Virtualization Technology News and Information
Article
RSS
AttackIQ 2019 Predictions: Data Privacy Regulations, Convergence of Threat and Risk Teams and Cloud Misconfigurations

Industry executives and experts share their predictions for 2019.  Read them in this 11th annual VMblog.com series exclusive.

Contributed by Stephan Chenette, CTO, AttackIQ

Data Privacy Regulations, Convergence of Threat and Risk Teams and Cloud Misconfigurations Among Top 2019 Cybersecurity Predictions

This time of year, cybersecurity professionals are reflecting on major trends and events that occurred over the last twelve months, and preparing for changes to come. In 2018, we saw monumental events such as the enactment of GDPR and the emergence of similar data privacy laws like California's Consumer Privacy Act. We also saw huge numbers of data breaches--many of them in the cloud--as more and more companies move sensitive data and other assets off premises. As the cybersecurity industry continues to evolve, I expect the below trends to emerge in 2019.

The rising concern over how companies use and protect personal information will encourage efforts to enact laws similar to GDPR nationally.

Time and again, companies have proven their ability to adequately protect consumer data is seriously lacking-shining a light on the need for government regulation. The public demands that companies be held accountable for data breaches, including meeting certain security requirements and facing consequences for failing to meet those requirements. The Marriott breach of 500 million customers will serve as a catalyst for the development of new regulations, in the U.S. (perhaps first at the state and then federal level) as well as in other countries around the world.

Specifically, the Marriott breach will drive important changes regarding how organizations can collect and store personal information. I expect new regulations to put restrictions on the type of information hotels ask customers to provide, thereby reducing risk to customers if the company is breached. For example, hotels may be required to use personal identification numbers for customers, rather than collecting Social Security numbers.

Here in the U.S., I expect lawmakers to learn from Europe's GDPR as well as California's Consumer Privacy Act on what works and doesn't work when drafting data privacy legislation. For example, GDPR calls for fines and consequences for companies that get breached or don't meet certain requirements, however this was not always enforced. Additionally, while California has already passed its own data privacy law and other states appear to be following suit, I expect a national law to formulate in the U.S. to provide continuity and consistency.

Much like we have seen the creation of purple teams to increase the coordination and effectiveness of security operations between red and blue teams, we will see a convergence of threat and risk teams.

Previously, companies had separate red and blue security teams that worked in silos. In more recent years, we have witnessed the emergence of combined purple teams that are able to more effectively collaborate to find and fix security vulnerabilities and gaps. In 2019, we will see a convergence of threat and risk teams to not only meet regulatory compliance audits like NIST and PCI-DSS, but drive security effectiveness. Threat teams consist of the incident response, pen-testing, red, blue and purple teams, and collectively focus on how to improve their company's security posture, while risk teams focus on regulatory controls. The convergence and further collaboration of these two teams will improve an organization's overall resilience because while risk focuses on documenting the controls that have been put in place in order to pass a compliance audit, threat teams and the tools they use will be relied upon further to showcase the effectiveness of those controls.

CISOs are increasingly feeling the pressure to prove that their teams' actions are making a positive impact on the company's security, and converging threat and risk teams to encourage collaboration and increase efficiency is an important step. The threat team must help ensure that the tools the risk team recommends for satisfying compliance requirements actually work. 

With expanding reliance of public cloud Infrastructure there will be more personal data breaches due to misconfigurations. 

Cloud adoption is growing at a rapid rate. According to IDG, 77 percent of enterprises have at least one application or a portion of their enterprise computing infrastructure in the cloud. With the continued shift toward the cloud, unfortunately, we are going to see more data breaches due to misconfigurations. Gartner predicts that through 2022, at least 95 percent of cloud security failures will be the result of human error. This is due in part because companies do not know how to properly secure data in these new environments, and are not testing the security of the new tools they're using.

2018 has shown us several trends that if we are aware of and prepare for, in 2019 we can be a more resilient and secure organization. While the adoption of cloud technologies are generally positive and helps make businesses more efficient, security must be top of mind with the adoption of any new business and technology strategy. And while we have seen multiple data breaches occur this year due to organizations failing to adequately protect data, we will see more and more regulations emerge with the aim of setting clear security guidelines and holding companies accountable for breaches. Hopefully, with threat and risk teams working together, we will see more collaboration and sharing occur so that as an industry, our aim is not only compliant but a more effective security program.

##

About the Author

 

Stephan Chenette is the Chief Technology Officer and a co-founder of AttackIQ, responsible for technology strategy and vision. Stephan launched AttackIQ in 2013 as the first open platform in the emerging market of Continuous Security Validation and has held several roles and responsibilities during that time. Stephan is a frequent speaker on risk, threats, metrics, security technologies, and other topics. 

Published Tuesday, January 15, 2019 7:26 AM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<January 2019>
SuMoTuWeThFrSa
303112345
6789101112
13141516171819
20212223242526
272829303112
3456789