Virtualization Technology News and Information
RSA Conference Advisory Board 2018 Predictions: Where We've Been and What's to Come

VMblog Predictions 2018

Industry executives and experts share their predictions for 2018. Read them in this 10th annual series exclusive.

Contributed by Members of the RSA Conference Advisory Board

Where we've been and what's to come

The New Year brings an opportunity both for reflection and for anticipation of what's to come in the year ahead. While groundbreaking technology innovation continues to change how we work, live and connect to the world around us, we also see increased cyberattacks and damaging data breaches.

The forecasts for future growth and investment are exciting, but it also remains important to keep our eyes on the significant work the industry is doing today. Each RSA Conference builds around a central theme that highlights a timely and relevant focus for the information security industry. For 2018, they recognize the sense of urgency felt across industries and the importance of building a strong foundation that advances the field of cybersecurity with the theme "Now Matters." With this in mind, the RSA Conference Advisory Board came together to reflect on where we've been and anticipate what's to come in 2018 and beyond.

Attribution Awareness & Public Buy-In

According to Dmitri Alperovitch (Co-Founder and CTO of CrowdStrike Inc.), improvements in attribution capabilities have given the general public a much greater appreciation of the threat environment.

"The understanding of which nation states, criminal groups and hacktivist groups are breaking into organizations and for what purpose is helping to drive additional investment that is threat-centric and commensurate to the risk to the enterprise. Just as importantly, public attribution has helped advance geopolitical debate about how to bring various threat actors to account through law enforcement, and political and economic actions."

The public awareness of breaches has also impacted product offerings and company security postures. As Wade Baker (Independent InfoSec consultant and Co-Founder of the Cyentia Institute) points out, "The realization that breaches occur impacting the general public and, to a certain extent, will unquestionably occur has had a phenomenal effect on the industry. Detection and response is a result of that and where you'll see a lot of the spending and products."

The Role of Regulation

In 2017, we saw two very public, high profile breaches: Equifax and Uber. These attacks raised many questions around the role of regulation and the timing of breach disclosure.

Hugh Thompson (Program Committee Chair, RSA Conference and CTO, Symantec) notes regulation has been shaping the industry from the beginning, and what's more, regulation can be seen in a material way each year at RSA Conference. Thompson's thoughts on regulation for the future? In 10 years, we'll be even more regulated than we are today even as the industry tries to distance itself from compliance.

When looking at current regulations, both Todd Inskeep (Principal, Commercial Consulting at Booz Allen Hamilton) and Wendy Nather (Principal Security Strategist, Duo Security) agree compliance is still too reactive. Inskeep notes that we need new ideas and fresh thinking on what the real problem looks like. But unfortunately, regulation usually solves last year's problem at best. According to Nather, we'll continue to see large-scale attacks with huge collateral damage in the form of outages, but we likely won't be prepared for them.

The good news: Inskeep anticipates that "in 10 years, we'll have even more great talent working on all aspects of the information security problem, those new people will bring more diversity, ideas and innovation to the industry, even as new technologies create new challenges." So, while organizations may not be as prepared as they should be today for large-scale attacks, the work the industry is doing now - and the talent it is attracting - is well poised to solve these challenges.

Emerging & Future Technology Trends

Knowledge-based authentication has continued to be a popular security control to help verify identity. However, Nather raises some important considerations as it relates to security versus privacy: "Are users going to get used to being asked the knowledge-based authentication questions regardless of what they are trying to register for? Not everything is worth invading a user's privacy by pulling their demographic and financial information from a centralized data store. As the population ages, maybe they don't remember those details anymore. There is the ongoing conflict between identification (telling two people apart) and authentication (proving that one of them is who they say they are). Social Security Numbers are trying to do both, and that's why we have the security problems that we do. The industry will need to figure out how to separate the two purposes once and for all."

Another issue with knowledge-based authentication stems from the large-scale Equifax breach, which impacted more than 143 million consumer credit records. Inskeep notes: "What kind of knowledge-based authentication can be used to authenticate people that hasn't already been stolen?" Looking for new ways to secure personal information and verify identity, while maintaining privacy standards, is one of the nuanced challenges security professionals will need to address in the future.

And those organizations going the Do-It-Yourself security route? Nather says that approach won't last.

"We may need a wholesale, greenfield migration of enterprise business operations to centralized, heavily-vetted service providers. In the future, it might be seen as criminally negligent to try to write your own software and run your own systems, because nobody can do it terribly well. In other words, those current holdouts with their own data centers may be forced into the cloud through regulation, or simple societal recognition of the fact that security is too expensive and too hard to get right on your own. Another thing we can do is simplify security controls so that they are more intrinsic to the technology, and create that tech pre-configured with security options that can't be changed. If you make it harder for users to get it wrong, then security will get better without us having to blame the end-consumer, which is a losing strategy."

Security Jobs of the Future

According to Inskeep, part of this transition will come as baby boomers start to retire, and we bring in a new generation to lead the workforce. "With generational changes in business-level executives and the Board Room, we'll have more people who understand the impact of what cybersecurity is in business. I don't feel that digital natives follow the attacks more than anyone else, but they do have a better intrinsic feel for their dependence on technology and a better feel for what IT and cyber means for their business and products."

Not only will there be a fresh perspective brought to the C-Suite and Board Room, but the fundamentals of a security job will likely change over time. Thompson reflects on the buzz that exists now around artificial intelligence (AI) and machine learning, and how that can potentially impact jobs in the future. "It is truly being used in products and people optimizing their stock. In 10 years, what does it look like when all the mundane tasks are all codified inside AI and machine learning? And what is the role of the security team? Maybe it becomes more about curating things properly." In other words, the human role in security becomes more about bringing additional instinct and insight to the droves of data that machines can process at a faster rate.

Additionally, the entire Advisory Board agreed the role of the CISO is likely to evolve more into the Chief Risk Officer who would report directly to the CEO. Companies will think about cyber-risk the same way they think about operational or supply chain risk. There will be a transition away from considering cyber in a silo as something different, to the realization that cyber risk must be incorporated into the playbook the same way as any other crisis.

A Commitment to Collaboration

Obviously, there are still many serious challenges ahead for the security industry. Some have remained stable over time, while others have increased in correlation to the adoption of technologies such as mobile, cloud, IoT, and AI, not to mention technologies such as blockchain and the impact of quantum computing on encryption. And if history is any indicator, the sophistication and diversity of cyber-attacks and their frequency are unlikely to trend downward. From the Advisory Board's perspective, there is universal agreement that one necessary factor for providing better, more creative and unique solutions to these various challenges is industry commitment to collaboration.

"It's been tough, and there are a lot of thorny issues from traditional business aspects to the ways business and government have interacted, but there are aspects of the problem that can only be solved when the public and private sector work together," said Inskeep. "I'm hopeful we will figure out how to align our various cyber-activities, work together more closely and coordinate to respond effectively to incidents. Right now, everyone is on their own. But we are good at solving problems - and ten years out, we will be better able to figure out how military, law enforcement and businesses can truly collaborate to make the world a safer place for all organizations."


Published Tuesday, December 19, 2017 8:05 AM by David Marshall