Virtualization and Cloud executives share their predictions for 2016. Read them in this 8th Annual VMblog.com series exclusive.
Contributed by Javvad Malik, Security Advocate at AlienVault
2016 Security Trends, Predictions and Wild Guesses
With 2015 nearly behind us, it is a good opportunity to reflect on what we saw. Historical events may not always be the best way to predict the future, but they do often give a good indication as to which way the trends are heading.
So without further ado, here's our top 10 list of security trends, predictions and guesses for the coming year.
Security Capability Consolidation
Buying, selling, going public or going private - 2015 has seen a significant amount of M&A activity, the general message of which seems to be one of consolidation. Michael Dell, CEO of Dell, said in reference to the acquisition of EMC, "The IT marketplace wants fewer vendors, not more."
It's worth bearing in mind, though, that having the desire to offer a 'one-stop-shop' experience is one thing, and being able to integrate technologies in order to offer a seamless user experience is quite another.
(The Internet of) Things getting out of hand
More and more internet-connected devices are making their way into consumer hands, and with them come vulnerabilities. Much-publicised incidents occurred during 2015, with researchers poking at and trying to exploit planes, guns and automobiles.
The Consumer Electronics Association (CEA) recently published Guiding Principles on the Privacy and Security of Personal Wellness Data. We expect more such guidance to be offered for other IoT applications - however, it will not stop researchers trying to find and uncover exploitable vulnerabilities. This will, in turn, continue to fan the flames of ...
Responsible disclosure
Security researchers are positioned at a delicate moment in history and 2016 could bring about radical changes in how vulnerabilities are discovered, proven, reported and addressed.
The emergence of bug bounty programs and companies has greatly facilitated company/researcher relationships within the technology industry. But there are large segments of manufacturing and industry that would rather utilise lawyers to block research altogether.
Researcher self-regulation has been touted as another option for security researchers to consider.
It is unlikely that we will see the conclusion to this debate in 2016, but we will likely see some moves being made.
Security awareness going domestic
User awareness training has been an ongoing topic and the bane of many a security professional in recent years. However, security awareness training has begun to expand out of the corporate world into the consumer world. We've seen government plans addressing the masses, and there are some specific initiatives that aim to educate children on staying safe online. This trend will likely continue and become more uniform in its approach.
Deep Data Breach Impact
Traditionally, it's taken a while (if ever) for people to actually notice the impact of a data breach. Identities do get stolen, as does money from bank accounts - but overall there hasn't been a significant impact on a group of individuals in one go. The Ashley Madison breach changed the dynamic somewhat in that it brought to light how, given the right context, personal and professional lives could be impacted significantly.
Unfortunately, the trend of breaches doesn't look to be slowing down any time soon and the cumulative impact of data correlated from multiple breaches may be significant.
Privacy regulations
Privacy has somewhat played the role of security's cousin - however, the continued evolution of attempts to regulate privacy, particularly across Europe, will pull security into many debates. Most prominent will be the case of Safe Harbor and how European Rulings will affect the transfer of personal data going forward.
This will undeniably impact the role and the skills required of security professionals within organisations which transfer personal data internationally.
SMBs' security investment will increase
As breaches continue to dominate the headlines, smaller companies are becoming increasingly aware of the impact breaches can have. From a digital perspective, no company is considered 'too small', and even young companies with small resources can be targeted. They can be targeted either for the data they hold or for use as a conduit into a larger company.
Instances of cyber attacks significantly harming small businesses are growing, with 'ransomware' topping the list of most companies' concerns.
More shared cloud security
In some instances, particularly for companies with limited IT resources, utilising a cloud-based provider, be it IaaS, PaaS or SaaS, can be a good investment from both a business and a security perspective.
Although the cloud provider may take some security responsibility, more companies are becoming aware of the fact that simply hosting in the cloud does not absolve them completely of their security responsibility. Amazon has a well-published shared responsibility model that is forcing companies to take a look at what security measures they can and should take when utilizing the cloud.
Increased incident response skills
As more high-profile breaches have occurred, there has been a greater need to respond, not just from a technology perspective to get systems back up and running again, but also by having the right communication strategy in place for stakeholders and customers alike. There have been several examples through the year where the public relations part in particular was not handled optimally. So we expect the boardrooms of many companies to focus on all aspects of incident response and look to develop or acquire skills going forward.
Stop! Collaborate and Listen
There is an increasing number of avenues and tools that security professionals are utilising in order to share and collaborate on security research and threats. We expect this to increase and become more formalised over 2016. This will not only be amongst organisations and industry verticals, but perhaps more importantly amongst individual practitioners. The more trust networks are created and the more threat data and best practices are shared, the greater the advantage companies will have in protecting against emerging threats.