue to charge forward and make a difference in any way we can.