Faced with ever larger data breaches and a shifting technology and cultural landscape driven by digital transformation, boards and the executive suite started paying more attention to security in 2016 than ever before.
Here are our picks for the most significant security trends in 2016, as illustrated in 15 stories from the past year.
1. Security and digital transformation
New technologies and business practices made their presence felt in 2016. The cloud, mobile, data analytics and the internet of things (IoT) all changed and continue to change business models, processes and culture, and the security function is struggling to keep up.
Like mobile and cloud, blockchain — first implemented in the original source code of bitcoin in 2009 — stands poised to profoundly disrupt business. If it lives up to its promise, it won't just be financial institutions that are disrupted.
By providing a way to record transactions as automated trusted activity among digitally networked peers, blockchain technology could increase cybersecurity and reduce or eliminate the roles of trusted intermediaries or centralized authorities in industry after industry.
DevOps is all about agility — rapid releases, automation and continuous integration and deployment. Most analysts are betting that it will be the new normal in software development within a few years. But constantly changing code, updating features and adding new capabilities also means more chances to introduce bugs or miss vulnerabilities, unless your security practice is set up with DevOps in mind.
Any time a company shares data or provides access to third parties, it increases its vulnerability to unauthorized access or breach. In today's IT environment, in which enterprises partner with multiple IT service providers, who in turn may have multiple subcontractors, cyber risks increase exponentially. IT outsourcing customers must take greater care in building cyber-risk protection into their IT services and cloud computing deals.
Digital transformation initiatives bear their own risks. In the race to stay relevant and gain competitive advantage, many organizations are consulting their security teams too late in the process to allow them to have a meaningful impact on digital transformation projects.
For years, organizations have been struggling to teach their employees security best practices in a way that actually has an impact. 2016 has been no exception. The threats posed by negligent insiders now top many security professionals' lists of security concerns, but even organizations that have data protection and privacy training programs in place aren't getting through to their employees.
Procrastination. Fidgeting. Biting your nails. These are all bad habits, but none so bad that they could bring a company to its knees. When it comes to security, however, some bad habits could be devastating, leaving your company vulnerable to hacks, data loss or theft or some similar type of security breach. The good news is that there are some simple steps IT can take to educate users on security best practices and make them part of the solution instead of the problem.
2. Security threats, trends and best practices
Given the changes organizations are undergoing as a result of digital transformation, it should come as no surprise that security professionals are doing their best to understand future security threats, trends and best practices.
The information security threat landscape is constantly evolving. In early 2016, the Information Security Forum (ISF) published its forward-looking view of the biggest security threats over a two-year period, ranging from leaks of sensitive data from IoT devices, to government-sponsored cyberattacks and a dramatic rethinking of cyber insurance as a result of large-scale data breaches.
While the ISF takes a high-level view of the security threat horizon, CIOs and CISOs also need to focus on the nitty-gritty details.
2016 also saw fraudsters up their game with a variant of phishing scams that began proliferating among enterprises. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.
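The whaling pattern described above (a message whose display name is a real executive but whose mailbox is not) is something a mail gateway can check for mechanically. The script below is an added example, not code from the article or from any vendor it cites; the company domain example.com, the executive roster and the three sample messages are all constructed for this illustration.

```python
"""Flag inbound mail that impersonates a named executive (whaling).

Added example; all names, domains and messages below are hypothetical.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # hypothetical company domain

# Hypothetical executive roster: normalized display name -> genuine mailbox
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Wording typical of payment-redirect requests (defensive heuristic only)
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)


def normalize_name(display):
    """Lower-case the display name and keep only letters, so 'Doe, Jane (CEO)'
    and 'jane doe' produce the same word set."""
    return re.sub(r"[^a-z ]", " ", display.lower()).split()


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(headers, body):
    """Return the list of reasons a message looks like executive impersonation.

    An empty list means none of the checks fired."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_tokens = set(normalize_name(display))

    # 1. Display name matches an executive but the mailbox is not theirs.
    impersonated = None
    for exec_name, exec_addr in EXECUTIVES.items():
        if set(exec_name.split()) <= name_tokens and addr != exec_addr:
            impersonated = exec_name
            reasons.append(f"display name matches {exec_name!r} but address is {addr}")
            break

    # 2. Impersonation from outside the company, noting lookalike domains.
    if impersonated and domain != INTERNAL_DOMAIN:
        dist = edit_distance(domain, INTERNAL_DOMAIN)
        note = f" (edit distance {dist} from {INTERNAL_DOMAIN})" if dist <= 2 else ""
        reasons.append(f"external sender domain {domain!r}{note}")

    # 3. Replies silently redirected to a different mailbox.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Money-movement language combined with an impersonated sender.
    if impersonated and PAYMENT_TERMS.search(body):
        reasons.append("payment language in body")
    return reasons


# Constructed sample traffic: one genuine executive mail, one whaling attempt,
# one ordinary external mail that mentions an invoice.
SAMPLE_MESSAGES = [
    ({"From": "Jane Doe <jane.doe@example.com>"},
     "Please see the attached board minutes."),
    ({"From": "Jane Doe <jane.doe@examp1e.com>",
      "Reply-To": "ceo.jane@webmail.invalid"},
     "I need you to process an urgent wire transfer today before the call."),
    ({"From": "Accounts Payable <ap@vendor.invalid>"},
     "Your invoice is attached."),
]


def triage(messages):
    """Run every sample through assess() and pair the From header with its findings."""
    return [(headers["From"], assess(headers, body)) for headers, body in messages]


if __name__ == "__main__":
    for sender, reasons in triage(SAMPLE_MESSAGES):
        print(sender, "->", reasons or "clean")
```

Only the second sample trips the checks (roster mismatch, a one-character lookalike domain, a divergent Reply-To and payment wording); the genuine executive mail and the vendor invoice come back clean. In a real gateway the roster would come from the directory and the payment-term list from finance, and a hit should route the message to a review queue rather than be silently dropped, since executives do occasionally write from personal accounts.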
Whether they identify as white hats, black hats or something in-between, a majority of hackers agree that no password is safe from them — or the government for that matter. Regardless of where they sit with respect to the law, hackers mostly agree that five key security measures can make it a lot harder to penetrate enterprise networks.
3. Hiring and retaining security professionals
It's been true for years: Security professionals are in high demand. Attracting them and retaining them is no easy task, and it's becoming increasingly difficult as boards and senior management are taking a renewed interest in the security function.
CISOs are hard to hire because there are far too few business executives with the right mix of business and technical chops. Also, companies aren't exactly sure how much they're willing to pay a CISO. The shortage of seasoned CISOs, inconsistent policies around compensation and a lack of proper metrics means some companies are under-investing in cybersecurity.
Data breaches, DDoS attacks, hacks and threats continue to dominate the headlines, so it's no surprise that some of the most in-demand IT jobs are in information security. And with a massive skills gap, companies are willing to pay handsomely for skilled security talent at all levels.
4. Cybersecurity inertia
Even as security incidents gather headlines and organizations pay more heed to security at the highest levels, some things never change. Inertia means many organizations remain on the back foot when it comes to security.
The notion that hacked companies are underinvesting in cybersecurity defies logic until you understand that most CIOs are told to prioritize innovation over risk mitigation. Companies grappling with digital transformations are racing to find their own Pokémon Go. CEOs laser-focused on growing the business are loath to slow down to reduce risk. Ultimately, cybersecurity fails to become the imperative that it should be.
The rise of mobile in the enterprise has led many CIOs to become concerned about the potential for data loss due to a lost or stolen device — phones, laptops and the like lost in taxis, restaurants and hotel rooms. But CIOs also need to spend more time focusing on the office itself.
The likelihood that companies will experience a security incident continues to rise every year. The good news is that most organizations have put a data breach preparedness plan in place to combat such incidents. The bad news is that most executives aren't updating or practicing the plan regularly.