Tis the Season for Security Predictions

Each year across the country, right after Thanksgiving, a curious thing occurs at many technology vendors. Marketing professionals reach out to their company thought leaders to let them know that it’s time to produce a prediction report. Shortly thereafter, collective eyes are rolling and groans accompany candid statements, such as “I have nothing new or unique to add.” After some chiding and a twinge, most agree to a brainstorming session with marketing, nominating one or two peers to cobble together a list for public consumption.

Though positioned as unique findings, most are entirely based on anecdotal evidence. The process is anything but scientific. To get warmed up, we often use the magic of our favorite search engine to find and consider predictions from the past. While many predictions are entirely self-serving, others are so blatantly apparent that anyone with a shred of technical knowledge could have discovered them.

So, in spite of all that I’ve laid out above, I’ll embark down the perilous path of passing on a few observations that I think could impact the security world in 2017. I won’t call them predictions, just some common observations that are interesting to us, and interesting enough that in certain cases, we’re pivoting our business to take advantage of these trends.

As a software security vendor, we regularly interact with a portfolio of unique clients, trade notes with competitors and partners at security shows, and interact with industry analysts and smart tech reporters. We notice common denominators – clients asking the same types of questions, or reporters curious about the same types of topics. So although we live in a world of anecdote, remember that two anecdotes just might equal data. Below are some of the more interesting “observations” that you just may want to pay attention to in the new year.

Attackers Will Become More Sophisticated, Organized and Automated – Your Job Will be to Adapt

The old adage that the best security folks are those that think like attackers applies. That sentiment will serve people well as attackers expand their targets to include smaller enterprises, or those in industries who thought they were immune to attack. There are two types of enterprises: those that are targeted and those that are targets of opportunity. Targeted enterprises are typically ones whose core function will always attract attackers because of what they do or whom they serve – banks, financial institutions, retail, and government and military organizations. Everyone else must avoid being a target of opportunity, an enterprise that attackers might not normally focus on, but is ripe for attack because someone clicked on a malicious link and forgot to close a TCP port on the firewall. We see an increasing number of non-traditional enterprises being targeted because botnets and phishing attacks are so easily automated and executed. The challenge for the security professional is to recognize this pattern of activity and adapt to the new threat environment. If you are the lone security person in a smaller or non-targeted enterprise or industry, you will carry the burden because you know the consequences. As a result, you will have to do a better job of securing resources to protect your enterprise. If you are a security professional in a large, sophisticated financial institution, you will have to extend your understanding to include business units to better prepare for fraud and account takeover activity. Here’s the bad news: your job just got harder. And the good news: you get paid way more than you did five years ago.

Your Organization is Changing Beneath You – Your Job is to Change with It

There are several macro trends affecting the organization you work for that will fundamentally change IT and your job. You may already be aware of several of these trends, and you may actually be on the receiving end of one or more of them. The first that we see occurring throughout organizations is the fragmentation of centralized IT. The days of the imperial CIO are coming to a close, as business units embed developers and other roles that used to reside solely in the IT organization. This fragmentation is being accelerated by the transition to the cloud, with many non-IT leaders making cloud decisions without the awareness or approval of IT. We have witnessed one large bank whose VP of Sales moved their CRM and informed IT after the fact. This happens more than you may think and points to the diminishing power of the CIO to prevent it. To make matters more confusing, organizations have become more project driven, changing staff and organizational structure as projects are stood up and torn down. This is reflected in the people organizations employ or contract to get the job done. Instead of full time equivalents (FTEs), organizations are likely to engage a spectrum of project staff including FTEs, temp-to-perm, long-term contractors, short-term staff augmentation, offshore, etc. Your challenge is to understand the organizational changes happening around you and adapt to provide sound security recommendations to the appropriate project at the right time. You will have to become even more savvy about the organization, keeping your ear to the ground and maintaining informal contacts outside your group to pick up on macro changes that will affect your security team.

Organizations are Going Faster – Your Job is to Keep Up!

Unless you work for an organization that doesn’t build software internally, you are likely aware of how DevOps and Agile are changing your world. Security, specifically application security, is not remotely close to being solved for the reasons I’ve outlined above (sophistication of the threat and change within the organization). Yet organizations are pushing to build software and deploy systems at a much faster tempo, implementing the concepts outlined in Continuous Integration/Continuous Deployment (CI/CD). Competition and a variety of other compelling reasons are driving this, but understand that IT and security are both on the receiving end of this trend. The bad news is that you will have to understand your application development and deployment strategies better and get up to speed on CI/CD concepts and technologies. The good news is that you might have the opportunity to architect application vulnerability testing into the CI/CD process, which allows you to get upstream of many of the thorniest application vulnerabilities. Dan Cornell’s piece about CI/CD and security is a great starting place for understanding how to build security into the CI/CD process. You will most certainly have to pick up new skill sets involving DevOps and Agile as organizations move towards a faster deployment schedule. The move provides certain opportunities and pitfalls that will likely determine how security is implemented in your organization.

Cybersecurity Will Become More Mainstream – Your Job is to Explain Security in Layman’s Terms

From news reports on election hacking to the latest breach story, cybersecurity has no doubt gone mainstream. I accept this fact, even if I refuse to call it “cyber” like most purists. Although cybersecurity has become more central to business, non-practitioners still struggle to understand key concepts of the security world. I think cybersecurity will one day be a core skill set of most business managers, but until then, your role will continue to be looking for metaphors to explain technical security concepts in ways non-technical folks can understand. I’ve found that some of the best security pros out there can put technical security concepts in layman’s – or business – terms, and do so with the greatest of ease. When executives ask “why don’t we just hack them back?” you will be called on to lay out why it’s not a great idea to do so, and do so in a convincing way. As a security professional you will become “Explainer-in-Chief” if you’re not that already. It’s great to be loved though…

These are four observations that we offer up that we see affecting our clients, from the largest and most sophisticated to the smallest and least security savvy. Much of what we’ve observed is echoed by analysts like Gartner and will likely only gain momentum given the competitive pressures 2017 will bring. But then again, I could be completely wrong, and like the AV vendor predicting malware on mobile devices, deeply affected by my own experiences in the consulting trenches. Regardless, good luck in 2017, which will likely be even trickier than 2016!

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years’ hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.