
Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Stephan Chenette, CTO, AttackIQ
Data Privacy Regulations, Convergence of Threat and Risk Teams and Cloud Misconfigurations Among Top 2019 Cybersecurity Predictions
This time of year, cybersecurity professionals are reflecting on major trends and events that occurred over the last twelve months, and preparing for changes to come. In 2018, we saw monumental events such as the enactment of GDPR and the emergence of similar data privacy laws like California's Consumer Privacy Act. We also saw huge numbers of data breaches, many of them in the cloud, as more and more companies move sensitive data and other assets off premises. As the cybersecurity industry continues to evolve, I expect the trends below to emerge in 2019.
The rising concern over how companies use and protect personal information will encourage efforts to enact laws similar to GDPR nationally.
Time and again, companies have proven that their ability to adequately protect consumer data is seriously lacking, shining a light on the need for government regulation. The public demands that companies be held accountable for data breaches, including meeting certain security requirements and facing consequences for failing to meet those requirements. The Marriott breach affecting 500 million customers will serve as a catalyst for the development of new regulations, in the U.S. (perhaps first at the state and then at the federal level) as well as in other countries around the world.
Specifically, the Marriott breach will drive important changes regarding how organizations can collect and store personal information. I expect new regulations to put restrictions on the type of information hotels ask customers to provide, thereby reducing risk to customers if the company is breached. For example, hotels may be required to use personal identification numbers for customers, rather than collecting Social Security numbers.
Here in the U.S., I expect lawmakers to learn from Europe's GDPR as well as California's Consumer Privacy Act on what works and what doesn't work when drafting data privacy legislation. For example, GDPR calls for fines and consequences for companies that get breached or don't meet certain requirements, but this has not always been enforced. Additionally, while California has already passed its own data privacy law and other states appear to be following suit, I expect a national law to take shape in the U.S. to provide continuity and consistency.
Much like we have seen the creation of purple teams to increase the coordination and effectiveness of security operations between red and blue teams, we will see a convergence of threat and risk teams.
Previously, companies had separate red and blue security teams that worked in silos. In more recent years, we have witnessed the emergence of combined purple teams that are able to collaborate more effectively to find and fix security vulnerabilities and gaps. In 2019, we will see a convergence of threat and risk teams, not only to pass regulatory compliance audits like NIST and PCI-DSS, but to drive security effectiveness. Threat teams consist of the incident response, pen-testing, red, blue and purple teams, and collectively focus on how to improve their company's security posture, while risk teams focus on regulatory controls. The convergence and further collaboration of these two teams will improve an organization's overall resilience: while the risk team focuses on documenting the controls that have been put in place in order to pass a compliance audit, threat teams and the tools they use will be relied upon further to demonstrate the effectiveness of those controls.
CISOs are increasingly feeling the pressure to prove that their teams' actions are making a positive impact on the company's security, and converging threat and risk teams to encourage collaboration and increase efficiency is an important step. The threat team must help ensure that the tools the risk team recommends for satisfying compliance requirements actually work.
With expanding reliance on public cloud infrastructure, there will be more personal data breaches due to misconfigurations.
Cloud adoption is growing at a rapid rate. According to IDG, 77 percent of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. With the continued shift toward the cloud, unfortunately, we are going to see more data breaches due to misconfigurations. Gartner predicts that through 2022, at least 95 percent of cloud security failures will be the result of human error. This is due in part to companies not knowing how to properly secure data in these new environments, and not testing the security of the new tools they're using.
2018 has shown us several trends that, if we are aware of them and prepare for them, can make us a more resilient and secure organization in 2019. While the adoption of cloud technologies is generally positive and helps make businesses more efficient, security must be top of mind with the adoption of any new business and technology strategy. And while we have seen multiple data breaches occur this year due to organizations failing to adequately protect data, we will see more and more regulations emerge with the aim of setting clear security guidelines and holding companies accountable for breaches. Hopefully, with threat and risk teams working together, we will see more collaboration and sharing occur, so that as an industry our aim is not only compliance but a more effective security program.
## About the Author
Stephan Chenette is the Chief Technology Officer and a co-founder of AttackIQ, responsible for technology strategy and vision. Stephan launched AttackIQ in 2013 as the first open platform in the emerging market of Continuous Security Validation and has held several roles and responsibilities during that time. Stephan is a frequent speaker on risk, threats, metrics, security technologies, and other topics.