Shadow Compliance: The Cybersecurity Trend Nobody Is Talking About

Forbes Technology Council

Howard Taylor, CISO Radware, LTD.

Are your closest customers probing your network for security weaknesses? To most CISOs, this question might sound crazy. Network scans are what the bad guys do, surely not your friends and business partners.

Yet it is happening right now with increasing frequency, evidence of what could be the most interesting cybersecurity trend nobody is discussing right now—shadow compliance.

In the old days—before 2020, for anyone who can remember that far back—compliance meant sending supply chain partners long questionnaires and requests for documentation. The more sensitive the sector (for example, military, government or banking), the more complex and time-consuming the compliance checks would be.

All of this still happens, of course, but much more is going on behind the scenes these days. The reality is that there is not much trust around right now, and that doesn't just apply to bad guy hackers and malicious nation-states.

The number one worry is cybersecurity. As far as your prospective partners are concerned, your network could be full of liabilities that might eventually expose them. The days of organizations making assumptions about other organizations are over, and nothing is taken for granted.

They know that not only are you unlikely to admit to cybersecurity weaknesses but that you probably don't know they exist in the first place. Looking at the frequency of major cyberattacks over the last decade, this skepticism is perfectly rational. The game-changer was the hack involving SolarWinds in December 2020, during which thousands of companies were affected by a vulnerable software update. What shocked people most was the compromise of a long-trusted product that created a vulnerability that bypassed the carefully built security of thousands of customers.

The Death Of Trust

The vulnerability that was exposed was trust itself. This has resulted in a growing number of companies taking matters into their own hands and hiring specialized companies to carry out pen tests of their partners' internet-facing resources. This can include hunting for IP addresses or ports inside a network that are communicating with a suspect host, and it might even include a dark web scan for leaked data.

What this means for CISOs is best illustrated by the anecdote of a technology company that wanted to sell its products to a European bank. Everything seemed to be going well with the relationship in its early stages until one day, out of the blue, the technology company received a call informing it that the bank had discovered some "anomalies" on its network. The bank wanted an immediate explanation.

Over the course of a two-month exchange, it transpired that the issue the pen-testers had uncovered was caused by a legitimate security scan that the technology company's in-house threat detection system carried out. In other words, the anomaly was a false positive—small compensation given the weeks of effort to reassure the bank. The technology company was guilty until it could prove itself innocent.

Does all of this hidden due diligence matter that much?

I'd argue it matters a lot, partly because it implies a future for compliance that most organizations have yet to come to terms with. This phenomenon of zero-trust compliance is spreading like wildfire from sector to sector. Indeed, these sorts of checks might soon become an ongoing 24/7 process requiring constant vigilance by CISOs.

How does an organization succeed in this new reality of shadow compliance? The secret is good "cyber" housekeeping. Just like regular housekeeping, an organization must maintain a regimen of keeping its information technology platform in good order. This regimen is based on the boring, routine stuff that is usually forgotten about. It may not be as exciting as big data analytics to hunt for state-sponsored cyber attackers, but it is highly effective in combating cybercrime and overreaching customer audits.

The pillars of this regimen are asset and configuration management, software and hardware updates, limiting access to IT resources and applications, and continuous monitoring.

Proper asset and configuration management sets the foundation for dealing with shadow compliance. All hardware, software, application, database and network components must be inventoried to ensure that only current, supported versions are in use and all appropriate security features are activated. End-of-life software or hardware may be missing critical security updates, leaving them vulnerable to cyberattacks. It is also important to configure these components according to vendor recommendations to ensure all security and functional settings meet business requirements.

Once your infrastructure essentials are current and properly installed, don't think you can just sit back and focus on running your business. Effective security measures are never static. New vulnerabilities surface daily. Left unchecked, they can easily become the topic of your next customer audit. You must implement an ongoing maintenance process to identify, prioritize and install hardware and software updates. These updates protect your infrastructure from known attack scenarios, making them an immediate necessity, and they'll help prepare you when your customers come probing your network.

Next, it's time to lock and bolt your "house." However, if everyone has a set of keys, there is no security. This applies to your IT environment as well. Limit system access to those who require it for their job function. Access should be removed when it is no longer needed, especially when an employee exits the business.

Last, but far from least, is monitoring. This includes gathering logs of activity such as system and application access, virus and malicious code and suspicious network traffic. Your monitoring strategy may include periodic testing (penetration tests and vulnerability scans) performed by a third party to identify security issues proactively. This can give you a list of remediation requirements that must be corrected.
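The bank anecdote above and the monitoring pillar both point to the same practical need: when a partner's pen-testers report an "anomaly," you want to attribute scan-like activity to a known in-house source in minutes, not months. The following is an added example, not code from the article or from Radware; the scanner register, IP addresses and IDS alert lines are all constructed, and the log format is a hypothetical one.

```python
from datetime import datetime, timezone

# Constructed register of authorized in-house scanners (hypothetical values,
# not from the article): source IP -> (label, weekday, start_hour, end_hour)
# where weekday 6 = Sunday and the hours are a UTC maintenance window.
AUTHORIZED_SCANNERS = {
    "10.20.0.15": ("in-house vulnerability scanner", 6, 2, 4),
}

# Constructed IDS alert lines: timestamp, source, destination, event, detail.
SAMPLE_ALERTS = """\
2024-03-03T02:17:44Z 10.20.0.15 203.0.113.40 portscan 1-1024
2024-03-03T02:19:10Z 10.20.0.15 203.0.113.41 portscan 1-1024
2024-03-04T14:05:00Z 10.20.0.15 203.0.113.40 portscan 1-1024
2024-03-05T11:02:51Z 198.51.100.77 203.0.113.40 portscan 21,22,80,443,3389
2024-03-05T11:03:02Z 198.51.100.77 203.0.113.42 portscan 21,22,80,443,3389
"""

def parse_alert(line):
    """Split one hypothetical IDS alert line into its fields."""
    ts, src, dst, event, detail = line.split(maxsplit=4)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": src, "dst": dst, "event": event, "detail": detail,
    }

def attribute(alert, register=AUTHORIZED_SCANNERS):
    """Return 'authorized', 'authorized-out-of-window' or 'unexplained'.
    A registered scanner running outside its declared window is flagged too,
    because that is the kind of surprise a customer audit will ask about."""
    entry = register.get(alert["src"])
    if entry is None:
        return "unexplained"
    _label, weekday, start, end = entry
    ts = alert["ts"].astimezone(timezone.utc)
    if ts.weekday() == weekday and start <= ts.hour < end:
        return "authorized"
    return "authorized-out-of-window"

def triage(raw_alerts, register=AUTHORIZED_SCANNERS):
    """Group alerts by verdict and source so each one has a ready answer."""
    report = {}
    for line in raw_alerts.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        verdict = attribute(alert, register)
        report.setdefault(verdict, {}).setdefault(alert["src"], []).append(alert["dst"])
    return report

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE_ALERTS).items():
        for src, targets in sources.items():
            print(f"{verdict:24} {src:15} -> {len(targets)} target(s)")
```

Only the "unexplained" bucket needs an investigation; the "authorized" bucket is the documented answer the technology company in the anecdote spent two months assembling by hand.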

Taking these actions should dramatically improve your security profile and help keep your customers satisfied.

If you are not part of the shadow compliance trend today, you will soon be. This one won't go back into its box. My advice is to prepare for deeper questioning rather than resisting it. The experts said building zero-trust architectures would have long-term implications, and they were right.
