December 30, 2019 // Tony Howlett. Last Updated: April 16, 2021
As 2019 winds down and we head into the new year (and decade!), IT and security managers are making their lists and hoping for money for their 2020 InfoSec wish list items rather than budget coal.
While many technologies and projects vie for priority in the upcoming year, here are some of the things I believe should be top items on managers' request lists:
This is a remedial item on the list. If you aren't already using multi-factor authentication for your administrative credentials, you're a bit behind the 8 ball and probably out of compliance with many major frameworks (notably PCI-DSS). But better late than never, and now is the time for your first New Year's resolution. By applying this strong technical control over administrative logins, you will make it much harder for a hacker to take over privileged accounts, which is where hackers can do the most damage. If you already have MFA in place, you might want to consider expanding the use case to cover more credentials. Some firms have even opted to use MFA for all remote access, including VPN users and vendors.
Speaking of VPN users and third-party access, controlling your most sensitive credentials better is one of the most impactful things you can do to prevent breaches, ransomware, and other security attacks. New technologies known as Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM) can help you further lock down and track the use of privileged credentials, both for internal users (in the case of PAM) and for third-party vendors (in the case of VPAM).
With PAM technology, privileged credentials are never exposed to the actual users, which allows for frequent, complex rotation. PAM also allows for separate auditing and tracking of privileged credential use, letting you place additional controls on it and catch any issues early. Similarly, VPAM adds technology specifically for vendors, including access technology that replaces insecure VPNs; some products also include onboarding and off-boarding workflow mechanisms.
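To make the PAM mechanics above concrete, here is an added example (not code from the original post or from any PAM product) of a minimal credential broker: the user receives a session handle rather than the password, the broker presents the vaulted password to the target system itself, the password is rotated as soon as the session is checked back in, and every step lands in an audit trail. The `TargetSystem` class, the account name `root@db01`, the user `alice` and the MFA flag are all constructed stand-ins for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class AuditEvent:
    ts: float
    actor: str
    account: str
    action: str
    detail: str = ""


class TargetSystem:
    """Stand-in for the managed host (constructed for this example). It keeps
    only a hash of the current privileged password and checks logins against it."""

    def __init__(self, account: str, password: str) -> None:
        self.account = account
        self._pw_hash = self._hash(password)

    @staticmethod
    def _hash(pw: str) -> str:
        return hashlib.sha256(pw.encode()).hexdigest()

    def login(self, account: str, password: str) -> bool:
        return account == self.account and secrets.compare_digest(
            self._hash(password), self._pw_hash)

    def set_password(self, new_password: str) -> None:
        self._pw_hash = self._hash(new_password)


class PamBroker:
    """Minimal privileged-access broker: vaults secrets, hands users a session
    handle instead of the password, logs in to the target on the user's behalf,
    rotates the secret when the session ends, and records an audit trail."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}                 # account -> current password
        self._targets: dict[str, TargetSystem] = {}
        self._sessions: dict[str, tuple[str, str]] = {}  # handle -> (user, account)
        self.audit: list[AuditEvent] = []

    def _log(self, actor: str, account: str, action: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(time.time(), actor, account, action, detail))

    def enroll(self, account: str) -> TargetSystem:
        # The initial secret is generated inside the vault; no human ever sees it.
        pw = secrets.token_urlsafe(32)
        self._vault[account] = pw
        self._targets[account] = TargetSystem(account, pw)
        self._log("pam", account, "enroll", "initial secret generated")
        return self._targets[account]

    def request_session(self, user: str, account: str, justification: str,
                        mfa_verified: bool) -> str:
        # MFA is enforced at checkout, so a stolen password alone cannot open a session.
        if not mfa_verified:
            self._log(user, account, "denied", "MFA not satisfied")
            raise PermissionError("MFA required for privileged access")
        if account not in self._vault:
            raise KeyError(account)
        handle = secrets.token_hex(16)  # opaque handle, unrelated to the secret
        self._sessions[handle] = (user, account)
        self._log(user, account, "checkout", justification)
        return handle

    def run(self, handle: str, command: str) -> str:
        user, account = self._sessions[handle]
        target = self._targets[account]
        # The broker, not the user, presents the vaulted password to the target.
        if not target.login(account, self._vault[account]):
            raise RuntimeError("vault out of sync with target")
        self._log(user, account, "command", command)
        return f"{account}: {command}"

    def end_session(self, handle: str) -> None:
        user, account = self._sessions.pop(handle)
        # Rotate immediately so anything captured during the session is dead.
        new_pw = secrets.token_urlsafe(32)
        self._targets[account].set_password(new_pw)
        self._vault[account] = new_pw
        self._log(user, account, "checkin", "secret rotated")


def demo() -> dict:
    """Walk one brokered session and report the properties worth checking."""
    broker = PamBroker()
    target = broker.enroll("root@db01")
    old_secret = broker._vault["root@db01"]  # observer view only, for the demo
    handle = broker.request_session("alice", "root@db01", "ticket INC-0001", mfa_verified=True)
    broker.run(handle, "patch --check")
    broker.end_session(handle)
    return {
        "handle_is_not_secret": handle != old_secret,
        "old_secret_still_valid": target.login("root@db01", old_secret),
        "actions": [e.action for e in broker.audit],
    }
```

The audit list is what a SIEM would ingest: each checkout carries a justification and an actor, so a privileged login on the target with no matching `checkout` event is itself a detection signal.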
Expect 2020 to be the year in which companies build out their vulnerability management tool suites and processes. Where before simply running scans and tracking patches was enough, newer frameworks like Continuous Adaptive Risk and Trust Assessment (CARTA) dictate that companies make constant adjustments based on their vulnerability posture. While the tools to put this kind of system in place are still being introduced, the goal of moving towards a single pane of glass from which to view all your IT and cyber risk status is a powerful capability to have.
Many companies are starting to realize that while you do all you can to prevent a breach, sometimes they happen anyway. So, part of strengthening your IT security posture can be reviewing incident response plans, testing them, revising them regularly, and adding features that make forensic and other post-incident work easier. Things like offsite, longer-term log storage, offline backup storage, and forensic response retainers can all help your company recover faster and more completely from any kind of major cyber incident.
There are many more things that could be your priority in 2020, depending on your enterprise's situation and requirements; however, all of the above offer a pretty good ROI and impact on cybersecurity. To find out more about the top VPN alternatives, check out our brochure that highlights the importance of having a separate software platform specifically to manage vendors' privileged access to systems, networks, and applications. I hope you are granted all your budgetary asks and have a great time implementing them in 2020.