Will 2015 be the year of risk-based security?
As 2014 comes to a close, many of us are beginning to look ahead at the expected trends for the coming year. For those of us in cybersecurity who are at the forefront of protecting organizations from an increasingly dynamic threat landscape and the harsh realities of cybercrime, placing big bets and declaring predictions regarding what we will see in 2015 has become both sport and tradition.
Given that we are now in a world where attacks are increasingly profit-driven, sophisticated efforts controlled by well-funded organized crime and nation states, it’s safe to suggest that the new year will bring many unforeseen and elaborate attack types.
In the course of my own inquiry regarding what the future will hold, I reviewed Gartner’s list of the Top 10 Strategic Technology Trends for 2015. Interestingly enough, security is foundational for ensuring the successful adoption of the trends and themes Gartner expects to be big disruptors over the next three years.
One trend on Gartner’s list that caught my eye is the idea of “Risk-Based Security and Self-Protection.” Below are a few highlights from the concept Gartner outlined that I found most compelling:
- “In a digital business world, security cannot be a roadblock that stops all progress.”
- “Organizations will increasingly recognize that it is not possible to provide a 100 percent secured environment.”
- “Perimeters and firewalls are no longer enough; every app needs to be self-aware and self-protecting.”
While it may be a stretch to assert that we’re moving towards fully automated networks, several of the points Gartner makes are true today and are among the reasons for mounting concern about cybersecurity at the senior and executive board level.
For quite some time, I have encouraged security practitioners to embrace the reality that it is no longer a matter of if their organization will be attacked but a matter of when. The motives and persistence of attackers have increased, along with their understanding of classic security technologies and applications. Attackers are relentless in driving attacks home and will frequently use tools that have been developed specifically to circumvent their target’s infrastructure.
These challenges will only increase in severity as more organizations adopt new business models related to the Internet of Things (IoT) and the Internet of Everything (IoE). Today there are 10 billion connected devices, but that number is expected to grow exponentially—exceeding 50 billion sensors, objects, and other connected “things” by the year 2020. Cisco estimates that the IoE will create $19 trillion in Value at Stake (net profits) globally over the next decade. Getting security right will be crucial in enabling both individuals and organizations to gain greater value from IoE and IoT.
With the picture I’ve painted regarding what’s in store for us in 2015, you’re probably wondering what strategies organizations can adopt to address these challenges and maintain a robust security posture as they get ready for the next wave of disruptive technologies.
The best place to start is with a security approach that is both threat-centric and operational, one that focuses on the threats themselves rather than only on the policies or controls. It must provide broad coverage across all potential attack vectors, rapidly adjust to and learn from new attack methods, and implement the intelligence back into the infrastructure after each attack.
This threat-centric security strategy must also tie back to business risk. Focusing on the threats to the business that really matter requires zooming in on the ones that have the most impact on the crown jewels: the application data. Since organizations face so many threats on a daily basis, concentrating energies on the threats that can do the most damage allows you to improve the effectiveness of security controls by expanding the use of automated, dynamic controls to block the most serious threats.
By adopting an approach that encompasses these attributes, you can reduce complexity and fragmentation, while gaining superior visibility and continuous control across the entire attack continuum—before, during and after an attack.
It will only be a matter of time before we know if Gartner’s predictions for next year will prove true. What is certain today and relevant for the foreseeable future is that there is no silver bullet in security and, no matter what strategies you adopt, attacks and breaches will happen. Security strategies must evolve and radically change to provide the levels of protection necessary to keep pace with the dynamic threat landscape and enable organizations to maintain a proper security posture.
The technologies necessary for staying ahead of sophisticated attacks are vastly improving, and you have a unique opportunity to move towards security approaches built on a foundation of visibility and extensive data collection that can see everything, learn through correlation and context, and apply controls dynamically.
I’m not sure how you feel about the future, but I’m looking forward to seeing how these bold predictions play out in 2015 and beyond.