
Where we’ve been. Where we’re going.

Discussion in 'CSO' started by RSS, Dec 15, 2015.


    As we wind down 2015 I think it’s a good time to throw my two cents into the morass of all the other “end of year recaps” and “next year predictions”. From where I sit, this is what I observed, and this is what I think we’ll see in the future.

    Looking back at 2015

    1. Rise of the Board - Years after the National Association of Corporate Directors issued guidance that cybersecurity needs to be on the agenda of every Board of Directors meeting, Boards finally began to take cyber-risk as seriously as they should have been all along. This was by no means universal, though, as many boards still struggle to understand why they should be concerned about information security.
    2. The CISO comes into his/her own – After many years of struggling, it seems that CISOs are finally beginning to wield some real influence within their organization. While small past examples have been successful, the CSO’s greater interaction with the Board and the CEO is driving broader respect throughout the enterprise.
    3. The role of government & regulators changed…sort of – for a decade, government and industry regulation have been the primary driving force behind a business’ investment in information security. In 2015 that really began to change. A litany of breaches over the past 48 months led Boards to realize that cyber incidents can have a real, negative impact on their business and their business’ reputations. Pair this with the evolving legal theory of strict liability for Board members for intentionally neglecting due care of data and information, and things really began to chug along.
      1. At the same time we watched some evolving legal and government cases in which regulators’ over-reach was curtailed…particularly at the FTC. For years the FTC has been running roughshod over businesses, operating on a sketchy legal theory that they can punish businesses who do not exercise due care in the protection of customer or employee data. Some have postulated that their drive to force businesses to enter into 20-year consent decrees are about developing a legal precedent for further regulation on their part. But in November, in the case of LabMD (a Georgia-based medical testing company), the FTC was sharply rebuked by their own lead administrative judge, for their specious actions, which ultimately resulted in LabMD’s demise after an eight-year battle with FTC lawyers.
      2. After years of posturing, the U.S. House of Representatives finally passed their version of the Cybersecurity Information Sharing Act (CISA). Where it will go in the Senate is uncertain, and for the most part there has been muted support for the bill in the information security industry, but at least there is some action on Capitol Hill.
      3. Also on Capitol Hill, we saw the latest attempt by a U.S. Senator to generate some noise for himself by making some noise around cybersecurity. In December, U.S. Senator Ed Markey (D-MA) sent a letter to the major U.S. airlines and commercial aircraft manufacturers demanding details about how they address information security. I expect the Senator to be listening to a lot of crickets as he waits for their responses.
    4. The emergence of big data in security – 2015 was the year that every vendor who could, got on the bandwagon and began to offer solutions that would leverage big data tools to mine the mountain of log data for behavioral indicators of risky cyber behavior. This is one of my personal favorite technologies that we can expect to roll on into 2016.
    5. The game changers – all those breaches and near breaches were really shaken up in 2015 by four big security breaches that got everyone thinking differently about the problem.
      1. The Sony Pictures breach wasn’t about PII or PHI. It wasn’t about extortion. It was about stealing soft IP and creating reputational damage…and it did a great job of that as CSOs across the world were barraged with the question from their Boards, “how do we not be the next Sony Pictures?”
      2. The U.S. Office of Personnel Management (OPM) attack stole the background examination data of millions of individuals who have, or have had, clearances in the U.S.
      3. AshleyMadison – an example of how it’s not always about IP or credit card numbers. Not only will this breach likely put AshleyMadison.com out of business, but it also cost numerous individuals their jobs as businesses scoured the purloined database and began firing employees who used their corporate emails for their accounts.
      4. VTech – we still have to see the fallout from this one, but the idea of someone having all this data on our kids has a lot of parents worried and regulators foaming at the mouth.
    6. Chip & signature comes to the U.S. – promising to be the solution to credit card fraud, it has seen only marginal adoption at U.S. retailers despite an October deadline for adoption. As one retail CSO told me, “we’ll adopt it when it makes financial sense.”
    7. Where are all the security professionals? – this one will continue to be a problem for decades to come as massive and growing demand will continue to be met by significant shortages. Universities aren’t producing enough security professionals, in part because student interest in this space is low coupled with poor communication to students about how good a career in security can be, given high demand and skyrocketing salaries.
    8. The ugly re-emergence of shadow IT – while we thought this one was banished years ago, like all good IT trends, shadow IT has returned with a vengeance. Fueled by cloud offerings and easy-to-implement solutions, HR and Marketing departments are embracing outside solutions despite significant security risks.

    Looking ahead to 2016
