Saturday, December 28, 2013
TEN TOP SECURITY TRENDS TO WATCH IN 2014
In a time when many Critical Infrastructure companies around the world are feeling overwhelmed with stories of security threats from all sides, the year-end makes a great time to add a little perspective. So, based on my history in this space, plus the fact that my day job running CSC's global cybersecurity consulting business lets me talk to and help hundreds of executives around the world, I offer my perspective and what to watch for in 2014.
1. Incident Response Planning goes Mainstream
For every dollar spent on corporate information security, less than a penny has been spent on planning for the incident response. 2014 will see much greater board focus on the ability to respond to the seemingly inevitable incident, and that will drive advance practice and planning, and selection of your response team. Enterprises will stop being embarrassed by being attacked, and focus stakeholder attention on the efficiency of their response.
2. Big Data and Security meet at the SIEM
No matter how you define Big Data or how you pronounce SIEM (sim or seam), the evolution of these two tracks will combine to drive both your costs and risks down in 2014. Before, you had to know what to ask and how to interpret event data, but Big Data will change all that by analyzing everything and learning how to tell you where to focus. 2014 will be a year of teaching these systems how to be your eyes and ears.
3. Threats keep Evolving
More valuable stuff combined with even greater connectivity means that your adversaries will continue to evolve their threat vectors, creating ‘new and improved’ ways of stealing your stuff and disrupting your operations. 2013 gave us HumanMorphic APTs —2014’s crop will continue this dangerous trend.
4. Your Security Scope Expands
You thought your enterprise was hard to secure before, but in 2014 your security sphere is going to grow dramatically-- to include your suppliers, partners, and customers. It’s now your problem if they have an event, so helping them now helps you. Look for help from the White House in the form of EO-13636, and leverage lots of efficient ways to extend your security down.
5. Passé Passwords
While it will still be a few more years before Federated Identities lets you get out of the password business, 2014 will give you a lot of help in not needing to rely on them so much. Look for the best practices of the credit card and advertising worlds be brought to bear for enterprise access—where you know the user even before they log in.
6. Keys are the Key to the Cloud
Yes, you will move to the cloud, but it won’t be as scary in 2014 as it used to be, as long as you use the right architecture and always keep control of your encryption keys. Security becomes the enabler and new tech makes it easy to safely use efficient services like SalesForce and Dropbox, while keeping control of your environment in the clouds.
7. Smart Phones get Dumb Again
Your Bring Your Own Device (BYOD) plans have been held back, because your smart phones are too smart for your own good. Follow the latest trend toward using transparent virtual machines on these phones, turning them into dumb green screens when they access sensitive enterprise systems.
8. Transnational Crime becomes more concerning than Governments
2013 was the year of focus on what information governments are looking at, but in 2014 we’ll know that while many are looking (besides most governments, remember that social media ain't free, its a privacy tradeoff!), it’s the transnational criminals that are doing the worst things with it. And this will turn attentions from policy discussions to real security threats-- and how to stop them.
9. Shhhhhh! -- Securing your voice
With all the focus on securing the data, many enterprises are overlooking their voices. Between mobile eavesdropping on phones and cars, remote activation of microphones, enterprise VoIP, employee use of Skype, and even conference call numbers—your secrets are being talked about, and criminals are listening. Securing your voices will be as critical as the rest of your data, and luckily not any harder.
10. Quit It!
Squeezed between the increase in regulations, changes in technology, costs to hire, equip, and maintain security teams, greater governance, and increasing voracity and velocity of targeted attacks, companies will move to get out of their own security business, and create long term partnerships with professionals that have the trust, teams, scale, experience, and expertise to keep up. Your adversaries are working together—it’s critical that companies team up to defend themselves.
Lagniappe: Secure the Robots!
As our enterprises (and lives) become run by Industrial Control Systems (ICS & SCADA) that turn on and off our power, route our planes/trains/automobiles, dispense our drugs, deliver our food and water, mine our resources, and build our products-- the security of these ICS devices will become even more of a critical priority.