As the security community staggers into 2021, our mission is clear: With the world’s attention focused on the challenges of racial bias, political tensions, and a stubborn pandemic, cyber threats must not be allowed to join the litany of serious issues facing our globe. Our collective objective must be to prevent this from occurring, and it’s not just that we have insufficient capacity to handle yet another problem. Rather, cyber threats could produce largescale disruption on par with our other global challenges.
We hate to introduce our annual security volume with such a stark, perhaps even depressing, message, but our approach at TAG Cyber has been to call things as we see them. And right now, we see storm clouds on the horizon. But like all weather patterns, it is not ordained that massively coordinated cyber threats to critical infrastructure will become the Next Big Thing. Rather, it is possible that we can change the trajectory. Hopefully, this volume will help in that regard.
For the past five years, we at TAG Cyber have published our Security Annual in the hopes that we might democratize insights into the technology, trends, and complexities of the cyber security industry. Unlike the pay-for-play nonsense we see from many of the larger so-called research and advisory companies with their billions in revenue, we seek to inform readers in an honest and unbiased manner on the best methods and techniques for cyber defense.
And while, unlike the big advisory firms, we might not have the balance sheet of a small nation, we do have our moments of joy – usually when we help someone reduce risk. Here’s a snippet from the CISO of a power company: “Your research pointed us to several new areas of protection,” he wrote in an email, “and after adjusting our enterprise security architecture, we stopped a couple of things that could have been bad.”
That is why we do what we do.
Unlike in previous years where this annual was rigidly structured around our fifty TAG Cyber security controls (and they are now up to fifty-four controls, by the way – sorry), we chose to make this year’s annual more like a magazine. The interviews with luminaries are still here, but we chose to make the book something you might actually like to bring to the beach. (And yes, we give you permission to nerd out on the beach. We certainly do.)
The articles include some of the better pieces we created during 2020 in our day-to-day writing, but also many newly commissioned articles that offer our perspectives on the industry. As always, we do not lower our standards for the uninitiated. If you do not understand the basics of cyber security, then you’ll need to do some separate calisthenics to catch up. This book is not like those vapid Security Concepts for Dummies pamphlets on vendor tables at RSA.
That said, the book is also not written for the eleven people in the world who understand the mathematics of elliptic curve cryptography. Rather, it is developed and aimed at the working practitioner in the cyber security industry. This includes developers, managers, sales professionals, marketing experts, and yes – even board members (although Luddites are not welcome here. If you are clueless, then go grab a Gartner report.)
Many of you often ask about our growing team and our services at TAG Cyber, so while this is not a marketing brochure for our world-class, unique, lightweight, global, premise or cloud-resident, threat intelligence enabled, machine learning assisted, fully agentless, 100% passwordless, and quantum powered security solutions (sigh), I am happy to give you an update on how things have been going for us these past twelve months.
Apart from pausing the lease for our Manhattan digs until we have more clarity around COVID-19, we’ve rolled out many new services, primarily for enterprise customers. Our research subscription business is growing faster than we can keep up with, and we now deliver a student assisted security portal to many small- and medium-sized business. Nothing makes us happier than providing useful information to security teams, so we are a smiling camp these days.
As for all of you working in cyber defense, we sense a continued uneasiness and uncertainty around security. As we alluded in our introductory points, the possibility seems greater than ever that nation-states will take full advantage of global unrest and infrastructure change to pounce on unsuspecting targets. Companies are weak when they are undergoing change and when they are distracted. The pandemic has produced both conditions everywhere.
So, while we continue to coach an upbeat message to our enterprise and government clients, and while we continue to be superbly impressed with so many great innovations in cyber security technology from commercial vendors, we also agree that optimism might be a bit premature. Instead, we recommend that while you read the essays, articles, and reports in this volume, you take serious and honest inventory of your probably insufficient posture.
Organizations in 2021 must adopt a serious and determined approach to their defensive activities. This is a time for cyber security teams, enterprise IT departments, and government security agencies to do their best work. Pandemics might slow down travel and commerce, but we assure you that they do not slow down cyber offense. If anything, they provide sufficient cover for a serious malicious advancement. Be confident, be vigilant, but also be careful.
We wish you well this coming year, and we look forward to 2021 being better than the twelve-month period we are about to push into the history books. If you can say anything positive about 2020, perhaps it’s that by setting such a low bar, it raises the prospects that the coming year will be so much better. Let’s make sure the cyber security community does its part to contribute to this welcome improvement.
Stay safe, healthy, and secure – and we hope you enjoy our 2021 TAG Cyber Security Annual.