2020 in review

The year that contained COVID, the fully-remote operational shift, the targeted-ransomware-with-data-exfiltration escalation, the GDPR final-fine landings, and the SolarWinds supply-chain compromise has been operationally singular. Several of the things that happened in 2020 will be reference points for the rest of my career.

The COVID-driven operational shift. The fully-remote operation that began on the 16th of March has, by year-end, become the operational baseline rather than an emergency adaptation. The customer-portfolio operational measures have held; the team-side measures have settled into a sustainable cadence; the technology stack supporting the remote work has been substantially expanded across the customer organisations. The London office is, as of year-end, expected to remain mostly closed through Q1 2021 with a phased return contingent on the public-health environment. The Bath office is operating on reduced capacity with the formal transition to a hybrid-by-default posture that is expected to persist beyond the COVID period itself.

The customer-organisation cyber-posture impact of the COVID period has been substantial. The remote-access infrastructure expansion, the cloud-native acceleration, the home-office cyber-hygiene posture changes, the COVID-themed threat-actor opportunism — each of these has been a sustained programme-work theme through the year. The aggregate effect: the customer-organisation cyber-architecture in December 2020 is materially different from December 2019, and the changes are, in the main, in the direction of cloud-native, identity-as-perimeter, and remote-by-default. Some of the architectural debt that the COVID-driven changes have produced will be absorbed in 2021 and beyond; some of the changes will, on balance, be improvements over the pre-COVID baseline.

The targeted-ransomware escalation. The Maze leak-pattern that I noted formalising in late 2019 has been adopted by essentially every major ransomware operator cluster through 2020. The dual-extortion model — encryption plus data-exfiltration coercion — is now the default. The year's reference cases: Travelex (January), the various COVID-period healthcare-sector cases, Garmin / WastedLocker (July), Universal Health Services / Ryuk (September), and the steady drumbeat of customer-organisation incidents that have not been individually newsworthy but that aggregate to a substantial year of activity. The OFAC sanctions complication on the Garmin case has produced a structural change to the customer-organisation incident-response posture for any case with US-sanctioned operator attribution. The defensive disciplines (segmentation, identity controls, data-egress visibility, incident-response readiness) have been the substantive answer, and the customer-organisation programmes have continued to invest.

The supply-chain pattern. SolarWinds in December is the defining event. The multi-month dwell time, the precise targeting, the scale of affected customer organisations, the implications for vendor-trust and update-channel-integrity disciplines — all of these will reshape customer-organisation programme work through 2021 and beyond. The FireEye case in early December was the proximate cause of the SolarWinds discovery; the Mandiant-side investigation work has been substantive and the public disclosure has been exemplary in form. The wider supply-chain conversation, which I have been writing about since at least 2017, is now structurally central to the customer-organisation planning conversations for 2021.

The regulatory environment. The Schrems II ruling in July invalidated Privacy Shield as expected and produced operational work on Standard Contractual Clauses and on data-flow architecture across the portfolio. The Marriott and BA final fines landed in October at substantial reductions from the NoIs but at amounts that still set the new floor for UK GDPR enforcement. The post-Brexit UK adequacy decision is still pending as of year-end. The CCPA enforcement period began. The various other US state privacy regulations continue in legislative progress. The regulatory landscape is more mature than at any previous point.

The portfolio. Six vCISO clients carrying through the year. Fourteen SOC customers (added two through the year, lost one in churn). Twelve EmilyAI commercial customers (lost two through the year, added three). Aggregate company revenue at approximately 91% of the original full-year plan, with the gap in line with the macro-environment-affected forecast. The team is at thirty-three at year-end, slightly below the original-plan target. The financial position is healthy; the cash reserves carry the company through any reasonably-bad scenario in 2021 and the operational cost-base is sustainable at the current revenue level.

The book. The GDPR-era operational discipline book is in late draft and is on track for publication in mid-2021. The early-Emily research paper from USENIX Security 2019 has been cited in the academic literature on machine-learning-for-SOC and is producing useful follow-on conversations.

The personal note. I wrote 47 posts on the blog this year, the highest count since 2016, helped by the fully-remote operating cadence which has produced more consistent writing time than the office-based pattern did. The blog discipline continues to be the most useful single intellectual practice I have. The conferences this year were substantially virtual — Infosec Europe was a virtual event with a much smaller booth presence than the 2019 in-person form, the various BSides and academic events were similarly virtual. The virtual format produces less networking value but has been operationally easier to participate in. I expect the conference landscape in 2021 to remain mostly virtual through at least mid-year.

The ten-year-anniversary deferred event. We have not, during 2020, found an opportunity to mark the ten-year milestone in person. The intention is to do so in 2021 when the public-health environment supports it, possibly combined with the 2021 Christmas event into a two-celebrations-merged-into-one form.

Onward into 2021. The SolarWinds aftermath. The continuing ransomware escalation. The post-Brexit regulatory landscape settling. The product roadmap execution. The book publication. And whatever the year produces that I have not yet imagined.
