Author: Brendan O’Connor, Security CTO at ServiceNow
The security threats and breaches of 2017 have set astounding new records for personal data invasion. From WannaCry to Petya, the list of sophisticated and far-reaching breaches grows almost daily. In 2017, breaches impacted hundreds of millions of people globally.
The security mission to protect, detect, and respond, has remained the same for everything from IT networks and data storage to payment systems and IoT devices. In the past ten years, a tremendous wave of technology innovation has been developed to help us protect and detect. Yet, the most neglected area of security is the part we can control – our response. Without question, the velocity and complexity of the attacks will continue in 2018. The question is, will security operations be able to fine-tune their responses to meet the ever-increasing volume and sophistication of these challenges?
Prediction 1: Security “Haves” and “Have-nots” emerge
Security teams struggle to quickly determine whether incidents are worth a response. Many organizations use dozens of security tools that create and funnel massive volumes of signal onto the desk of the security professional. Analysts use spreadsheets and email to manage reacting to this signal, and the sheer volume of alerts results in analysts spending too much time researching incidents.
In 2018, we will see security Haves and Have-nots emerge between those that begin to automate this research portion of security response and those that don’t. Companies with the tools and culture to embrace automation, and put technology to work for real business enablement, will perform better than those that don’t.
The Haves will be expected to report on security operations as a key part of their day-to-day business. They will have scalable processes in place and will be in a position to measure progress. Automation will help them better determine which systems to patch and when. They will respond to phishing attacks in minutes rather than days. For the Haves, this will be a point of pride.
The beauty for the Haves is that their security people will be freed from mundane and time-consuming manual research. They will have more time to focus on strategic projects that fortify the organization. This new approach extends beyond security. Automation is so effective it becomes a rising tide that lifts all ships, operating in virtually all areas of business.
Prediction 2: Security gains a seat in the boardroom
Security programs are about trade-offs and minimizing risk. To achieve greater success, security teams need to better articulate those trade-offs by putting the risk and material consequences into business terms, fundamentally bringing security into their business strategy. CISOs need to help executives and board members understand the ROI, cost-benefit analysis, and security program trade-offs by articulating the business risk versus business value.
In the coming year, we will see CISOs do more to present their security concepts and programs in business terms. Talking about securing data is one thing, but demonstrating the value that security offers the business is something else. This will eventually apply to every aspect of the business, but most immediately applies to regulatory compliance, potential lost revenue, customer relationships, legal liability, competition, intellectual property, stockholder loyalty and brand protection.
The boardroom needs to take a step toward security, and security operations needs to take two steps toward the boardroom. Bridging the knowledge gap between security leadership and the board provides the framework to ensure effective security by helping all parties assess the risks and decide how to mitigate them.
Prediction 3: A breach enters our physical lives
There is a difference between information and physical security. The breaches that plague organizations today are primarily information security violations. While painful, having credit card information, a social security number, or personal digital information stolen does not result in physical harm to the victim. In 2018, we will see a breach impact our physical, personal lives. It might be a medical device or wearable that is hacked and remotely controlled. Perhaps it will be an industrial IoT device or self-driving car that gets compromised. Or something closer to home – literally. Devices from the garage door to the refrigerator are becoming smarter and more connected. The impact of such an attack will force government, business and individuals to take a closer look at the security of our infrastructure.
Prediction 4: The EU penalizes a company for a GDPR violation
On May 25, 2018, the General Data Protection Regulation (GDPR) will be put into effect. GDPR will provide a legal framework to strengthen and unify data protection and distribution for individuals within the European Union (EU). While the regulation will protect EU citizens, it will impact organizations worldwide – every company that serves a customer or employee in the EU – and businesses can be held responsible for the way they process, store, and protect personal data. The maximum penalty is a fine of 20 million Euros, or 4% of global annual revenue, whichever is greater. The EU may choose to make an example out of one of the first companies it penalizes, sending a message that GDPR is to be taken seriously.
The first company most likely won’t be a household name, but it will be known to be out of compliance in areas other than GDPR. As these penalties receive global publicity, other companies will be compelled to move forward with GDPR compliance plans.