Sizing Up Security in 2018: Predictions For Your Organization and Your (Former) Identity
In my role, I spend a lot of time looking at and thinking about technology trends, with a sharp focus on how security is reaching limits and breaking. This is what drives me as we build products to address market requirements. The whole reason Illumio exists is because I saw that firewalls are reaching limits and needed to be rethought in the age of the cloud.
As is tradition this time of year, I took some time to think about what has changed in 2017 and what that means for the year ahead. Some of the predictions are grounded in the reality of what's transpired and what we have learned, while others are more speculative and educated guesses based on the data we have.
I hope these predictions make you think and inspire you to be agents of change in your organization and across the industry, helping us, as vendors, define and shape solutions.
1. DevSecOps will shift from a democratic model to a republic.
The shift of control from the ministry of security (a.k.a. the department of "no") to the model where the developer can do anything and everything was an overcorrection. It has also introduced unacceptable risk to the business.
While it’s important that development, security, and operations all work together, next year we will realize this should not be a democratizing movement, but rather more of a republic model.
Developers need to bring their agile development processes and requirements to the table, and security teams need to bring their security expertise. While these teams have to work together in new ways, ultimately, security teams are responsible for doing the right thing. Because, as we all know, there really is no single person who represents all components of DevSecOps equally. It’s all about working across teams with a common language and a common goal, where the expertise of all members is needed, and each contingent is valued for their diverse and expert opinions.
2. Our exposed PII will come back to bite us.
Personally Identifiable Information (PII) is no longer valid since so much of it has been exposed in breaches over recent years. Everyone needs to acknowledge that they have been breached and are vulnerable, and that attackers have more of our personal information than ever before. As a result, we will start to see new types of attacks that leverage the rich amount of PII that is publicly available. Given the huge pool of PII data collected, it could be weaponized to cause massive attacks on major entities (e.g., government, financials, healthcare systems).
The rich data that attackers have on individual users could create uniquely sophisticated phishing/social engineering attacks that are undetectable and indistinguishable from the real thing — life takeover will be a possibility.
3. The market will realize security needs to be comprehensive and that requires a cultural shift.
Organizations are just coming to terms with the fact that security starts at the top and responsibility extends across the entire organization. Breaches are not due to one or a handful of individuals, or even a specific set of policies, and you can’t point to a scapegoat or a single chain of events as the root cause. These days, everyone in the organization plays a role in security. There is no such thing as a bad apple — it’s a bad barrel.
Organizations must realize that security must be a component of corporate culture and, in order to make that a priority, it must come from the top down.
4. AI security vendors will need to shift from technology to results.
Vendors touting AI will finally realize that customers want to see results and not just flashy marketing. Companies selling AI-powered products will need to find a way to start showing results in a quantifiable way and not simply pitch their solution.
Those that do this will be leaders in the industry.
5. There will be an increasing desire to quantify risk.
We are starting to see the shift from qualitative risk measurements to quantitative.
IT teams are under more scrutiny and, therefore, need to show the return or effectiveness of their activities to answer questions about how security dollars are being spent and what their impact is on the overall security of the organization.
This is especially true as we move from a reactive model to a proactive model for security.
6. Some security "best practices" will show up in the dead pool.
New deployment models like cloud and containers will cause organizations to give up on patch management as a security control — replacing updated VMs or containers is much easier than patching in place.
Those same dynamic and distributed deployment models make chokepoint firewalls, or those that rely on traffic steering, lose favor to rising micro-segmentation controls that provide security enforcement as dynamic as the environments they support.
I’d love to hear your stories about how your experience aligns with my predictions. Please share thoughts or questions by replying to @illumio.