The Year That Was: Updates and Observations from 2021

Team Growth

We will enter 2022 with a team close to double that of 2021, fuelled by a mid-market that has really resonated with our approach of partnering to provide a complete security function/department as a service – with all the subject matter experts, processes and platforms that go along with that.

Our clients see us a strategic part of their organisation, providing the essential function of supporting core objectives through information security. They either choose not to, or recognise they are not in a position to, build a specialist information security team internally, including procuring, configuring and maintaining key security platforms.

As a result, leveraging Security Centric to provide their information security function meant increasing the size of our team of subject matter experts, available to be called on proactively or on an ad-hoc basis in support of customer requirements.

“Unprecedented Times”

Whilst an overused buzzword, a lot of changes, firsts and achievements occurred during the pandemic.

• We onboarded a bunch of new team members completely remotely.
• We moved into brand new offices in February to accommodate the expansion from 2020 and forecasted growth.
• We had some entertaining surprises, such as realising your co-workers are taller/shorter/different to their Zoom postage stamp representation.

We’ve been putting the finishing touches on our 24x7 Security Operations Centre – up from 8x5 – due to reach production operational readiness in early 2022. This is in response to increasing demand for continuous coverage of critical business functions whilst also satisfying data sovereignty requirements, which often preclude other larger vendors.

Observations

Significant observations from 2021:

1. The importance of validating the effectiveness of controls, not just turning them on. E.g. we’ve been called in to investigate multiple MFA bypass events that led to significant breaches. Takeaway: just because the GUI says a feature is on doesn’t mean it’s operating as expected.
   
   
2. The leverage once afforded to malicious parties by targeting the availability of systems has diminished with backup and redundancy maturing. Threat actors have turned their attention to confidentiality – using the threat of publishing internal confidential data as their leverage. Takeaway: remember each element of the infosec triad: confidentiality, integrity and availability.
   
   
3. Boards want more visibility of their position on cyber, particularly knowing if, and how well, they are fulfilling their directorial duties. I’ve been increasingly called into boards in an advisory capacity, developing a standing agenda and performance measures for cyber. Exposure, comparison to peers and a report card were a common theme. Takeaway: boards do not want to see operational IT security metrics. Their focus is much higher.

What is vital is ensuring an appropriate strategy and roadmap is in place for 2022, as regular programming (hopefully) resumes. The disruption of the past 20 months has presented new or evolved risks, but has also provided an opportunity for significant uplift in cyber security posture as organisations change the way they work and there is more visibility of cyber risk. Don't let this opportunity for a step-function improvement pass by.