It is important and difficult to stay current with relevant issues in our industry. Cybersecurity is furiously changing, fast in its pace, and rising in global importance. Professionals must not only keep abreast of what is happening today, but also what is emerging on the horizon and heading our direction. Security becomes stronger when professionals collectively explore ideas and actively collaborate on developing better practices. As a cybersecurity strategist, my eyes are fixed on the future risks and opportunities. Here is my list of what we all must be learning, discussing, and deliberating about now, so we can be prepared for what lies ahead.
Integrity Attacks will Rise to be the Next Wave in Cyber
One constant in cybersecurity is the continual rise in sophistication and creativity of the threats. We are seeing the beginnings of a fundamental expansion to attacker’s techniques. Integrity compromises will rise and join the more familiar Confidentiality (ex. Data Breach) and Availability (ex. Denial-of-Service) attacks. Integrity attacks undermine the trust of transactions and communications. Ransomware, Business Email Scams, and financial transaction fraud, are all growing examples of integrity compromises. This third-wave will drive significantly greater impacts due to their nature, the lack of available security tools, and weak processes to manage the risks. We are already witnessing savvy attackers making hundreds of millions of dollars in a single campaign and will likely see a billion dollar heist by the end of the year. Everyone is at risk.
• $2.3 Billion Lost to CEO Email Scams: FBI Warns of Dramatic Increase in Business E-Mail Scams
• Bangladesh Bank Hack: How a hacker's typo helped stop a billion dollar bank heist
IoT Security: Where Digital Life-Safety and Privacy Issues meets Consumers
Our insatiable desire to integrate technology with our lives is changing the equation of security and safety. With the growth of the Internet of Things (IoT) devices going from 15 billion to 200 billion by 2020 and the focus by attackers to get more access to critical capabilities, we may be unwittingly handing life-safety controls to the cyber threats. Such devices capture our conversations, video, health, activities, location, conversations, relationship connections, interests, and lifestyle. Will personal discretion and privacy survive?
IoT security is a huge and complex topic in the industry, earning the attention of everyone from researchers to mainstream media. Although transportation, healthcare, critical infrastructure, and drones are capturing most of the interest, connected devices and sensors are destined to be interwoven throughout businesses and across all walks of life. The benefits will be tremendous, as will the accompanying risks.
• Growth of global IoT Security Market To Exhibit 55% CAGR As Threat Of Security Breaches Rises
Why Ransomware will become the next scourge of security
The rise of ransomware is phenomenal, fleecing hundreds of millions of dollars from consumers, businesses, and even government agencies. This financial windfall for cyber criminals will fuel continued innovation, creativity, and persistence to victimize as many people as possible. It has found a soft spot, taking advantage of human frailties while targeting something of meaningful value to the victim, then offering remediation at an acceptable price point. This form of extortion is maturing quickly, exhibiting a high level of professional management, coding, and services. Ransomware is proving very scalable and difficult to undermine. It will surely continue because it is successful. Can it be stopped? How can everyday people and businesses protect themselves? Will security solutions rally? What will we see next in the rapid evolution of ransomware?
• Cyber Threat Alliance report: Lucrative Ransomware Attacks - Analysis of the CryptoWall Version 3
• US Computer Emergency Readiness Team: Ransomware and Recent Variants
What are the Hidden Long Term Impacts of Cybersecurity?
The industry looks at cybersecurity as a series of never ending tactical issues to be individually addressed. This is a symptomatic perspective, when the reality is a systemic problem. The real impacts of the future are hidden from view and are staggering. It is time we mature our perspectives and see the strategic problem and opportunities. Estimates range from $3 trillion to $90 trillion dollars of global economic impact by 2030. We as a community must understand the scale of the challenges and how addressing security in a tactical manner is simply not sustainable. This is becoming a deep intellectual discussion topic among cyber strategists. How do we change the mindset from short-term expensive fixes to a long-term effective treatment at a holistic level across the ecosystem?
The Battle for Security Leads to the Hardware
As attackers evolve, they get stronger, smarter, and more resourceful. It has become a cat-and-mouse game between the threats and the pursuing security capabilities. The trend is for attackers to move further down the technology stack. Each successively lower lever affords more control and the ability to hide from the security above. The most advantageous position is in the hardware, where the root-of-trust originates. The race is on. Advanced researchers and attackers are looking to outmaneuver security by compromising hardware and firmware of devices.
Traditional defensive structures must also advance to meet the new challenges. Security features embedded or enhanced by hardware can be incredibly powerful to support effective defenses and visibility, even against the most advanced attacker. Control of hardware and firmware will play an ever greater role in protecting technology and users. Who will win?
Job Crisis in Cybersecurity
Cybersecurity is in dire straits. There is not enough talented security professionals to fill the need. In a few years, there will be an estimated 1 ½-2 million unfilled cybersecurity positions. This will have a catastrophic effect on securing people and technology. Organizations have two problems; finding candidates to fill open positions and retaining the professionals they currently have from lucrative competitive offers. The disparity between supply and growing demand drives up salaries, spurs aggressive headhunting, increases the costs of security operations, limits the overall comprehensiveness of shorthanded teams, and artificially extends the windows of opportunity for attackers. It’s like trying to play competitive soccer without a full team in the field.
The best way to correct the problem is to address the supply side of the equation. More cybersecurity professionals are needed. Long term, only academia can save cybersecurity and they are struggling to retool, to sufficiently prepare the next generation of security professionals. Until then, this problem will affect every organization who needs security staff, potentially for years to come, and may drive up the use of Managed Security Service Providers (MSSP’s).
• Job Market Intelligence: Cybersecurity Jobs 2015 report published by Burning Glass Technologies
Cybersecurity Predictions for 2016
A slew of expert predictions is now available from a variety of sources. They typically come out by the end of the first quarter and although some are better than others, all of them provide perspectives for 2016 and beyond. Peering into the future of cybersecurity provides valuable insights around the challenges and opportunities. The industry is changing rapidly and attackers seem to always be one step ahead. Take advantage of what the experts are taking about, but beware some are trying to sell you their wares. Understand how anticipated trends will affect your organization, customers, and partners in the industry. Plan how you can adapt to find a sustainable balance in managing the security of computing capabilities and technology.
How versed are you in these topics? I believe they will have far reaching repercussions and every cybersecurity professional should understand these areas. Those who benefit from the insights of the future, can be better prepared to adapt to the changes.