As we wind down 2015 I think it’s a good time to throw my two cents into the morass of all the other “end of year recaps” and “next year predictions”. From where I sit, this is what I observed, and this is what I think we’ll see in the future.
Looking back at 2015
- Rise of the Board - Years after the National Association of Corporate Directors issued guidance that cybersecurity needs to be on the agenda of every Board of Directors meeting, Boards finally began to take cyber-risk as seriously as they should have all along. This was by no means universal, though: many boards still struggle to understand why they should be concerned about information security.
- The CISO comes into his/her own – After many years of struggling, it seems that CISOs are finally beginning to wield some real influence within their organizations. While there have been isolated successes in the past, the CSO's greater interaction with the Board and the CEO is now driving broader respect throughout the enterprise.
- The role of government & regulators changed…sort of – For a decade, government and industry regulation have been the primary driving force behind a business's investment in information security. In 2015 that really began to change. A litany of breaches over the past 48 months led Boards to realize that cyber incidents can have a real, negative impact on their business and its reputation. Pair this with the evolving legal theory of strict liability for Board members who intentionally neglect due care of data and information, and things really began to chug along.
- At the same time we watched some evolving legal and government cases in which regulators' over-reach was curtailed…particularly at the FTC. For years the FTC has been running roughshod over businesses, operating on a sketchy legal theory that it can punish businesses that do not exercise due care in the protection of customer or employee data. Some have postulated that its drive to force businesses into 20-year consent decrees is about developing legal precedent for further regulation on its part. But in November, in the case of LabMD (a Georgia-based medical testing company), the FTC was sharply rebuked by its own chief administrative law judge for its specious actions, which ultimately resulted in LabMD's demise after an eight-year battle with FTC lawyers.
- After years of posturing, the U.S. House of Representatives finally passed their version of the Cybersecurity Information Sharing Act (CISA). Where it will go in the Senate is uncertain, and for the most part there has been muted support for the bill in the information security industry, but at least there is some action on Capitol Hill.
- Also on Capitol Hill, we saw the latest attempt by a U.S. Senator to generate some attention for himself by making noise around cybersecurity. In December, U.S. Senator Ed Markey (D-MA) sent a letter to the major U.S. airlines and commercial aircraft manufacturers demanding details about how they address information security. I expect the Senator to be listening to a lot of crickets as he waits for their responses.
- The emergence of big data in security – 2015 was the year that every vendor who could got on the bandwagon and began to offer solutions that leverage big data tools to mine the mountain of log data for behavioral indicators of risky activity: logins at unusual hours or from unfamiliar locations, bursts of failed authentications, and the like. This is one of my personal favorite technologies, and we can expect it to roll on into 2016.
- The game changers – the steady stream of breaches and near-breaches was overshadowed in 2015 by four big security breaches that got everyone thinking differently about the problem:
- The Sony Pictures breach wasn't about PII or PHI. It wasn't about extortion. It was about stealing soft IP and creating reputational damage…and it did a great job of that, as CSOs across the world were barraged with the question from their Boards: "how do we not be the next Sony Pictures?"
- The U.S. Office of Personnel Management (OPM) attack stole the background examination data of millions of individuals who have, or have had, clearances in the U.S.
- AshleyMadison – an example of how it's not always about IP or credit card numbers. Not only has this breach likely put AshleyMadison.com out of business, but it also cost numerous individuals their jobs as businesses scoured the purloined database and began firing employees who had used their corporate email addresses for their accounts.
- VTech – we have yet to see the fallout from this one, but the idea of someone holding all this data on our kids has a lot of parents worried and regulators foaming at the mouth.
- Chip & signature comes to the U.S. – promising to curb counterfeit-card fraud at the point of sale, it has seen only marginal adoption at U.S. retailers despite the October liability-shift deadline. As one retail CSO told me, "we'll adopt it when it makes financial sense."
- Where are all the security professionals? – this one will continue to be a problem for decades to come, as massive and growing demand continues to be met by significant shortages. Universities aren't producing enough security professionals, in part because student interest in this space is low, coupled with poor communication to students about how good a career in security can be given the high demand and skyrocketing salaries.
- The ugly re-emergence of shadow IT – while we thought this one had been banished years ago, like all good IT trends, shadow IT has returned with a vengeance. Fueled by cloud offerings and easy-to-implement solutions, HR and Marketing departments are embracing outside solutions despite significant security risks.
Looking ahead to 2016
- Big data analytics take hold – one of my favorite new applications of technology. Security solution providers are now coming to market with some great tools to help boil all that data we've been collecting down into actionable intelligence. As these solutions become more affordable they show real promise in helping enterprises prevent breaches or shorten their time to response.
- Staffing continues to be a major problem – one of my top issues for the past decade shows no sign of abating anytime soon. As a result, CSOs continue to look for solutions that will help them to mitigate that risk – security systems that automate their operation as much as possible and that integrate well with existing solutions. Lacking these, and in some cases in partnership with these, businesses will turn increasingly to Managed Services to cover what they struggle to staff internally.
- The CSO and the CIO get divorced, but are still “friends” – in 2016 we’ll continue to see IT security move out from under the shadow of the CIO. Dotted line relationships will continue but when even longtime holdouts, like the financial services industry, are forced to recognize segregation of duties per new rules from the FFIEC, I expect we’ll see this shift continue to gain momentum.
- The CSO & CIO moving towards an inflection point – following on the heels of the previous point, I think we will continue to head in a direction where the CSO wields increasing influence, on par with the CIO. Since 2008 the CIO's role has been evolving as they seek to tame the IT beast (and its insatiable appetite for budget). For the CSO, regulatory affairs and media attention will continue to drive share-of-mind with senior leadership, resulting in increasing influence.
- The Board – the Board of Directors will continue their laser focus on security and IT risk moving through 2016. Directors' realization of the significant downside from security incidents continues to fuel their angst and will likely continue to push these concerns from Fortune 100 Boards down to even SMBs.
- Pushback against the regulators – on the one hand, Wyndham captured the press in 2015 with its revolt against greedy regulators at the U.S. Federal Trade Commission (although in the end it ended up capitulating to a 20-year consent agreement). But towards the end of 2015 we saw two cases that give hope that rational thought may actually be alive in Washington, and that we can expect to see more of this in 2016:
- LabMD finally beat the FTC in the FTC’s own administrative courts. In fact, the judge in the case excoriated the FTC for the entire action they brought against LabMD and the methods they used to punish a breach that never occurred.
- The Consumer Financial Protection Bureau (CFPB) went after car loan companies for using computer models to determine credit worthiness, and then sued the companies for racial bias where, in fact, none existed. Turns out the CFPB was using their own, flawed computer models.
- CyberTerrorism emerges – I hate to say it, but I think we will see at least one successful cyber attack against critical infrastructure – or a physical attack against a cyber target – in 2016. Everything is far too weak, we're taking too long to secure what we have, and the targets are just too appealing to be overlooked.
- Data retention becomes an even bigger problem – all that data. Every system produces tons of it, and like navel lint, businesses can't help examining it over and over to glean some nugget of value from it. But the cost of storing that data, the requirements to support the systems that hold it, and the exposure that comes from keeping it (data you no longer hold cannot be breached) all point to increasing corporate liability over time.
- The corporate productivity burden – businesses have struggled to grasp the true impact of security incidents. Reputational risk is difficult to translate into dollars & cents. But when a security incident happens what is the impact on corporate productivity when you have to pull staff from IT security, IT, legal, communications, etc. to spend days, weeks or months on response?
- Mobile device risk finally comes to the U.S. – Many CSOs have been scratching their heads for years wondering how we've been so fortunate, here in the U.S., to avoid significant attacks targeting mobile devices. Look for that to change in 2016, as the problems the rest of the world has been facing come to the U.S.
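Reading "behavioral indicators" out of log data, as the big data analytics item above and the big data item in the 2015 list describe, comes down to baselining what each account normally does and scoring new events against that baseline. The following is an added example, not the author's code or any vendor's product: it builds per-user profiles (known source addresses, usual hours of day) from a constructed set of authentication log lines, then flags logins from unfamiliar sources, logins at unusual hours, bursts of failures, and first-seen accounts. The log format, user names, addresses and the five-failure threshold are all assumed for the illustration.

```python
"""Behavioural baselining over authentication logs.

Added illustration; not the author's code or any vendor's product. The log
format, user names, addresses and thresholds below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> user=<name> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed training period: what "normal" looks like for each user.
BASELINE_LINES = [
    "2015-11-02T09:12:03 user=alice src=10.0.0.5 result=success",
    "2015-11-03T10:01:44 user=alice src=10.0.0.5 result=success",
    "2015-11-04T14:30:12 user=alice src=10.0.0.5 result=success",
    "2015-11-02T08:05:10 user=bob src=10.0.0.9 result=success",
    "2015-11-03T17:45:51 user=bob src=10.0.0.9 result=success",
]

# Constructed events to score against that baseline (last line is deliberately malformed).
NEW_LINES = [
    "2015-12-01T03:14:07 user=alice src=203.0.113.7 result=success",
    "2015-12-01T08:00:01 user=bob src=198.51.100.4 result=failure",
    "2015-12-01T08:00:02 user=bob src=198.51.100.4 result=failure",
    "2015-12-01T08:00:03 user=bob src=198.51.100.4 result=failure",
    "2015-12-01T08:00:04 user=bob src=198.51.100.4 result=failure",
    "2015-12-01T08:00:05 user=bob src=198.51.100.4 result=failure",
    "2015-12-01T08:10:00 user=bob src=10.0.0.9 result=success",
    "2015-12-01T11:00:00 user=carol src=192.0.2.10 result=success",
    "this line is garbage and must be skipped",
]


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def build_baseline(events):
    """Per user: the source addresses and hours of day seen in successful logins."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            base[e["user"]]["srcs"].add(e["src"])
            base[e["user"]]["hours"].add(e["ts"].hour)
    return dict(base)


def score(events, baseline, fail_threshold=5):
    """Return (user, indicator, detail) tuples for events that deviate from baseline."""
    findings = []
    failures = defaultdict(int)  # cumulative failure count per (user, src)
    for e in events:
        user, src, hour = e["user"], e["src"], e["ts"].hour
        if e["result"] == "failure":
            failures[(user, src)] += 1
            # Report once, when the threshold is reached, not on every further failure.
            if failures[(user, src)] == fail_threshold:
                findings.append((user, "brute_force", f"{fail_threshold} failures from {src}"))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown_user", f"first success ever, from {src}"))
            continue
        if src not in profile["srcs"]:
            findings.append((user, "new_source", src))
        if hour not in profile["hours"]:
            findings.append((user, "unusual_hour", f"{hour:02d}:00"))
    return findings


def run_demo():
    """Build the baseline from the training lines and score the new lines against it."""
    baseline = build_baseline(parse(BASELINE_LINES))
    return score(parse(NEW_LINES), baseline)


if __name__ == "__main__":
    for user, indicator, detail in run_demo():
        print(f"{user:6} {indicator:13} {detail}")
```

Run as-is it reports alice logging in from a new address at an unusual hour, a five-failure burst against bob from one source, and a first-ever success for carol, while bob's normal morning login from his usual address produces nothing. A production system would baseline over weeks rather than three samples, treat hours statistically rather than as an exact set, and feed findings into a case tool, but the structure is the same: parse, profile, compare.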