2018 Security Predictions: automation, boardrooms and GDPR
Brendan O'Connor, Security CTO at ServiceNow discusses security how threats and breaches of 2017 for personal data invasion will shape the security trends for 2018.
From WannaCry to Petya, the list of sophisticated and far-reaching breaches grows almost daily. In 2017, breaches impacted hundreds of millions of people globally. The security mission to protect, detect, and respond, has remained the same for everything from IT networks and data storage to payment systems and IoT devices. In the past ten years, a tremendous wave of technology innovation has been developed to help us protect and detect. Yet, the most neglected area of security is the part we can control – our response.
Without question, the velocity and complexity of the attacks will continue in 2018. The question is whether security operations be able to fine-tune their responses to meet the ever-increasing volume and sophistication of these challenges?
Prediction 1: Security “Haves” and “Have-nots” emerge
Security teams struggle to quickly determine whether incidents are worth a response. Many organisations use dozens of security tools that create and funnel massive volumes of signal onto the desk of the security professional. Analysts use spreadsheets and email to manage reacting to this signal, and the sheer volume of alerts results in analysts spending too much time researching incidents.
In 2018, we will see security ‘haves’ and ‘have-nots’ emerge between those that begin to automate this research portion of security response and those that do not. Companies with the tools and culture to embrace automation, and put technology to work for real business enablement, will perform better than those that do not.
The ‘haves’ will be expected to report on security operations as a key part of their day-to-day business. They will have scalable processes in place and will be in a position to measure progress. Automation will help them better determine which systems to patch and when. They will respond to phishing attacks in minutes rather than days. For the ‘haves’, this will be a point of pride.
The beauty for the ‘haves’ is that their security people will be freed from mundane and time-consuming manual research. They will have more time to focus on strategic projects that fortify the organisation. This new approach extends beyond security. Automation is so effective it becomes a rising tide that lifts all ships, operating in virtually all areas of business.
Prediction 2: Security gains a seat in the boardroom
Security programmes are about trade-offs and minimising risk. To achieve greater success, security teams need to better articulate those trade-offs by putting the risk and material consequences into business terms, fundamentally bringing security into their business strategy. CISOs need to help executives and board members understand the ROI, cost-benefit analysis, and security programme trade-offs by articulating the business risk versus business value.
In the coming year, we will see CISOs do more to present their security concepts and programmes in business terms. Talking about securing data is one thing, but demonstrating the value that security offers the business is something else. This will eventually apply to every aspect of the business, but most immediately applies to regulatory compliance, potential lost revenue, customer relationships, legal liability, competition, intellectual property, stockholder loyalty and brand protection.
The boardroom needs to take a step toward security, and security operations needs to take two steps toward the boardroom. Bridging the knowledge gap between security leadership and the board provides the framework to ensure effective security by helping all parties assess the risks and decide how to mitigate them.
Prediction 3: A breach enters our physical lives
There is a difference between information and physical security. The breaches that plague organisations today are primarily information security violations. While painful, having credit card information, a social security number, or personal digital information stolen does not result in physical harm to the victim. In 2018, we will see a breach impact our physical, personal lives. It might be a medical device or wearable that is hacked and remotely controlled. Perhaps it will be an industrial IoT device or self-driving car that gets compromised, or something closer to home. Devices from the garage door to the refrigerator are becoming smarter and more connected. The impact of such an attack will force government, business and individuals to take a closer look at the security of our infrastructure.
Prediction 4: The EU penalises a company for a GDPR violation
On 25 May 2018, the General Data Protection Regulation (GDPR) will be put into effect. GDPR will provide a legal framework to strengthen and unify data protection and distribution for individuals within the European Union (EU). While the regulation will protect EU citizens, it will impact organisations worldwide–every company that serves a customer or employee in the EU–and businesses can be held responsible for the way they process, store, and protect personal data. The maximum penalty is a fine of 20 million Euros, or four per cent of global annual revenue, whichever is greater. The EU may choose to make an example out of one of the first companies it penalises, sending a message that GDPR is to be taken seriously.
The first company most likely will not be a household name, but it will be known to be out of compliance in areas other than GDPR. As these penalties receive global publicity, other companies will be compelled to move forward with GDPR compliance plans.