Cybersecurity has dominated the news cycle this year, and 2017 will continue that trend, bringing the issue front and center in boardrooms and the situation room. At the same time, a new vocabulary is evolving to describe and deal with these threats.
So for 2017, rather than continue to make predictions on which technology to watch, what organization will be hacked and who is doing the attacking, I thought I'd focus on the ten key security words to watch out for. Understanding their significance in securing your tomorrow will go a long way in both preparation and progress in your defenses for 2017 and beyond.
Without further ado, here are your ten security words to watch for in 2017:
Change is a word you'll hear a lot, as in “what we're doing isn't working, so we have to change.” This change directive will come from boardrooms more than CIOs and CISOs, and will be both general in details and demanding in nature. Change will be critical to a successful defense in 2017.
Acceptance is both a blessing and a curse. We'll see more governments and executives following the lead of German Chancellor Merkel, who – when asked about the Deutsche Telekom breach – stated, “such cyberattacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them.” While lowering the hyperbole around simple phishing and social engineering attacks is good, complacency and fatalism belie the need to keep up our defenses in the face of intensified attacks. Acceptance is not the same as resignation. Understanding the difference will make a difference in 2017.
Automation is key to matching the speed and agility of 2017's attacks. Yesterday's advanced persistent threats (APTs) seem quaint when compared to the speed of 2017 attack vectors. Defenses need to be predictive and automated in order to finally get ahead of the attack curve. Speed kills, so automating a speedy defense is necessary in 2017.
Resilience will trump secure as a key word for 2017. The WEF mantra that “Your risk is my risk” when it comes to cybersecurity in critical sectors like finance, transportation, energy and communications adds dimension to the cyber equation. Threats cannot be addressed in isolation – now that we are all connected virtually – and that will drive enterprises to partner with their stakeholders on a strategy of resilience designed to overcome inevitable failures. Designing for resilience will be mandatory for inclusion in global eco-systems in 2017 and beyond.
Consequence is perhaps the most radical of the new security words coming in 2017, but it will be a key plank in the new administration's national security and cyber strategies. Focusing on the “gray zones” between simple defense and outright counterattacks, groups from governments to industry will be looking to assign appropriate consequences to attackers who heretofore have hacked without any costs. Consequence could drive escalation as well as deterrence, making it a key word to watch in 2017.
Trust continues to grow in importance and 2017 should see it outpacing security on the boardroom agenda. Earning and maintaining trust with constituents will require an attitudinal change from leadership but will begin to show both qualitative and quantitative results. Expect to see trust driving business decisions, security decisions and privacy decisions in 2017 and going forward.
Microsegmentation replaces the “firewall” as the technical approach to minimizing the effects of 2017 cyberattacks and becomes the new normal. As new business models drive changes to old enterprise architectures, organizations will focus on microsegments to protect endpoints within specific user communities, regardless of whether they reside in data centers, public clouds, private mobile devices or integrated eco-system supply chain partners.
Insider threats will become the focal point of the security space, because we're quickly realizing that all threats are inside. Focusing on perimeters has become outdated, because threats ultimately operate within the enterprise regardless of where they originate. The industry will begin moving past a focus on whether the insider has hostile intent or was simply duped, and focus instead on reducing the harm they can do.
Lateral threats that move freely across an enterprise once they inevitably sneak in will become an important focus of security officers as they accept that someone somewhere will click the wrong thing or leave their phone somewhere. Blocking lateral movement of attackers looking to access personal info or state secrets will make boardrooms happy as they keep their companies' security off the front pages in 2017.
Enabling agile, efficient and required new technology will be a new necessity for 2017 security decision makers. Security that simply tries to stop bad things is so last year, and 2017 will bring business drivers to the fore in deciding how best to secure these agile new environments. Demonstrating how you can use cloud, mobile, ICS and IoT securely will become an RFP staple in 2017.
Yes! Longtime followers will know that I always provide a little lagniappe to my top ten lists, and for 2017 the word is “Yes.” CISOs who are Dr. No will be pushed aside by creative problem solvers who utilize everything in order to further enterprise goals. Dr. Yes CISOs, CSOs and Chief Trust Officers will all get much better receptions in boardrooms and will lead in 2017 and beyond.

I remain both hopeful and confident that good will win out over evil, and once you know the new lexicon, 2017 will be a year of change in the right direction.