The aggregate effect of cyber risk and the financial liability it poses are concerns for the insurance industry. For example, as bad as the Target breach was, what if there had been multiple, similar breaches that occurred simultaneously? What impact would this have had on the insurance carriers providing cyber liability coverage to these companies?
“Moving forward, not only will it be important for insurance companies to better understand the risks facing individual clients, but they will need to view this data over their entire portfolios to understand aggregate risk and ensure they are not over extended,” he said.
He added that the good news is that the insurance industry is beginning to rely on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to help standardize the view of cyber risk and ultimately manage aggregate, or portfolio, risk.
In the next year we are going to see a rebalancing of spending from traditional security solutions to data protection and recovery, said Paul Zeiter, president at Zerto. “While security spend protects the perimeter fence, there are simply too many cases of breaches getting past these defenses to not have a plan B in place.”
CIOs and CEOs are starting to recognize that millions of dollars in IT security investments, while critically important, are just not enough when a disaster such as a hack or ransomware breaks through the perimeter or a natural disaster like a hurricane floods their data center.
Paul Zeiter, president at Zerto
“In the wake of a disaster, companies quickly come to the realization that without the right investments in a disaster recovery solution, their businesses are exposed. To be proactive, companies need a plan and tools in place to recover from any disaster very quickly with as little revenue and end-user impact as possible. Even if an organization has implemented the best preventative security technology, disasters can and do still happen,” he said.
CloudPassage’s Sweet predicts DevOps teams will own security implementation (or, DevSecOps will gain traction). “History doesn’t repeat itself, but it rhymes. In this case, the rhyme is that the primary technology owners will also own security control implementation — even if they don’t operate it,” he said.
As distributed computing and TCP/IP took hold in the early 1990s, the information security world revolved around RACF and TopSecret — mainframe access management. Distributed computing and network security had never been issues before, so there were no skilled security practitioners to get the job done. The result… network security was owned by the network organization. The same thing happened when web application security became a demand; the web developers were responsible for implementing security controls (e.g. WAMs) even though central infosec was providing guidance and standards, he said.
Just as network security ownership defaulted to network teams in the 1990s, the same will be true for agile security and DevOps teams in 2017. “Cloud and agile technologies are being adopted faster than ever, and the industry doesn’t have time to wait for infosec to develop the needed skills. Therefore, DevOps teams will be on the hook for implementing actual security controls,” he said.
The successful security team will recognize this and seek to provide tools that work with this trend instead of fighting it. In so doing these teams will maintain high degrees of visibility and create leverage for their already-stressed resources, he added. We’ve said for over a decade that security should be built in, not bolted on — here’s a prime opportunity to move towards that reality.
Tufin’s Harrison agrees about the importance of DevOps in the security process, ensuring compliance to internal and external security rules without slowing down the primary mission of the DevOps team. This will be a challenge, as security is not inherently baked into a DevOps culture of “move fast, break stuff.” “In 2017, DevOps oversights could be the new data breach. We may see a major breach that gets tracked back to the DevOps approach, causing DevOps and security teams to become new best friends.”
- Need to rethink endpoint security. Rick Grinnell, co-founder and partner at Glasswing Ventures, says in 2017 the industry will need to rethink the focus on security at the endpoint and instead begin to think about security at what he calls the "middle point" — or layers of security between the exploitable surface area of the internet of things (IoT), and the assets, data, and services that we need to protect. From a VC perspective, there are various areas that are ripe for innovation in this middle point, including new product areas (e.g., the detection and profiling of all connected devices) as well as improvements in existing solutions (e.g., next-generation security information and event management that can better analyze all of the output of new middle point and existing solutions).
- Moving away from security sprawl and towards true automation. Joerg Sieber, director of products at Palo Alto Networks, said to counter the malicious activities coming at them, security operations teams need to be more agile than ever, which means more visibility into what’s coming at them, a reduction of noise, and automating for faster response. Traditionally, security teams have bolted on additional security solutions to address new threats. This has led to management frustration, with teams coordinating security resources (oftentimes manually) across a variety of security solutions and vendors where the components don’t talk to each other or share knowledge. Security organizations will start to migrate toward solutions that are more contextually aware and security platforms that can share information across the attack surface, utilizing analytics for automated detection and response.
- Critical firewall vulnerabilities will continue to be ignored. Chris Morales, head of security analytics at Vectra Networks, said the firewall is the most trusted device in a data center. The Shadow Brokers’ treasure trove of exploits stolen from the Equation Group was a wake-up call that advanced adversaries and nation-states had access to tools that allow eavesdropping on even encrypted communications traversing firewalls. According to the Shadow Server website, there are still more than 816,000 Cisco firewalls connected to the internet that are vulnerable, undermining the inherent trust placed in firewalls.
- Services instead of products. The security industry will accelerate the development of service-based offerings, offering packaged services rather than simply selling hardware, according to Monica Hallin, CEO of Vindico Group. Security companies will need to be flexible and agile in a time of great and rapid changes in the world and the industry. These changes increase the demand for new products and services. Security providers who lack the ability to rapidly change their businesses and offerings will face a difficult time. Even customers need to manage their risks and track their incidents more often, and be much quicker to revise and adapt to their needs.
- Phishing still on the hook. “Phishing will continue to be the number one attack vector for spoofing, malware and other malicious activity,” says Ng. “Email, both personal and corporate, continues to be used at various enterprises with very little oversight. We will see attackers utilizing various email framework protocols to launch attacks that cause data breaches well into the next five years.”
- More bug bounties. “We will see a large trend of organizations offering bug bounties for vulnerabilities, which will offset the cost of selling the same vulnerability on the dark web,” Ng adds. “Companies will be more open and transparent in their vulnerabilities and encourage attackers to break them.”