To understand the current and future state of the cybersecurity landscape, we spoke to and received written responses from 50 security professionals. When conducting interviews, we always wrap up the discussion with the question, “What have we not discussed that’s important for us to address in this research guide?”
Based on the number and depth of responses, there was still a lot on people’s minds.
- We need more training for people, developers, implementers, vendors, and clients — more support and education across the board. We need to think about what kind of schools and university courses are in place and how youngsters can learn and adopt security and privacy best practices.
- Every programmer ought to be curious about this stuff — reading and thinking about it — so we’re not flying blind. You can’t send the security guy in at the last second to sprinkle security dust — it doesn’t work. Ultimately, it’s people on the keyboard doing the right or wrong thing — this requires awareness and education.
- Our educational system needs to do more to prepare for the next generation. We see some efforts to bring STEM into K-12, but so much more can be done to empower these digital natives to be fluid in software development, robotics, artificial intelligence, and cybersecurity. These topics can and should be ubiquitous in our schools, beginning in elementary and middle school and continuing throughout high school and college. Technology today can help teachers be up-to-date on these topics. However, schools have scarce resources, and grants are small piece-parts. Large corporate entities could apply their philanthropic initiatives here, but states or the federal government should also consider options for a revolutionary change in what we offer kids. Let’s apply solutions there too.
- The talent gap and skills shortage in cybersecurity roles is one of the most critical issues organizations face today. Security teams must invest in their people with the best training and provide them with modern toolsets to ensure all their applications are protected, while avoiding creating an undue burden on teams already stretched too thin.
- The big question is, “Who is responsible for the lack of cybersecurity in the industry…manufacturers, ISPs, or users themselves?” Consumer awareness is growing, making cybersecurity solutions even more of a priority. The issue needs to be addressed and shared so that consumers can take control and protect themselves.
- Skills and expertise are crucial for the successful execution of an organization’s cyber strategy. In terms of talent and hiring, organizing cybersecurity teams into a matrix based on technical competency and sector experience is a best practice. We need to recruit and train to develop deep experience in Cyber Strategy, Identity and Access Management, Data Protection and Privacy, Cyber Analytics, Application Security, Attack and Penetration Testing, Threat Detection and Response, and Threat and Vulnerability Management.
We need to enable these technical practitioners to succeed in reducing business risk by rotating team members through sectors, training, and experiences so that they can better understand the implications of their actions and the business needs of their customer stakeholders.
Lastly, with so much cybersecurity risk managed outside of IT, the cyber skills necessary to succeed in the transformative age must become part of the DNA for every digitally-enabled aspect of the business. From product design to service management and manufacturing itself, cybersecurity cannot be ignored.
- The growing set of regulations and formal guidance from, for example, European, British, and US legislatures and agencies is disconcerting, since we are unable to use software and data across different geographies. This will have a negative impact on the economies of scale technical solutions we are able to provide customers.
- The same thing has been occurring for the last 50 years, and the state of information security has not changed. It’s still bad — but why? What’s the root cause of this problem? Why is it that, after 50 years and hundreds of billions of dollars in losses, we have not been able to transform the information security field? I think that’s huge and would make for a compelling topic of discussion.
- Navigating regulation is a cumbersome task to begin with; add a layer of complexity with regulations, specifically pertaining to data security, and you’re left with very few people in the room that fully understand what it means to be in compliance. Europe’s General Data Protection Regulation (GDPR) should serve as the writing on the wall for U.S. businesses that new regulations are coming here as well. Every business that handles non-public information (NPI) should have a designated individual, a Compliance Officer, whose role includes researching new and existing regulations, identifying what your organization needs to do in order to stay compliant, and providing a plan for the execution of process changes.
- Encourage customers to consider what compliance requirements their organizations are subject to (e.g., NIST SP800-*, FIPS 140-2, PCI-DSS, etc.). Have customers think about how they handle log management and incident response.
- In 2019, AI/ML is deep in the trough of disillusionment, but it will have a place in modern security innovations where large quantities of data and finite outcomes for improved security exist.
- I wish we could have automated analytics and analysis, but we’re still a ways away. The value of information will continue to increase. It will eventually make its way into data markets so the validation of data and information will add an additional cost.
- While we talk about AI/ML, it’s still early in the process. According to a study from MMC Ventures, 40% of startups categorized as AI startups don’t actually use AI. That happens so much in security; we saw it at RSA. Be wary when suppliers talk about AI/ML. Ask to see more details or proof of what they are doing.
- Security is a nebulous and ethereal concept and is always changing — just when you think you have gotten it, you don’t have it anymore. A few years ago, it was strange to say that about security, but it’s all changing very quickly.
- Even though Cloud has become mainstream with enterprise, it is still very early in its development, and it’s going to change much more in the future than it has in the past. Prepare yourself for rapid and dramatic changes to the environment you’re in charge of securing. Embrace security engineering and programmatic approaches to solving your biggest security challenges. The most successful security transformations we see occur when security becomes a service provider to the rest of your organization, rather than a gatekeeper. Build solutions that help your application teams move fast and stay secure.
- Leverage business value in addition to cybersecurity. The best companies look at the risk and the value of information. Information needs to be available, accessible, and reliable. If you take that kind of notion and key to risk factors, that’s where the future is. The CISO and CTO live in the same world to deliver high-value information.
- Keep an eye on the emerging cybersecurity risk management. Vendors focus on mobile security on infrastructure — cloud and containers. Ensure risk management practices evolve to include these as well.
- There must be so much more. How that ties into the entire DevOps pipeline. No amount of scanning in the development phase replaces doing it again in the enterprise pipeline. Use the “trust but verify” approach. Trust that developers have everything in their IDEs and they’re plugging in Jenkins. Verify that everything that needs to be done is being done with an audit trail. Always have visibility into the enterprise pipeline for the security professional that comes in for an audit.
- It’s important to have a generic data model for capturing all the security events. It’s critical to have a system to process all the events in real-time with actionable insights. Move data and analytics to the cloud and build complex data flows in a fraction of the time so that you can deliver value in days, not weeks. Modernize data circulation and harness the world of big and fast data.
- I think it may be important to highlight the importance of the supply chain in the IT world. The final system contains many components that come from many different companies and open source developers. We should all do our part, but we should also check the components supplied to us. If we all require our suppliers to follow stricter security guidelines, we will all benefit in the end. Let’s propagate our security knowledge and achievements through the supply chain.
- As you collaborate with DevOps to implement Shift Left and Shift Up, keep in mind that the security measures you implement must be platform-agnostic. I understand that’s a challenge. Talking to our customers, a lot of them are experimenting with technologies from multiple vendors, including AWS, Google, Azure, Docker, OpenShift and Kubernetes. A key piece of your organization’s strategy must be to keep all your options open. Don’t get locked in, which is true more so at the serverless level, where tools like Amazon Lambda or Google Functions are at a much lower level — providing the benefit of flexibility but creating potentially less portable code.
- It is absolutely critical that organizations secure development tools and environments in the same way they secure production environments. It’s important to secure applications early in the process, but it’s also important to secure the infrastructure that brings them through the entire CI/CD pipeline.
- I’ve noticed that the security industry has become much more fragmented in recent years. There used to be a number of security experts that I would consider to be generalists, and they had a broad knowledge of the lay of the security landscape. Looking at large security events this year, the practitioner landscape is fragmented into many specialty areas, whether that is application security, red teaming, security orchestration, etc. I no longer see a lot of highly knowledgeable security practitioners who are generalists. This trend may have implications on how security teams are organized and managed.
- In addition to the necessity of sharing security knowledge, I want to emphasize that security expertise should not belong to any one organization. It belongs to the community. Security is a shared responsibility, and developers, security researchers, and the community at large need to work together to achieve results.
This is the final article in a series of security articles that share what IT professionals thought about the current and future state of security. We look forward to getting your thoughts and feedback.
Here’s who shared their insights:
- Josh Mayfield, Director of Security Strategy, Absolute
- Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
- Steven Aiello, Security and Compliance Solutions Principal, AHEAD
- Gadi Naor, CTO and Co-founder, Alcide
- Omer Benedict, Senior Director of Product Management, Aqua Security
- Tom Maher, CTO, Asavie
- Gaurav Banga, CEO and Founder, Balbix
- Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
- Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
- Anurag Kahol, CTO, Bitglass
- Syed Abdur, Director of Product Management and Design, Brinqa
- Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
- Andrew Lev, CEO, Cliff Duffey, Founder and President, Bethany Allee, Vice President Marketing, Cybera
- Brian Kelly, Head of Conjur Engineering, CyberArk
- Doug Dooley, COO, Data Theorem
- Jason Mical, Cyber Security Evangelist, Devo Technology
- OJ Ngo, CTO, DH2i
- Tom DeSot, EVP CIO, Digital Defense, Inc.
- Chris DeRamus, Co-founder and CTO, DivvyCloud
- Alan Weintraub, Office of the CTO, DocAuthority
- Tom Conklin, CISO, Druva
- Anders Wallgren, CTO, Electric Cloud
- Satish Abburi, Founder, Elysium Analytics
- Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
- Ambuj Kumar, Co-founder and CEO, Fortanix
- Josh Stella, Co-founder and CTO, Fugue
- Kathy Wang, Senior Director of Security, GitLab
- Amith Nair, VP Product Marketing, HashiCorp
- Mike Puglia, Chief Customer Marketing Officer, Kaseya
- Nathan Turajski, Director of Product Marketing, Micro Focus
- Gary Duan, Chief Technology Officer, NeuVector
- Gary Watson, CTO and Founder, Nexsan
- Stephen Blum, CTO and Co-founder, PubNub
- Chuck Yoo, President, Resecurity
- Roey Eliyahu, CEO and Co-founder, Chris Westphal, Head of Product Marketing, Salt Security
- Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
- Igor Baikalov, Chief Scientist, Securonix
- Oege de Moor, CEO and Co-founder, Semmle
- Dana Tamir, VP Market Strategy, Silverfort
- Logan Kipp, Technical Architect, SiteLock
- Albert Zenkoff, Security Architect, Software AG
- Tim Brown, V.P. Security Architecture, SolarWinds
- Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
- Tim Buntel, VP of Application Security Products, Threat Stack
- Andrew Useckas, Founder and CTO, ThreatX, Inc.
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
- Robert Hawk, Operations Security Lead, xMatters