2020: Why a Bad Year Was Good for Security

Security is countercyclical: the business tends to boom while broader macro conditions deteriorate. Amid this year’s pandemic — including remote work and economic uncertainty for many — specific security trends (data as the new endpoint, distributed networking, zero-trust approaches) accelerated. But remote work also brought new challenges: a rise in ransomware; attacks on critical systems and supply chains; the need to securely onboard and offboard remote employees; and a growing talent shortage in an increasingly important industry. Here’s an overview of the ways 2020 impacted security technology and teams, as well as the new threats and challenges that came to the forefront.

To learn more about what went down in the security news this year, be sure to check out these podcast episodes as well.

On security technology

Data is the new endpoint. Cyberdefense is often a series of controls, and just as in physical defense, when one line is broken, teams fall back to protect the most critical systems. As data has become the crown jewels of many organizations, what we are trying to protect has changed, and security dollars are moving from the two traditional investments — endpoints and networks — to data.

And securing data means protecting it even if its environment is compromised. With existing data loss prevention (DLP) tools falling short, new tools are emerging that focus on the CI/CD pipeline; on securing data as close as possible to where it is generated; and on applying encryption, obfuscation, tokenization, and other techniques to secure data.

The perimeter is dissolving. The move to remote work has accelerated the move to distributed networking/decentralization and zero trust. The market was already headed this way pre-COVID, but when the “castle” (office) isn’t open, it’s easier to get rid of a “moat” mentality. The result has been a decentralization of VPN architectures and a preference for thin clients to keep sensitive data off individual worker devices.

Digital security of the physical office. As many workplaces prepare for workers to return, digital security tools — such as advanced queuing systems, surveillance tools that monitor people per square foot, and touchless entry systems — are being applied to prevent the spread of COVID-19. After the pandemic ends, these tools have the potential to improve workplace safety by reducing the spread and impact of seasonal colds and flus in the workplace as well.

Discovery, control, and third-party risk management of user-provisioned IT. With workers remote, even more applications are finding their way into the organization from the bottom up. The move to cloud-based systems and the increase in SaaS applications mean more third parties with access to your computer and data — and more third-party risk. Rather than trying to crack down on individuals and teams picking and adopting their preferred tools, IT organizations are using new tools to discover new applications and put the necessary security controls in place. They are also provisioning access to data to manage third-party risk, specifying what data they have, where it lives, and who can and should access it.

Move to multi-cloud. Big events have long tails, and in the aftermath of major crises, business continuity often rises in importance. During 9/11, banks that had strong continuity planning recovered better than those that didn’t, and for the decade after 9/11, business continuity was a focus. COVID-19 has had a similar effect, accelerating the trend towards multi-cloud to avoid a single point of failure.

As a result of all this, organizationally, the best companies have started finding the best people in other technical disciplines to train and expand the responsibility for continuity beyond the core security team.

On security teams

Two divergent approaches to the CISO role. From its initial focus on securing on-premise servers, the Chief Security Officer (CSO/CISO) role has sprawled to include not just the cloud, but the physical workplace, individual laptops and phones, and data privacy and compliance. Organizations are taking two diverging approaches to the role:

(1) Some are breaking the role apart and aligning its different functions to various parts of the organization. Application security experts may report to the CTO; a more narrowly focused CISO may report into IT for corporate security; and privacy and compliance may report into legal.

(2) Other organizations have centralized the security team with the CISO reporting directly to the CEO, or at times, even the board.

[related podcasts: The Chief Security Officer in (and out of) a Crisis; Cybersecurity in the Boardroom vs. the Situation Room]

Remote work helps with security talent shortages. The increased scope of security in organizations has led to a talent shortage for CISOs, as well as for roles like cloud security architects and security engineers. A lot of security talent is in places (like San Antonio or Utah) that aren’t widely recognized as tech hubs but host government or national-security hubs. Though the talent shortage remains, remote work has at least made more of this security talent accessible.

Security moves closer to tech and product development. To do security well, it’s not enough to overlay a security team on product development or IT. More organizations are embedding security into software development and data science, and security engineers are moving closer to product and development (and away from specialization and penetration testing). Rather than focusing on security people who understand software, this organizational shift opens up demand for developers or data scientists who understand security — and portends a larger transition where security is not a distinct function… but an integral part of everything.

Securing a remote organization (and its workers). Pre-pandemic, one of the biggest obstacles to remote work was security. Individuals, their devices, and accounts were, and now more than ever are, the easiest point of entry for most hacks. Even when individuals are in an office, many don’t follow basic security measures; but when an organization is remote, new challenges emerge: How do you hire someone, verify them, and give them access to resources? What software goes on their laptop? What additional controls?

When they’re at home but on a work computer, what is the policy for what they can and can’t do with work equipment? And if you have to offboard someone, how do you keep them from taking sensitive data?

[related podcast: Security When the Workforce is Remote]

On rising threats

Attacks on critical systems and supply chains. As became public just this past week, hackers spied on U.S. Treasury emails and other federal agencies through malware installed (indirectly via a third-party provider) over a year ago. The hack is a watershed for the question of how to secure supply chains and critical systems, and is potentially the most comprehensive and damaging breach by a foreign adversary in recent U.S. history.

[related podcast: 16 Minutes on the News: U.S. Government Hacked]

More criminal uses of deepfakes. While “deepfakes” — a portmanteau of “deep learning” and “fakes” — entered the lexicon in 2019, this year saw more criminal applications of the technology, and more organizations trying to figure out the policies and tools to detect, identify, and moderate deepfakes.

Ransomware with higher stakes. Ransomware — malware that holds systems, files, or data hostage in exchange for some payment (hence “ransom”) — has evolved into a multibillion-dollar industry of modern, organized cybercrime. The range and targets of ransomware attacks increased this year, from encrypting documents to taking servers and systems hostage to stealing data — including an increasing number of attacks on hospitals where lives, not just wallets, are at stake.

Synthetic fraud. During economic downturns, all types of fraud tend to increase. During the global financial crisis, there was a rapid acceleration in bank fraud targeting consumers, resulting in innovations and sophisticated tools. For example, to circumvent bank fraud detection, an entire industry sprouted up to harvest consumer bank credentials, send out waves of malware to infect consumer computers, and launder ill-gotten gains through intermediaries. In this current global pandemic, “synthetic fraud” — where fraudsters create synthetic identities combining real things, like social security numbers, with fake names and addresses — has picked up. Luckily, just as the financial crisis created new security leaders, this crisis (combined with bold investments in new platforms) can lead to meaningful security solutions for now and the future.

[related podcasts: Stories from the Frontline of Synthetic Fraud; PPP, Pandemic Relief, and Fraud]
