The New Year brings both an opportunity for reflection and for anticipation of what’s to come in the year ahead. While ground breaking technology innovation continues to change how we work, live and connect to the world around us, we also see increased cyberattacks and damaging data breaches.
In fact, cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015 according to some forecasts.
The result: the growing recognition that digital security is a critical problem to solve if we want to realize the full potential for ongoing disruptive innovation, and continue the pace and breadth of adoption of transformative technologies across industries. Worldwide spending on information security products and services is expected to grow to $93 billion in 2018 according to Gartner. At the same time, venture capital funding has consistently increased in the cybersecurity industry. Projections for 2017 are on track for another record-breaking year with $5 billion in disclosed funding and close to 550 deals according to CBInsights, further illustrating the rapid industry growth since 2012.
The forecasts for future growth and investment are exciting, but it also remains important to keep our eyes on the significant work the industry is doing today. With each RSA Conference, we work to build around a central theme that highlights a timely and relevant focus for the information security industry. For 2018, we recognize the sense of urgency felt across industries and the importance of building a strong foundation that advances the field of cybersecurity with the theme “Now Matters.” With this is mind, the RSA Conference Advisory Board came together to reflect on where we’ve been and anticipate what’s to come in 2018 and beyond.
Attribution Awareness & Public Buy-In
According to Dmitri Alperovitch (Co-Founder and CTO of CrowdStrike Inc.), improvements in attribution capabilities have given the general public a much greater appreciation of the threat environment.
“The understanding of which nation states, criminal groups and hacktivist groups are breaking into organizations and for what purpose is helping to drive additional investment that is threat-centric and commensurate to the risk to the enterprise. Just as importantly, public attribution has helped advance geopolitical debate about how to bring various threat actors to account through law enforcement, and political and economic actions.”
The public awareness of breaches has also impacted products offerings and company security postures. As Wade Baker (Independent InfoSec consultant and Co-Founder of the Cyentia Institute) points out, “The realization that breaches occur impacting the general public and, to a certain extent, will unquestionably occur has had a phenomenal effect on the industry. Detection and response is a result of that and where you’ll see a lot of the spending and products.”
The Role of Regulation
In 2017, we saw two very public, high profile breaches: Equifax and Uber. These attacks raised many questions around the role of regulation and the timing of breach disclosure.
Hugh Thompson (Program Committee Chair, RSA Conference and CTO, Symantec) notes regulation has been shaping the industry from the beginning, and what’s more, regulation can be seen in a material way each year at RSA Conference. Thompson’s thoughts on regulation for the future? In 10 years, we’ll be even more regulated than we are today even as the industry tries to distance itself from compliance.
When looking at current regulations, both Todd Inskeep (Principal, Commercial Consulting at Booz Allen Hamilton) and Wendy Nather (Principal Security Strategist, Duo Security) agree compliance is still too reactive. Inskeep notes that we need new ideas and fresh thinking on what the real problem looks like. But unfortunately, regulation usually solves last year’s problem at best. According to Nather, we’ll continue to see large=scale attacks with huge collateral damage in the form of outages, but we likely won’t be prepared for it.
The good news: Inskeep anticipates that “in 10 years, we’ll have even more great talent working on all aspects of the information security problem, those new people will bring more diversity, ideas and innovation to the industry, even as new technologies create new challenges.” So, while organizations may not be as prepared as they should today for large-scale attacks, the work the industry is doing now – and the talent it is attracting – is well poised to solve these challenges.
Emerging & Future Technology Trends
As with 2017 predictions, IoT continues to be a hot topic. Last year, Gartner predicted that “by 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.” According to Alperovitch, the “proliferation of IoT devices that are being manufactured without any security standards, and most without any long-term security update mechanism, is going to create a tsunami of security issues, leading to an increase in volume and ferocity of DDoS attacks from IoT botnets. This is not being systematically dealt with right now and we are unfortunately increasingly sliding toward a point of no return on this issue.”
However, IDC predicts that by 2019, “more than 75% of IoT device manufacturers will improve their security and privacy capabilities, making them more trustworthy partners for technology buyers” – which points to a positive trend if it proves to be accurate.
Knowledge-based authentication has continued to be a popular security control to help verify identity. However, Nather raises some important considerations as it relates to security versus privacy: “Are users going to get used to being asked the knowledge-based authentication questions regardless of what they are trying to register for? Not everything is worth invading a user’s privacy by pulling their demographic and financial information from a centralized data store. As the population ages, maybe they don't remember those details anymore. There is the ongoing conflict between identification (telling two people apart) and authentication (proving that one of them is who they say they are). Social Security Numbers are trying to do both, and that’s why we have the security problems that we do. The industry will need to figure out how to separate the two purposes once and for all.”
Another issue with knowledge-based authentication stems from the large-scale Equifax breach, which impacted more than 143 million consumer credit records. Inskeep notes: “What kind of knowledge-based authentication can be used to authenticate people that hasn’t already been stolen?” Looking for new ways to secure personal information and verify identity, while maintaining privacy standards, is one of the nuanced challenges security professionals will need to address in the future.
And those organizations going the Do-It-Yourself security route? Nather says that approach won’t last.
“We may need a wholesale, greenfield migration of enterprise business operations to centralized, heavily-vetted service providers. In the future, it might be seen as criminally negligent to try to write your own software and run your own systems, because nobody can do it terribly well. In other words, those current holdouts with their own data centers may be forced into the cloud through regulation, or simple societal recognition of the fact that security is too expensive and too hard to get right on your own. Another thing we can do is simplify security controls so that they are more intrinsic to the technology, and create that tech pre-configured with security options that can’t be changed. If you make it harder for users to get it wrong, then security will get better without us having to blame the end-consumer, which is a losing strategy.”
Security Jobs of the Future
Today, only 40% of large enterprises report on cybersecurity and technology risk to their Board of Directors. By 2020, Gartner predicts that will grow to 100%.
According to Inskeep, part of this transition will come as baby boomers start to retire, and we bring in a new generation to lead the workforce. “With generational changes in business-level executives and the Board Room, we’ll have more people who understand the impact of what cybersecurity is in business. I don’t feel that digital natives follow the attacks more than anyone else, but they do have a better intrinsic feel for their dependence on technology and a better feel for what IT and cyber means for their business and products.”
Not only will there be a fresh perspective brought to the C-Suite and Board Room, but the fundamentals of a security job will likely change over time. Thompson reflects on the buzz that exists now around artificial intelligence (AI) and machine learning, and how that can potentially impact jobs in the future. “It is truly being used in products and people optimizing their stock. In 10 years, what does it look like when all the mundane tasks are all codified inside AI and machine learning? And what is the role of the security team? Maybe it becomes more about curating things properly.” Meaning, the human role in security is more about providing additional instinct and insights to the droves of data machines can process at a faster rate.
Additionally, the entire Advisory Board agreed the role of the CISO is likely to evolve more into the Chief Risk Officer who would report directly to the CEO. Companies will think about cyber-risk the same way they think about operational or supply chain risk. There will be a transition away from considering cyber in a silo as something different, to the realization that cyber risk must be incorporated into the playbook the same way as any other crisis.
A Commitment to Collaboration
Obviously, there are still many serious challenges ahead for the security industry. Some have remained stable over time, while others have increased in correlation to the adoption of technologies such as mobile, cloud, IoT, and AI not to mention the technologies such as blockchain and the impact of quantum computing on encryption. And if history is any indicator, the sophistication and diversity of cyber-attacks and their frequency are unlikely trend downward. From the Advisory Board’s perspective, there is universal agreement that one necessary factor for providing better, more creative and unique solutions to these various challenges is industry commitment to collaboration.
“It's been tough, and there are a lot of thorny issues from traditional business aspects to the ways business and government have interacted, but there are aspects of the problem that can only be solved when the public and private sector work together,” said Inskeep. “I’m hopeful we will figure out how to align our various cyber-activities, work together more closely and coordinate to respond effectively to incidents. Right now, everyone is on their own. But we are good at solving problems - and ten years out, we will be better able to figure out how military, law enforcement and businesses can truly collaborate to make the world a safer place for all organizations.”