As 2016 comes to a close, the time is right to look back at the year to reflect on those security lessons we learned and to identify emerging trends.
These tales from the trenches relate primarily to the challenges we continue to see organizations face as they position themselves for successful digital transformation. With greater adoption of cloud solutions, the Internet of Things (IoT), a proliferation of devices, and ever-expanding networks comes greater complexity in anticipating and responding to new threats. Malicious actors are taking advantage of this fact, as demonstrated by the surge in ransomware and other destructive malware in 2016. To excel securely in the digital economy, organizations need simpler, yet effective, security solutions that take advantage of the power of the network to detect and mitigate threats. We are making significant progress, but we have more work to do.
• Secure Digital Transformation Presents New Challenges - 2016 saw a growing trend of CEOs and CIOs recognizing that their information security teams must be actively engaged in the digital transformation of the business if they are to lead or support these initiatives effectively. Secure digital transformation requires a cultural change, not just for the organization, but for security as well. Slow, centralized governance structures and processes need to evolve to become more agile, and security architectures must be flexible enough to enable rapid changes to business processes and security requirements.
• Convergence in IT and OT Networks Requires Converged Governance - Enterprises are becoming aware of the expanding threat landscape due to IP-enabled access to industrial control systems or SCADA networks. While traditionally, these networks have been managed separately, all levels of executive management are now striving for better alignment between Information Technology (IT) and Operational Technology (OT) to gain an understanding of enterprise security risks and corporate priorities across both domains.
• Growth in Cloud and DevOps Leaves Security Trying to Catch Up - There has been a fast progression to DevOps for creating new systems and managing environments in machine time, yet many information security departments are still operating in human time and are often left playing catch up. Security governance must now extend beyond simple use of paper policy statements for protecting technologies from risk, with validation performed only once or twice a year. Adapting with the organization as it innovates and implementing more automation capabilities will allow security teams to stay ahead of the technology curve.
• Large Scale Evolution in Security Architecture and Segmentation - Global enterprises are driving towards “segmentation” because of audit findings, compliance requirements, or a desire to minimize the impact of East-West attacks such as ransomware and other malware that moves laterally across the network. However, many organizations know that the legacy approach of placing fixed firewalls into a network to isolate VLANs is neither effective nor practical. Without additional control definition, isolation on its own does not provide holistic protection. Many enterprises are rethinking their network security architecture to provide a comprehensive security segmentation plan that defines controls for identity/trust, policy enforcement, isolation, visibility, and resilience, and applies those controls flexibly based on data classification and policy requirements.
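To make the "isolation alone is not enough" point concrete, here is an added illustration (not code from the original post or from any vendor product) of a segmentation policy that combines the controls listed above: a default-deny allow-list for policy enforcement, an identity/trust requirement on rules that reach restricted data, a policy audit that flags isolation-only rules into restricted segments, and a visibility hook that surfaces denied East-West flows. Segment names, classifications, ports and the flows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed segment inventory (hypothetical names): segment -> data classification.
SEGMENTS: Dict[str, str] = {
    "user-workstations": "internal",
    "web-tier": "internal",
    "app-tier": "confidential",
    "db-tier": "restricted",
    "ot-scada": "restricted",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    require_trusted_identity: bool = False  # e.g. mTLS client cert or verified device posture


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    identity_trusted: bool  # whether the source presented a verified identity


# Explicit allow-list (constructed). Anything not listed is denied.
# The last rule is deliberately isolation-only so audit_policy() has something to flag.
POLICY: List[Rule] = [
    Rule("user-workstations", "web-tier", 443),
    Rule("web-tier", "app-tier", 8443),
    Rule("app-tier", "db-tier", 5432, require_trusted_identity=True),
    Rule("user-workstations", "ot-scada", 502),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Policy enforcement: return (decision, reason) for one inter-segment flow, default deny."""
    if flow.src not in SEGMENTS or flow.dst not in SEGMENTS:
        return "deny", "unknown segment"
    for rule in policy:
        if (rule.src, rule.dst, rule.port) == (flow.src, flow.dst, flow.port):
            if rule.require_trusted_identity and not flow.identity_trusted:
                return "deny", "rule requires trusted identity"
            return "allow", f"matched {rule.src}->{rule.dst}:{rule.port}"
    return "deny", "no matching rule (default deny)"


def audit_policy(policy: List[Rule] = POLICY) -> List[Rule]:
    """Identity/trust control check: rules that reach a 'restricted' segment while relying
    on isolation alone (the fixed-firewall-per-VLAN approach) are reported as gaps."""
    return [r for r in policy
            if SEGMENTS.get(r.dst) == "restricted" and not r.require_trusted_identity]


def lateral_denials(flows: List[Flow]) -> List[Flow]:
    """Visibility control: denied flows between two different segments of the same
    classification, i.e. the East-West pattern that lateral-moving malware produces."""
    return [f for f in flows
            if f.src in SEGMENTS and f.dst in SEGMENTS
            and f.src != f.dst and SEGMENTS[f.src] == SEGMENTS[f.dst]
            and evaluate(f)[0] == "deny"]


if __name__ == "__main__":
    sample = [
        Flow("user-workstations", "web-tier", 443, False),
        Flow("web-tier", "user-workstations", 445, False),  # SMB back towards workstations
        Flow("app-tier", "db-tier", 5432, False),
        Flow("app-tier", "db-tier", 5432, True),
    ]
    for f in sample:
        print(f"{f.src} -> {f.dst}:{f.port} identity_trusted={f.identity_trusted} => {evaluate(f)}")
    print("policy gaps:", audit_policy())
    print("east-west denials:", lateral_denials(sample))
```

The audit is the part worth keeping: a policy that is syntactically valid and enforces isolation can still leave a restricted segment reachable on nothing more than a source VLAN, which is exactly the gap the paragraph describes.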
• Measuring Security Effectiveness - As enterprise IT environments shift from investigating alerts to proactively finding bad actors, they need a different set of threat detection and response tools and expertise. Unfortunately, security teams often struggle to aggregate and understand security event and telemetry information from their infrastructure with speed, accuracy, and focus. Overwhelming data and the inability to ingest the information effectively slows the time it takes to detect and confirm a threat.
Organizations at the forefront of digital transformation recognize that, instead of just measuring the number of blocked threats, time to detection is the real indicator of security effectiveness, because it determines how quickly an attack can be contained and remediated. Understanding the value of what must be protected, along with a methodology for quantifying gains and losses, can generate significant business metrics to help understand the successes and failures of digital initiatives.
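Time to detection only becomes a metric once it is defined against the incident timeline. The following added example (not from the original post) computes it the way a post-incident review would: the gap between the earliest malicious activity reconstructed during the investigation and the moment the alert that opened the incident was raised, summarised as mean, median and worst case. The incident records are constructed for the example; the consistency check rejects records whose detection time precedes the first activity, a common data-entry error that would otherwise silently improve the numbers.

```python
from datetime import datetime, timezone
from statistics import mean, median
from typing import Dict, List

# Constructed incident records (not real data). Timestamps are ISO-8601 UTC.
#   first_activity: earliest malicious event found in retrospect during the investigation
#   detected_at:    when the SOC raised the alert that opened the incident
INCIDENTS: List[Dict[str, str]] = [
    {"id": "INC-1", "first_activity": "2016-11-03T08:12:00Z", "detected_at": "2016-11-03T14:12:00Z"},
    {"id": "INC-2", "first_activity": "2016-11-10T22:00:00Z", "detected_at": "2016-11-12T10:00:00Z"},
    {"id": "INC-3", "first_activity": "2016-12-01T09:30:00Z", "detected_at": "2016-12-01T09:45:00Z"},
    {"id": "INC-4", "first_activity": "2016-12-05T00:00:00Z", "detected_at": "2016-12-09T00:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def time_to_detect_hours(incident: Dict[str, str]) -> float:
    """Hours between first malicious activity and detection for one incident."""
    first = parse_ts(incident["first_activity"])
    detected = parse_ts(incident["detected_at"])
    if detected < first:
        # Detection cannot precede the activity it detected; the timeline needs review.
        raise ValueError(f"{incident['id']}: detected_at precedes first_activity")
    return (detected - first).total_seconds() / 3600.0


def detection_metrics(incidents: List[Dict[str, str]]) -> Dict[str, float]:
    """Summarise time to detection across a set of incidents."""
    hours = [time_to_detect_hours(i) for i in incidents]
    return {
        "incidents": float(len(hours)),
        "mean_hours": mean(hours),
        "median_hours": median(hours),
        "max_hours": max(hours),
    }


def slowest_detections(incidents: List[Dict[str, str]], n: int = 2) -> List[str]:
    """IDs of the n incidents with the longest time to detection, worst first."""
    ranked = sorted(incidents, key=time_to_detect_hours, reverse=True)
    return [i["id"] for i in ranked[:n]]


if __name__ == "__main__":
    for key, value in detection_metrics(INCIDENTS).items():
        print(f"{key}: {value:.2f}")
    print("review first:", slowest_detections(INCIDENTS))
```

The median and the worst case tell different stories (here a 21-hour median alongside a four-day outlier), which is why a single average is a poor substitute for looking at the slowest detections individually.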
• Third-Party Risk: Distributed Application Management & Cloud Inventory Management - As more and more enterprises rely on third parties to host application components, they often lack a transparent view of those providers’ security posture. Enterprises simply assume that their “trusted” third parties will manage risk and compliance for them. Moreover, organizations are becoming heavily reliant on less visible third parties in the form of external APIs and code repositories to store their development code and/or software containers. Although the security of these may be somewhat visible, it tends to be an afterthought.
Even more rarely considered are the repositories that hold their current software and build dependencies. Very few organizations manage their own repositories for their build dependencies, instead relying on standard Internet-accessible repositories. These repositories are often not secured or are accessed via insecure protocols.
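A first step towards visibility over build dependencies is checking how they are fetched. The added example below (not from the original post) audits a Python requirements file for the three weaknesses the paragraph points at: an index reached over plaintext HTTP, packages not pinned to an exact version, and packages pinned without an integrity hash. The requirements text is constructed for the example and the hash value is a placeholder, not a real digest; the same checks translate directly to other ecosystems' lock files.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

Finding = Tuple[int, str, str]  # (line number, severity, message)

PLACEHOLDER_HASH = "sha256:" + "0" * 64  # placeholder, not a real digest

# Constructed sample requirements file for an imaginary internal service.
SAMPLE_REQUIREMENTS = f"""\
# build dependencies (constructed example)
--index-url http://mirror.internal.example/simple
--extra-index-url https://pypi.org/simple
requests==2.11.1 --hash={PLACEHOLDER_HASH}
flask>=0.11
pyyaml
"""

# name, optional extras, optional version operator and version
_SPEC = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?(?P<ver>[^\s#;]*)"
)
_INDEX_OPTS = ("--index-url", "--extra-index-url", "-i")


def audit_index_url(line_no: int, url: str) -> List[Finding]:
    """Flag index URLs not served over HTTPS: a plaintext fetch can be altered in transit."""
    if urlparse(url).scheme != "https":
        return [(line_no, "high", f"index URL not served over HTTPS: {url}")]
    return []


def audit_requirements(text: str) -> List[Finding]:
    """Audit a pip-style requirements file and return all findings, in file order."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith(_INDEX_OPTS):
            # accept both "--index-url URL" and "--index-url=URL"
            parts = re.split(r"[=\s]+", line, maxsplit=1)
            if len(parts) == 2:
                findings.extend(audit_index_url(n, parts[1].strip()))
            continue
        m = _SPEC.match(line)
        if not m:
            findings.append((n, "info", f"unrecognised line: {raw.strip()}"))
            continue
        name, op, ver = m.group("name"), m.group("op"), m.group("ver")
        if op not in ("==", "==="):
            shown = f"{op}{ver}" if op else "no version"
            findings.append((n, "medium", f"{name}: not pinned to an exact version ({shown})"))
        if "--hash=" not in line:
            findings.append((n, "medium", f"{name}: no --hash, artifact integrity is not verified"))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {line_no} [{severity}] {message}")
```

Running it against the sample reports the plaintext mirror on line 2 and the unpinned, unhashed `flask` and `pyyaml` entries, while the fully pinned `requests` line passes. A clean audit is a prerequisite for, not a replacement for, hosting an internal repository that the organization actually controls.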
At the end of 2016, it is clear that even well-funded security programs still have digital transformation challenges. The pace of technological change to support innovation and business differentiation is pushing organizations to modernize their legacy governance, security, and delivery models. Looking ahead, 2017 will likely be another demanding year for security teams. However, it also promises to be transformational as organizations learn from the past and securely evolve to grow and capture value.