Information Security 2016, Highlights and Trends

By Michael Lines on December 15, 2016


"Prediction is very difficult, especially if it's about the future."
Niels Bohr, Nobel laureate in Physics

In looking back over all that has happened regarding information security in the past year, I'm reminded of a book I read to my children when they were growing up, "Alexander and the Terrible, Horrible, No Good, Very Bad Day" by Judith Viorst. This year has been like that - going from bad (data breaches ranging from Yahoo, to Verizon, to the IRS) to worse (with many major websites being taken offline by the DDoS attack on Dyn). Unlike with Alexander, I'm afraid our day is not going to end well after all the calamities we have suffered.

In thinking about these incidents a few highlights and trends pop out:

  1. We’re not getting any better at this. Security vulnerabilities across all industries and governments are as prevalent as ever, as evidenced by the continuous and ever larger breaches being announced. I've been a CISO for over 15 years and every year my expectations on "how much worse can it get?" are exceeded.
  2. There are no silver bullets. Even though the number of vendors exhibiting at RSA strains the capacity of the exhibition hall to hold them all, there is no single technology that “solves” the problem of securing information. Machine intelligence, AI, and deep learning are the current buzzwords leading the hype trends, and I expect them to be just as successful as all the other “game changers” of the past, which is to say not very successful at all.
  3. The attack surface continues to expand. An example of this can be found in the aforementioned Dyn DDoS attack, where vulnerabilities in devices ranging from baby monitors to webcams led to an attack that took major internet platforms and services offline for large swathes of users in Europe and North America. Whereas before you were primarily concerned with vulnerabilities within your environment, now you have to be concerned with vulnerabilities outside your environment that still have the ability to bring your business to its knees.

What does this portend for the future? Nothing good I'm afraid. Here's what I think the next year will bring:

  1. It’s not going to get any better (soon). Until the cost dynamic changes so that businesses can clearly see that the financial impact of not securing their environment actually exceeds the cost of implementing controls, the amount spent on security will not be sufficient to change the success rate of attacks. Compounding this is the first-mover disadvantage when it comes to security in competitive businesses. As it stands, the company that does spend significantly more money than its peers to tighten its controls and reduce risk is also likely to put itself at a competitive and financial disadvantage relative to those peers, at least until information security is seen as a key differentiator by consumers. Risk management is key to making sure that the investment dollars that are available are spent in the most productive fashion possible.
  2. The government will continue to “help.” Don't expect the avalanche of regulation to abate; if anything it is going to get worse at all levels - industry, federal, and state. With all these competing and overlapping regulations, increasingly supplemented by mandatory compliance programs and audits, the burden for business will only get worse. Again, using risk management as the foundation for your program, and identifying the regulations you are subject to as one of those risks, is the key to coping with the deluge of “help.”
  3. Good people are getting scarcer by the day. Finding people who can balance risk, technology, and business is a challenge in the best of circumstances; in today’s environment it can be a nightmare. Companies must look at what they realistically can do and afford with the staff they have, and make intelligent use of outside resources to supplement their team and outsource their needs where it makes sense. The days of the glass-room datacenter and the white-shirt IT department have long come to an end. In order to survive, IT must be the catalyst that enables the business by leveraging the ecosystem of services and technologies available, in order to serve the business in the most cost-effective and secure fashion possible.

Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here


This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.
