March 29, 2022
EP#82 – Kyle Lai & Caleb Leidy – Ongoing Challenges in CMMC
We’ve had another bumpy year in 2021. So, what’s coming down the pike in 2022? And what impact will the ongoing information security challenges of today have on the world of tomorrow?
In this episode, I answer those questions and more. Plus, I will assume the role of Nostradamus and make 8 information security predictions for 2022.
Narrator (Intro/Outro) (00:06):
You are listening to The Virtual CISO Podcast, a frank discussion, providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there. And welcome to yet another episode of The Virtual CISO Podcast, with you as always your host, John Verry, and with me today my Nostradamus alter ego, attempting to predict 2022, at least from an information security perspective. The genesis of this particular podcast is a conversation that I had recently with one of our cloud service provider clients that is rapidly growing; their senior management team asked me to come in and tell them, hey, what do we think’s coming down the pike in 2022? That way they could plan for it, that way they could budget for it. I did tell them that I wasn’t Nostradamus, but they asked me to play that role anyway. So here’s what we came up with. I don’t think it’s that crazy to play Nostradamus if you base your predictions on where we are today. And I think there are four ongoing and notable challenges that we’ve been dealing with that are going to continue to drive us forward.
John Verry (01:21):
Those four things are, A, the migration of all of our organizations that transition to cloud services. COVID and work from home have certainly exacerbated that. Not only will we continue to consume cloud services, but I think we’re going to more frequently consume what I’m going to call cloud-centric security solutions. We’re going to continue with that migration to things like secure web gateways, CASBs, SASEs and all of the rest of the wonderful acronyms that you’re going to hear. The shortage in information security personnel does not appear to be getting better. It may actually even get worse. Cyber crime is not getting better; in fact, it may even get worse. We’re seeing ransomware is still a problem, which is remarkable to me. And then we’ve also seen something I’m going to call nation-state level attacks, things like SolarWinds, that are increasingly concerning.
John Verry (02:14):
And then last, on top of our information security requirements, we’re seeing ongoing evolution of privacy regulations. It’s interesting to me. We haven’t seen their impact yet because I don’t think we’ve seen very much enforcement of them to this point. If that does occur, I think we’re going to see some significant evolution in our responsibility to deal with that. So those four things drive a logical response from key stakeholders. So the first thing it does is it’s driven security and privacy regulations. The government has recognized that we’re bleeding intellectual property to third party nations. They have recognized that privacy is a critical thing for the people that live within the United States, and that’s something that they should be enforcing. And if you look at what’s happening coming out of CISA, the Critical Infrastructure Systems Agency, if you look at what’s happening through the presidential executive order, if you look at what’s happening through the Cybersecurity Maturity Model Certification, we are seeing the logical response to these things. IoT device labeling is something on the table. We’re now talking about software labeling for quality software.
John Verry (03:23):
And certainly if I talk about supply chain risk management, which is going to be something you’re increasingly discussing. What that does is it is going to escalate the level of vendor due diligence that you are going to be subject to, and that you’re going to actually practice yourself, as more of our sensitive data ends up in third party environments. And that logically is going to drive an equivalent response from the folks that are actually processing a client’s data, right. Because if you’re a cloud service provider, if you’re somebody who’s processing third party data, you are going to see greater due diligence on your part. Why? That’s driven by the regulations and the requirements therein, right. If you are downstream from somebody who is subject to CMMC or NIST SP 800-171, that DFARS clause says, “Hey, you need to flow that regulation down, that requirement down.”
John Verry (04:18):
So increasingly we’re going to have this flow down of these requirements through the supply chain risk management process. Increasingly, our clients have an expectation that we’re doing the right thing with their data, and there’s an expectation that they’re going to validate that with you. We’re seeing cyber liability insurance become an issue; they’ve lost a lot of money over the last few years in cyber liability insurance. They’re driving premiums up, but what we’re also logically going to see is that the level of due diligence they do during the underwriting process is going to go up.
John Verry (04:45):
And then of course we talked about the cyber crime risk. So that is going to drive significant changes to the way that you address security and compliance within your organizations. A Gartner prediction report that I saw said that 60% of organizations will use cybersecurity risk as a primary determinant in conducting third party transactions and business engagements. That’s an interesting number and something which we should all be cognizant of. Another interesting development, I guess would be a good word, is that we have started to see MSPs being sued for data breaches. So I think those logical steps are going to drive these eight predictions.
John Verry (05:27):
First is zero trust. The first prediction is that zero trust will move from what I’m going to call buzzword to reality. Zero trust has been something we’ve talked about on and off over the last 10 years or so before it came to fruition. What we’re seeing now is, out of CISA, out of the presidential executive order, there’s going to be a mandate for us to begin using zero trust. And I think it’s the only logical response, right? First off, I think we have to acknowledge that security awareness education does not work. We’ve offered security awareness education virtually; every one of our customers has. No before some product out there that’s doing this. We send out on the order of magnitude of 10,000, 15,000 phishing emails each month on behalf of our clients. I look at the report once a week, I get a summary report, and every time I look at it, there are hundreds of people that have clicked on those links.
John Verry (06:20):
So I think we have to go from a model where we just assume that somebody’s going to click on a link. One of the cool things about zero trust is in a fully zero trust compliant organization, even if someone clicks on a link, we don’t need to really worry about that. Because effectively, we’re going to whitelist outbound traffic in such a way that the malware will not be able to actually be downloaded or even if it does get on the machine, it’s not going to be able to communicate with the command and control, and it’s not going to be able to exfiltrate the data.
John Verry (06:51):
The second thing, of course, why zero trust is a logical response is we talked about the presidential executive order, we talked about CISA guidance. And then the third thing is that zero trust, if I oversimplify it, right, is the logical extension from, or logical evolution from, would be a better way to say it, the old castle-and-moat style architecture, right. So in the old days, everybody that was outside our firewall was evil, everybody that was inside our firewall was trusted. As we’ve gone cloud, and as we’ve gone work from home, we no longer have the castle with all our data in it, and we can no longer trust everyone that lives within our castle. So really we’ve gone to a point where there is no castle, there is no moat, and we need a different model, and that’s what zero trust does.
John Verry (07:36):
So for those three reasons, I think zero trust is a logical response, and I think that’s something that we’re going to see. The second thing is that cyber insurance premiums are going to increase notably. Probably what I’m hearing is on the order of magnitude of 25% or so, and I think that will also drive them to do better due diligence during the underwriting process. I think this is the only logical response to the fact that we’ve seen approximately a tripling of the number of cyber crimes last year. I couldn’t find an accurate number. I was using Accenture, which publishes every six months a cyber investigations, forensics and response report with regards to this. And they said that’s what happened during the first half of the year. So I’m assuming we’re going to see something similar during the second half of the year.
John Verry (08:17):
The third prediction is that supply chain risk management continues to grow. And again, it’s the only logical response to, one, greater risk, right. Two, the fact that as we go cloud-based, increasingly more of our data is in a third party’s hands, and that we have an obligation under the growing regulations to ensure that those third parties are doing the right thing with our data. Third, we’re seeing privacy regulations. So now not only do we have the issue of needing to ensure the information security posture of our third parties, increasingly, we’re going to have to ensure that they’ve got good privacy programs in place.
John Verry (08:58):
Third, of course, the presidential executive order calls for this explicitly, and then of course CMMC calls for this explicitly through the DFARS 252.204-7012, 7019, 7020 clauses, 7021 as well. And then all we’re seeing is this guidance coming out of CISA, the Critical Infrastructure Systems Agency, which governs the operation of all critical infrastructure, all 17 of those, establishes at 16 critical infrastructure areas within our economy. And the net effect of this is that you will not only be being due diligent to more, but you are going to actually be due diligencing, and neither one of those are words I know, more as well.
John Verry (09:39):
The fourth prediction is that fractional virtual CISO usage will continue to grow. I think it’ll grow at a rapid pace, and again, it is the only logical response. If we think about the fact that there is a shortage of personnel, that is going to make it not only difficult to find a CISO, but it’s also already driven and will continue to drive the prices up, which is going to make it also difficult to afford a CISO for SMBs and SMEs. And further, most SMBs need a good strategy, they need that executive level guidance when it’s needed, but they typically don’t need a full-time one anyway.
John Verry (10:17):
So that’s another reason why I think there’s a logical response. I think the second reason that this is a logical response is that I talk every day to executive management at SMBs and SMEs, I talk to IT directors, and they are significantly challenged to navigate cyber risk, the evolving and overlapping regulatory requirements that they’re seeing, to deal with client expectations. That’s not what they do every day, right. So they need this guidance to ensure that they’re doing this and positioning their company in such a way that they’re going to be effective, not only near term, but longer term. And that’s really what the role of a CISO is. And then the third thing is that, increasingly, we’re seeing an expectation of organizations having CISOs through the due diligence process, where, as an example, through some key regulations, someone will have to be responsible under certain laws and regulations to have that title. You also see that same challenge in the privacy regulations, where you’ll be required to have a “data privacy officer” or equivalent.
John Verry (11:16):
Fifth prediction: you will, in the not too distant future, use the term our compliance officer or our GRC platform. To me, it’s the only logical response to the fact that, increasingly, we are going to need to demonstrate, to be able to prove, that we are secure and compliant. I fully understand that you can be compliant and not secure, and in theory, you can be secure and not compliant. But if we architect a cybersecurity program, an information security management system, well, then we should be able to get to a point where compliance does equal security. And whether or not it does in any particular instance, if you are going to need to prove that you are secure and compliant to a third party, to an auditor, to your customers, if you don’t have evidence, and if you can’t prove that through the fact that you’re complying with the controls that you’ve specified, that you can demonstrate that they’re actually operating as intended, then you’re going to be in trouble.
John Verry (12:16):
And that’s why I also think that you’re going to see the phrase compliance as a service, or compliance as a service offerings, growing in popularity as well. Why? Because while security isn’t compliance, it’s close enough that, A, there’s a shortage and, B, the prices in the compliance space are going up as well. So leveraging a third party to help you manage that compliance is increasingly a viable option. And when I say GRC platform, the obvious reason there is that a GRC platform, if it’s well done, can simplify that process of demonstrable security and compliance.
John Verry (12:53):
Prediction six. I think companies are going to look to reduce the number of vendors that they use. And this could significantly impact you as a user of vendors, or this could significantly impact you if you are typically a vendor to your clients, right. If you’re a cloud service provider, if you’re a business process outsourcer for Mayfair Law Firm, as an example. Earlier in the year, I had an interesting conversation with a Fortune 500 firm, and I was talking with their vendor due diligence people. They were asking us to potentially do some work in their vendor due diligence area. And they mentioned to me that they had approximately 700 law firms in their vendor database. Generally speaking, if you can do vendor due diligence on somebody for… The cheapest I’ve heard, with organizations building their own programs and outsourcing it to a lower cost offshore facility, yeah, you might hear $1,200 per vendor or $1,300 or $1,400 per vendor.
John Verry (13:48):
If you’re doing it onshore, typically, you’re going to hear an average cost of about 2,000 bucks per vendor. So think about it from that perspective. If they’ve got 700 law firms, that’s $1.4 million worth of vendor due diligence. And they had a stated goal of reducing that down by three quarters, which makes complete sense. So this idea of reducing the number of vendors is really the only logical response to the complexity and cost of managing numerous third parties, right. As we go increasingly into the cloud, there’s a cost and complexity of managing supply chain risk, which goes a little further, because we talk about third party risk, that’s my vendor.
John Verry (14:27):
Then there’s also fourth party risk or supply chain risk, which is how do I know that that vendor is doing the right thing with their supply chain and vice versa. So the less people we have in our chain, the less far down the chain that there are implications to us. And then of course, again, we have a shortage of qualified personnel that extends into due diligence. So if we can reduce the amount of due diligence we do, or we need to do, we reduce that shortage and the cost associated with hiring these people.
John Verry (14:55):
The seventh prediction is what I’m going to call software security goes mainstream. It is really the only logical response to the SolarWinds breach. The SolarWinds breach was a really interesting breach. And we’re seeing other breaches of this nature, more nation-state-oriented. But if we can inject software into somebody else’s software that’s being used and trusted by lots of third party organizations, that gives us an insane level of access. We also have the presidential executive order, which asked the FTC, as an example, to come up with some IoT labeling and/or software labeling approaches. The term software bill of materials is going to be a term that you’re going to hear, so that way we have a better understanding, when somebody provides us with software, of not only whether it has been developed securely, but whether the additional libraries that it’s leveraging from third parties, perhaps open source libraries, are properly validated to be secure.
John Verry (15:52):
I think we’re going to see what I’m going to call evolving API risk, and cyber crime that begins to exploit API risk. Increasingly we are… Software is truly eating the world, and I don’t know who coined that phrase. We are definitely in a place where software is eating the world, increasingly with IoT devices and cloud services. These cloud services talk to each other. Your cloud services are talking to lots of other cloud services. And if those APIs are not designed optimally, if I can get inside your organization, maybe I stop moving laterally and trying to deal with ransomware. And maybe I start to see what I can do in terms of manipulating those APIs if they’re not properly protected.
John Verry (16:35):
There have been some interesting proof-of-concept attacks of this nature that I’ve read about. I think we’re going to see a little bit more of that. And then last, as we go to a DevOps, SecDevOps, continuous integration, continuous development world, right, as SASE becomes critical to us, we’re increasingly at a point where what used to be hardware is now software, right. You’ve heard the term infrastructure as code. In a sense, right, you can deploy a data center, right. You can not only deploy a server now, you can not only deploy an application, but you can effectively deploy a data center, network infrastructure, firewalls, servers, using virtualization and container technologies, all done as code. And if that code is not properly secured, then none of that infrastructure is secure.
John Verry (17:24):
And then last, number eight, I think CSPs are going to up their game in terms of recognizing this risk, recognizing the level of due diligence they’re subject to, and they’re going to begin to use more significant third party attestations, more significant third party frameworks for managing cloud risk. Things like CSA STAR, FedRAMP, StateRAMP, ISO 27017. Why? It’s really the only logical response to significant client due diligence requirements, and with a preference for third party attestation. As a marketing differentiator, if you and your main competitor both have ISO 27001, or you both have SOC 2, increasingly we’ll see organizations recognizing that a client’s trust in a marketplace is critical to their success. So we see people actually looking at security attestations not only as a way to mitigate risk, but also as a way to differentiate themselves from a marketing perspective.
John Verry (18:25):
And then last, government regulations and expectations. A large percentage of the economy in the US is driven through governmental spending, both at the federal, state, local and education markets. So increasingly we’re seeing a ramp up in things like CMMC, FedRAMP, StateRAMP, if you want to do business with the government. So we see that as being a key driver as well. Thanks for listening to this. I will say that I love this quote from Yogi Berra: “I never make predictions, especially about the future.” I didn’t listen to that. Hopefully, I won’t look foolish next year on reviewing this.
Narrator (Intro/Outro) (19:06):
You’ve been listening to The Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.