Information security is a perennially hot topic, but as 2016 kicks off, many organisations look to take stock over the past year and consider what the coming months may have in store.
Breaches of information security have certainly maintained their notoriety, hitting the headlines regularly in 2015, with major breaches hitting companies such as TalkTalk and Vtech.
Below are some expert, thought provoking, security-related predictions from the team at Rapid7, with everyone from Rapid7's CEO & President, Corey Thomas, to the company's Global Security Strategist, Trey Ford, weighing in, offering insights around what they think lies ahead for 2016.
Tod Beardsley, Security Research Manager at Rapid7
"I believe, and fervently hope, that the security issues dogging the Internet of Things will reach a critical level of both awareness and accountability. Given the growing coverage in mainstream media outlets about the state of security with IoT, I expect to see vendors of IoT devices take on real responsibility for the security of their devices. We in the security industry all know that hacking IoT devices is like dropping back ten years, and I believe that the mass consumer market will drive creative and realistic solutions to the problems of old software, old build processes, and the fractured patch pipeline."
Rebekah Brown, Threat Intelligence Lead at Rapid7
"We will continue to break free from the echo chamber. We are already seeing this with security researchers spending more time talking to law makers and infosec professionals actively reaching out to engage with non-security sector organisations. This trend will (hopefully) continue into 2016 and will help break down the communication barrier that continues to plague us as an industry."
Jen Ellis, Vice President of Community and Public Affairs at Rapid7
"We'll see the massive focus on cybersecurity in the policy sphere continue, and perhaps even increase, with organisational and system changes made to reflect this prioritisation. With this continued emphasis on cybersecurity in the Government, I hope we'll see the level of engagement between policy makers and the security community increase, and I hope we'll see it drive positive outcomes. However, I am concerned that we're likely to see some pretty scary legislation being proposed – we've already seen a bill that would prohibit independent security research on cars. It's on us to educate legislators about the potential fallout of these efforts. I hope we'll see the security community take a more collaborative, thoughtful, and productive approach to engaging policy makers, so we can avoid legislation that hinders security, rather than helping it."
Trey Ford, Global Security Strategist at Rapid7
"Come see the softer side of security.
My prediction is probably aspirational: I am hopeful we'll see more transparency in incident and breach communications. The public isn't afraid of "yet another breach," they're afraid the organisations they have a relationship with will violate their trust. In our series on VERIS, we've talked about the questions the public wants to see answered: who took what action, against what systems or information, with what impact, when, and what is being done about it?
Security will continue the shift of focusing more on trust than compliance."
Guillaume Ross, Senior Security Consultant at Rapid7
"Privacy and security will become more of a concern for consumers in 2016, and perhaps a slight marketing advantage for hardware and software vendors, though it will not become the main criteria for most people choosing a device such as a smartphone or an operating system.
As we are talking about things that will probably not happen, let's get those un-predictions out of the way:
- The Internet will not get DDoSed by a botnet of fridges and toasters, though a few will certainly take hold.
- The Internet will not get DDoSed by a botnet of smartphones, as they will run out of power after an hour.
- Information Security jobs will not be filled rapidly, as companies will still be struggling to find staff, preferring managed services in many cases, where appropriate.
- No, not everyone will be done patching Heartbleed, and no, the amount of services exposed to the Internet at the end of 2016, including SCADA systems, will not be lower than the amount of services exposed at the end of 2015."
Corey Thomas, President and CEO at Rapid7
"We'll see a greater gap between the well-managed and the poorly-managed, our security version of income inequality. The poorly-managed will continue to ignore, pay lip service, and rely mostly on controls. The well-managed will recruit teams directly or through partnerships and build effective programs."