Billions will be spent on cybersecurity by thousands of companies. Only a fraction of those companies will get the full value from their investments. Governments, insurance agencies, consumers and more are demanding that their stakeholders protect their information, keep their data safe, and respect their privacy. Organizations in turn are spending more and more on cyber tools such as SIEMs, vulnerability scanners, and threat feeds. Other companies are starting by building a robust governance framework and ensuring their policies address risks, legal concerns and best practices. Each element of cybersecurity is important and required for a successful cybersecurity program. What is and will be overlooked is the duplicative and separate efforts required to manage every tool, every feed, and every component of a cybersecurity program. This extra and unnecessary burden will slow down efforts, make reporting inefficient and ineffective, and add unnecessary complications and delays to a cybersecurity program. Ultimately this makes these programs not only more costly but less secure.
Cyber risk management of all disciplines will be mandated by governments, first at the industry level and then across all businesses. Cybercriminals are not going away. They will continue to hack into businesses, celebrities, politicians, financial institutions, health care organizations and more. If there is value in the data, the criminals will try to get it. We have already seen regulations in industries such as health care and financial services pop up and evolve to promote and require cybersecurity. Regulators are freer from the politics that influence their world and often set rules before widespread laws take place. We should expect more and more industry regulators bringing cybersecurity into their management well before a highly partisan government can make unified decisions on laws. States will start pushing laws requiring industries to protect their cyber assets. This likely will happen at an industry level first because so many states have one, two or three dominant industries that the states want to protect. Many of these states will develop laws that are stronger than or slightly different from federal regulations or laws, causing organizations extra consideration and extra cost in reporting.
Vendor risk management practices will extend to customers as vendors are fined more for violations related to the customers they support. The continued effort to reduce risk will have a greater focus on organizations' customers and suppliers. As companies deepen their knowledge of operational and compliance risks, they will learn how suppliers and customers add to their risks. Everyone by now has heard about how an HVAC vendor was partially responsible for the breach at Target. It makes sense that material suppliers can impact the overall quality of goods manufacturers make. Customers too are seen as areas where their actions can be risky to the organizations that supply them goods and services. It's easy to imagine internet providers assessing customers on their propensity to download illegal content, or fining/punishing/reporting customers that use the internet to perform illegal actions. As organizations get wiser about risk and how customers and vendors impact risk, they will start taking actions to manage that risk, including assessments, monitoring key performance indicators and key risk indicators, and rationalizing their vendors and their customers.
Cybersecurity organizations are becoming larger and more complex in order to combat the continual rise in security incidents and the expanding threat landscape. We have more tools available to us than ever before and require more and more resources to mount effective detection and defense efforts. To address this, successful cybersecurity organizations will finally start to move out from under information technology organizations in 2017.
While IT may have been a natural place for cybersecurity to originate in organizations, security teams today must ensure they are provided with the independence necessary for them to engage in risk management and strategic planning efforts so they can be effective in protecting critical business assets and processes. The heightened cyber-attack activity many expect to see in 2017 should drive organizations to make that case this year and finally obtain the seat at the table needed to provide appreciable business value.
Contrary to the standard cybersecurity scaremongering, my prediction for 2017 is that IT departments will be forced to tackle cybersecurity entropy. IT security is now so complex to deal with, thanks to the constant evolution of threats, network systems, technologies and ways of working. While many are predicting the growth of new and flashy technologies that claim to stay ahead of the threat landscape, there comes a tipping point when security becomes too complex, and becomes unmanageable and severely unproductive for IT users. In 2016, when the productivity gap between the UK and the rest of western Europe's leading economies widened to the worst it's ever been, I believe that we hit that tipping point. Therefore, 2017 will see more businesses looking for ways to simplify their IT security (without leaving themselves more vulnerable, obviously) with more context-aware intelligence that frees up time for the IT department to focus on other areas of the business that also need attention.
IoT as the next trojan. We've already seen the hacks through IoT devices and it will continue.
Increased regulations. More standard security controls and a growing cyber insurance demand.
More automation of security enforcement for prevention, increased machine learning for detection and remediation for response.
Increase in nationwide terror attacks. They might not cause real damage, but they'll get us talking and disrupt daily life – think traffic lights, power, etc.
Attacks on public figures. Expect embarrassing photos and tax documents galore.
Vinay Anand, VP of ClearPass Security, Aruba, a Hewlett Packard Enterprise company
The industry will scramble to secure the Internet of Things. The recent attacks we've seen targeting IoT devices are only just the beginning. As we move into 2017, I'm confident that we'll see more frequent and more impactful attacks that exploit everything from light bulbs to thermostats to security cameras and beyond. On the heels of the Dyn attack we saw in late October, the industry is scrambling to leapfrog our adversaries, who are evidently already taking advantage of IoT vulnerabilities. While taking down websites causes significant disruption, there's potential for much more serious damage if an attacker were to gain access to the computer of a plane or a car, or a hospital's network. It's critical that organizations rethink how they are securing their networks as they embrace IoT.
User and device profiling will become mainstream. Many organizations today are clueless when it comes to the number of devices that actually reside on their network. Profiling devices and users is done sporadically today, but will soon become a mainstream practice. Organizations need to know what devices are on their networks in order to protect them and set policies that will flag unusual behavior, or take a device offline if there's abnormal activity. I expect that in light of the recent IoT attacks, many companies will recognize the urgency to get their ducks in a row and identify their inventory of IoT devices.
2017 will be the year of multifactor authentication. 2017 will be the year that multifactor authentication (MFA) becomes widely adopted. We've been tiptoeing around it for too long, but thanks to WikiLeaks, the DNC hack and other major incidents, there is greater awareness around how easy it is for attackers to get into our accounts. I think we are at a point where enterprises and consumers alike will be more receptive to MFA, and different types of biometric authentication such as fingerprints or iris scans will become increasingly important.