
 
Security Predictions and Directions
 

2016 Security Predictions and Directions

Cross-platform, BYOD software security for passenger entertainment will rise significantly
Thorsten Held, Co-Founder and Managing Director - whiteCryption - Sunnyvale, California, USA

Bring-Your-Own-Device (BYOD) has shifted from the workplace to the consumer space – particularly in the transportation sector. Passenger experience – both in the air and on the ground – is an on-going and important trend for airlines and public transportation systems and will rise dramatically in 2016. Services will be implemented to a greater degree to increase customer loyalty and boost revenue. No longer will passengers be forced to view close-to-the-face, tiny seat-back screens; and more rails, metros, subways and other transportation systems will start pushing news, games and other over-the-top broadcasts to loyal commuters onto their own devices.

With these BYOD offerings, cybersecurity becomes critical. If the servers providing the content to the passengers’ devices are completely disconnected from the vehicle network, the risk is about content loss. Far more serious, if the servers are part of the vehicle network, the risk becomes much greater than just content (e.g., hacking into the control system, braking system and so on).

Non-conventional, software-implemented security solutions will become the security systems of choice to protect BYOD apps that run on insecure passenger devices. Software security solutions will be cheaper, more agile and more easily adaptable to changing devices, software updates and business needs over hardware solutions.

Important Issues:
  • Protecting non-secure BYOD apps with easy-to-deploy, inexpensive and flexible security solutions
  • App security for the Smart Home and Smart Cities
  • Embedded security for healthcare and medical – from mobile apps to smart wearables
Direction for CSOs and Decision Makers:
  1. Examine software security over hardware for less expensive, more agile solutions
  2. Understand the application touch points – inside and outside of the organization
  3. Make sure security meets government standards
Cryptzone secures the enterprise with dynamic, context-aware security solutions that protect critical services, applications and content from internal and external threats. For over a decade, enterprises have turned to Cryptzone to galvanize their Cloud and network security with responsive protection and access intelligence. More than 450 public sector and enterprise customers, including some of the leading names in technology, manufacturing and consumer products trust Cryptzone to keep their data and applications secure. For more information, visit www.cryptzone.com or follow us @Cryptzone.

Enterprises beware: Hackers for hire are on the rise
Leo Taddeo, Chief Security Officer - Cryptzone - Waltham, Massachusetts, USA

The dark web is quickly becoming Madison Avenue for nefarious sorts looking to deploy cybercrimes. Through these sites, those looking to harm a corporate network and gain sensitive information (i.e. social security numbers, credit card info, etc.) have the ability to connect with like-minded individuals and those with the technology know-how to deploy the most sophisticated cyber-attack. Given the ROI, it’s not surprising this trend is growing at an alarming rate. For a mutually agreed upon price, anyone can hire a hacker, domestically and abroad, to secure Personally Identifiable Information (PII), initiate a DDoS attack or even perpetrate something as potentially devastating as what we saw with companies such as JP Morgan, eBay, Home Depot, Anthem – even the OPM. We can expect to see more and more of this in the coming year given authorities’ inability to track the owners, and simply put, the cost-effectiveness of organized cyber-criminals’ ability to hire individuals with technology skills to do their dirty work for them. Fortunately, there are steps enterprises can take to mitigate data loss and minimize their fiscal risk. At a bare minimum, organizations need to rid themselves of antiquated perimeter security and adopt a software defined perimeter approach for granular control, where users have access on a need-to-know basis and non-authorized applications, resources and infrastructure are rendered invisible and inaccessible.

Important Issues:
  • Securing personally identifiable information (PII)
  • Privileged user access control
  • Network segmentation
Direction for CSOs and Decision Makers:
  1. Protect against easy entry points such as third-party vendors, service providers and partners by granting access to data and applications on a need-only basis.
  2. Harden your most sensitive assets in order to lessen the impact and footprint of a breach when one occurs.
  3. Consider investing in cyber insurance to mitigate data breach-related losses. Even the process of doing so will help you zero in on what data you consider mission-critical and how it should best be secured.
Global regulation will force companies to rethink their data strategies
Sanjay Beri, Chief Executive Officer - Netskope Inc. - Los Altos, California, United States

Over the last several years, organizations large and small across a variety of industries in Europe and around the world have rapidly adopted cloud apps. It’s no secret that departments from human resources to finance and everything in between rely on cloud apps for productivity, flexibility and innovation. In fact, according to the latest Netskope Cloud Report, European companies have an average of 608 cloud apps in use. At the same time, many European IT or information security professionals vastly underestimate the number of apps in use in their organization – often by 90 percent or more. In 2016, all eyes will turn to the EU General Data Protection Legislation (GDPR) which will require that organizations know what services are “processing” personal data and protect the privacy of those data. Yet if vast amounts of personal data are being processed by shadow IT, how can organizations even begin to protect those data? To date, U.S.-based companies have largely ignored the pending data privacy ruling, but with the European Commission aiming for agreement on the draft regulation as early as January 2016, organizations must take fast action. Any company with data or customers in Europe will have to comply with GDPR, forcing IT departments all over the world to rethink their data strategies before it’s too late.

Important Issues:
  • Security and compliance
  • Machine learning and anomaly detection
  • Cloud app usage visibility and control
Direction for CSOs and Decision Makers:
  1. Empower IT to take on the role of a broker (and less as a troubleshooter)
  2. Understand the potential business implications of global regulation such as GDPR and respond accordingly
  3. Equip your core IT infrastructure with machine learning capabilities to automatically detect abnormal behavior, enforce policies and shut down cyberattacks.
CISOs will get serious about data-centric security
Aki Eldar, CEO and Co-Founder - Secure Islands - New York, NY, USA

For years, the security industry has been heralding the death of the network perimeter. If the constant parade of mega breaches has not validated the fact that it has finally died, then I don’t know what will.

However, it might be sad news to some, but it’s not bad news. Perimeter based approaches have been on life support for some time. They had a long and fruitful life, not to mention an exciting one, and deserve to rest in peace. With the death of the perimeter comes what I call “the birth of Borderless.” Not that “Borderless” is necessarily new, but now that cloud and mobile computing models are pervasive, it’s time we regroup and place our full attention on more business-appropriate and effective ways to protect the “crown jewels” those virtual walls were constructed to protect – data.

So if virtual walls no longer suffice, then it’s not such a leap to consider protecting the data itself. This is not a new idea (encryption, anyone?), and while it’s true that our first attempts at data centric protection left a lot to be desired, as an industry we seem to have thrown the baby out with the bathwater. There’s been a lot of improving, automating, and innovating data-centric security controls – it’s about time people stop talking about why it didn’t work before, and take some time to test drive technologies that link the present to the future.

Important Issues:
  • Data Protection
  • Risk Management
  • Updating internal security processes
Direction for CSOs and Decision Makers:
  1. Know thy data – define and articulate what sensitive data is
  2. Automate data-security process - don’t rely on your users to know (or care) about data protection
  3. Engage your vendors – if they have specific expertise, leverage it
The tide will turn on cyberattacks
Johnnie Konstantas, Director, Security Solutions Marketing & Business Development - Gigamon - Santa Clara, California, USA

The tide will turn on cyberattacks among the most well-protected companies. That isn’t to say that breaches will be eliminated, but that sophisticated attackers are going to find it harder to make gains. The reason is a mixture of a better security posture among organizations, and increased scrutiny of hackers from both businesses and law enforcement. A key enabler to this shift will be the adoption of a security delivery platform that provides pervasive visibility of network traffic, users, applications and suspicious activity – across physical and virtual networks – and delivers it to multiple security devices simultaneously without impacting network availability. As a direct result, third party security appliances are more effective at protection and remediation, and cost and complexity of security infrastructure is reduced. This will allow organizations to finally reverse the asymmetry between the attacker and defender, dramatically shortening the timeframe between breach and detection.

CISOs will regain their footing, gain fast and visible wins
Shay Zandani, CEO and Co-Founder - Cytegic - Hackensack, New Jersey, USA

It’s been a tough few years for security leaders and for the cyber security industry in general. But what goes down must come up. And I predict that 2016 will be the year CISOs rebound. That, given resources and runway, organizations can start to regain their home court advantage and land quick and visible wins that will improve the IT Security Organization’s stature and morale.

One thing we can do immediately is to start applying common sense to audit and security control review. For example, there is no shortage of threat intel (including ours) that indicates that there is going to be a spike in attacks against retailers and financial service institutions during the holiday season. A bit more due diligence can provide a much richer level of detail into specific threat actors, types of malware, etc.

We see these blanket trends occurring all the time – i.e., in Europe attack activity often spikes in conjunction with major sporting events. Yet rarely do the most high-risk organizations adjust their controls to account for this reality. If you live in a region with harsh winters, you put snow treads on your car BEFORE a major snowstorm. Cyber security should work the same way – you adjust in accordance with real world events, and not randomly assigned compliance deadlines.

I believe this year common sense will prevail, and CISOs will start connecting dots that for whatever reasons were not previously being connected.

Important Issues:
  • Update cyber security risk management practices
  • Use layman’s terms to communicate what you need to be successful
  • Get ahead of known trends
Direction for CSOs and Decision Makers:
  1. What is obvious to you may not be obvious to your CEO or board – educate educate educate!
  2. Along those lines – if you are a retailer and you are not adjusting controls in advance of holiday-fueled attacks, shame on you.
  3. Take the time to market your successes – people need to know what is working.
Jewels in the Cloud; Thieves in the Cloud
Hugh Thompson, Chief Technology Officer and Senior Vice President at Blue Coat - Blue Coat - Sunnyvale, California, USA

The keys to the kingdom are now in the cloud. As more organizations store their most valuable data in the cloud (customer & employee data, intellectual property, etc.), the bad guys will find a way to gain access to this data. In 2016, we expect to see an increase in breaches of cloud services, and hackers will use credentials to cloud services as a major attack vector. Social engineering tactics will focus on mimicking cloud login screens to gain credentials.

Important Issues:
  • Mobile malware and particularly ransomware make a lot of money for the bad guys, and we’ll see both increasing in the coming year.
  • As services like Office365, GoogleDrive, Dropbox and Box continue to increase in popularity, hackers will keep leveraging these services.
  • It seems that every year is deemed the “Year of the Breach,” and each year more and bigger-name companies are falling victim to breaches.
Advanced network visibility/behavioral intrusion detection/access control appliances make networks smarter
Carmine Clementelli, Marketing and Sales Manager, PFU Systems, a Fujitsu Company - Sunnyvale, California, USA

Advanced appliances with integrated network visibility/behavioral intrusion detection/access control appliances are going to make networks smarter to combat cyber threats, which are escalating as never before. The potentially devastating impacts of breaches are almost impossible to overstate, driving a powerful new generation of security solutions combining endpoint visibility, network access control, and behavioral analysis on the internal network traffic. These new appliances will correlate traffic flow patterns typical of remotely controlled attacks and spyware, rapidly mitigate threats and alert IT and security professionals both to anomalous device behaviors and – just as important – all unwanted devices connected on the network. As a result, 2016 will see security professionals and IT get serious about unauthorized/unknown/compromised devices. This means both finding out who and what is on the network, and automating the enforcement of policies to restrict access to sensitive data, subnets and digital assets – for all of the obvious security, liability and reputation reasons.

Important Issues:
  • Knowing who and what are on the network is increasingly essential, both to enforce and shape policies and to close security and compliance holes. BYOD is the norm, but unsecured devices and rogue network elements can’t ever be.
  • Unintelligent networks are hackable, rendering strategic data and resources vulnerable to APTs. Defense-in-depth strategies should be the norm, with internal traffic intelligence to analyze and recognize abnormal patterns & behaviors typical to APTs.
Direction for CSOs and Decision Makers:
  1. Use next-gen internal net security with endpoint visibility, access control & behavioral analysis on internal network traffic. The appliance correlates traffic flow patterns, shows who/what’s on the network, rapidly thwarts threats & deploys easily.
  2. Get serious about identifying unauthorized/unknown devices. This means finding out who and what is on the network, and automating policy enforcement to control access to sensitive data, subnets and digital assets – for obvious reasons.
  3. Accept that your network’s boundary-less – mobility means people are your perimeter. Network visibility and rapid attack response are essential, hands-on management of every device is unfeasible, and anti-virus subscriptions are a weak defense.
As passwords die, contextual/continuous authentication will rise in 2016
Lasse Andresen, CTO - ForgeRock - San Francisco, California, United States

The recent news about Amazon shows why there’s so much talk recently of the death of the password. The security approach where you only evaluate risk when someone’s at your door is becoming less workable. When you can continuously analyze someone’s authenticity while already in the system, then you can provide a high security environment while still offering ease of use to the end user. Especially with the Internet of Things bringing billions of new devices, services and apps online, the ability to continuously monitor and authenticate users while they’re in your house will become a real business advantage. Developers need to evaluate security solutions that are able to apply contextual identity, adaptive risk and multi-factor authentication at authentication plus at any point throughout a session. This kind of continuous security approach will be embraced in the marketplace and become the new standard, because it ensures authenticity of users, devices, things and services at all times and can mitigate risk whenever an anomaly is detected, even during existing sessions.

Important Issues:
  • Chip to cloud (or device to cloud) security protection
  • New technologies and standards that enable consumer privacy and security
  • Consent, context, identity and security data points will all significantly boost the value of big data exponentially
Direction for CSOs and Decision Makers:
  1. Apple, Google and Intel are all vying for control of our homes, while Microsoft, IBM and Oracle are fighting over our businesses, but the scene could be set for a disruptive innovator to come in and take everyone by surprise.
  2. By tagging data at the point of collection with additional contextual information, the value that can be extracted from it across an organization is multiplied significantly.
  3. As technology evolves and contextual big data becomes more meaningful, businesses and governments will be able to harness the IoT to fundamentally change our daily lives.
User Behavior Analytics will not yet live up to expectations
Joan Pepin, VP of Security/CISO - Sumo Logic - Redwood City, California, United States

We’ll continue to see an accelerated shift in the market -- from security information and event management (SIEM) technology to advanced security analytics, including User Behavior Analytics (UBA) -- however, I warrant caution. Despite some vendors moving to UBA products, this technology is still emerging. The UBA products we’re seeing come to market are not mature yet, meaning they cannot be relied on as a key detection technology. Additionally, most incident responders within an IT security team are not up to speed on how to best leverage UBA technology -- or even how to leverage it at all. Instead, security professionals should invest more time and resources in the basics, like adequately training users and practicing defense in depth. Addressing these foundational elements of the infrastructure first will better enable security professionals to deploy new tools effectively.

Important Issues:
  • Hiring will continue to be a major issue and a major focus.
  • Organizations realizing the value of security analytics and using big data to gain actionable insights for business decisions.
  • Going back to the basics to invest in security fundamentals will matter more, with a defense-in-depth approach to security and compliance.
Direction for CSOs and Decision Makers:
  1. Invest more in security basics like password policy and training employees to practice security fundamentals.
  2. Embrace emerging fields of data analytics like log management to monitor for user anomalies, threats and breaches in real time.
  3. Make sure hiring is a top priority, given fierce competition for security talent.
IoT developers will be asking “how do I implement security?”
Trevor Daughney, Executive Vice President - INSIDE Secure - Aix-en-Provence, Meyreuil, France

IoT device manufacturers will pivot from asking “why is security needed” to asking “how do I implement security.” The high-profile automobile breaches before and after BlackHat this summer were to IoT what the Target breach was to retail.

Tap, Tap. 2016 is the year of mobile payments and security will be the top consideration of consumers as they consider adoption. Apple Pay, Google Pay and Samsung Pay laid the foundation for a flurry of individual banks and card issuers to roll out their own apps in the coming months. Whether they are successful or not will be in part due to there not being a major breach by any issuer. In general, mobile apps remain poorly protected. And while payment apps are likely to be some of the best secured, expect high-profile exploits of other apps.

Important Issues:
  • IoT Security
  • Mobile Payment Security
  • Content Protection
Direction for CSOs and Decision Makers:
  1. Stop asking why you need security - what's the best and most cost effective way to deploy it
  2. Be aware: Security is moving beyond the network connection.
  3. There will be new security requirements due to continued virtualization of the infrastructure SDN
As enterprise perimeters expand, so will security vulnerabilities
Samson David, SVP, Global Head Cloud, Infrastructure Services & Security - Infosys - Bengaluru, India

It’s no secret that cyber threats are getting smarter and penetrating deeper across devices and different levels. As global enterprises push to scale their businesses through initiatives like cloud and social, information that previously resided in internal hardware will now be strewn across various devices and levels like on-premises, public clouds, social media and mobile. This will leave consumers, businesses and governments on constant high alert for increased risk, vulnerability and exposure.

The Year of Ransomware
Brian Laing, VP of Products and Business Development - Lastline - Redwood City, California, USA

2016 will see a major surge in ransomware. This file-encrypting and ransom-demanding breed of malware hit consumer users hard in 2015. In 2016, we can expect to see a surge of enterprise-grade ransomware variants. And corporations can expect their backup solutions to be tested.

Important Issues:
  • Ransomware
  • Internet of Things. Many IoT technologies are developed by people who do not have any exposure to security issues. They are primarily focused on adding functionality into their product.
Direction for CSOs and Decision Makers:
  1. Defending against any cyber attack requires three things: accurate detection, actionable information, and refined skills. Given the speed with which ransomware can infect and encrypt, CSOs need to make sure their organizations are adequately prepared.
  2. Assume that your network has been infected. Test that your team has the technology, information and skills needed to respond. This will ensure that your key data is recoverable within an acceptable period of time.
  3. Educate your users, making sure they understand the basics of security, and extend the education to home use. Many companies only educate around corporate security needs. An increasing number of attacks will target home accounts and networks as well.
Due to recent terrorist activity, world governments will require backdoors
Kendall Jones, Vice President of Engineering and Product Management - IronKey - Campbell, California, USA

In an increasingly hostile world, governments will not tolerate the use of encryption algorithms without backdoors. The need to track personal communication between potential terrorist cells will outweigh the call for personal privacy. Certain classes of business and government communication may be spared, but these organizations will be faced with regulation and inspection overhead to obtain that privilege. Citizens will need to reconcile the fact that any personal electronic communication is subject to inspection. Financial information such as credit card numbers will continue to be protected, but other personal information such as social security numbers will virtually become part of the public record. Anyone communicating with unbreakable security algorithms for data in transit will be put on a watch list and actively monitored.

Corporations must identify the truly critical data that they cannot afford to expose, and protect and share this data without using electronic transmissions.

Important Issues:
  • Understand new government requirements and how your products need to change to meet those requirements
  • Identify ways to provide competitive differentiation in a world where personal and corporate data is, by necessity, much more transparent
Direction for CSOs and Decision Makers:
  1. Identify how to differentiate critical high-value data and prevent its electronic transmission. Identify ways to share this data non-electronically
Prediction will emerge as the new holy grail of security
Richard Greene, Chief Executive Officer - Seculert - Santa Clara, California, USA

Up until 2014, the cybersecurity industry considered prevention to be their sole objective. Sophisticated enterprises then began to complement their prevention strategies with detection technologies to get the visibility on their infrastructure they lacked. In 2016, prevention will emerge as a new priority with machine learning becoming a key tool for organizations that want to anticipate where hackers will strike. This means the CISO of 2016 will have a new and expanding role. Their responsibilities will shift from managing tedious work cycles on uncovering, analyzing and reporting threats, to an elevated role where they must think proactively and strategically to ensure the greater enterprise can achieve its strategic goals.

Important Issues:
  • Machine learning
  • Analytics
  • Threat intelligence
Direction for CSOs and Decision Makers:
  1. Embrace machine learning and threat intelligence to correlate attack sources and behavioral profiles. This will indicate if your organization’s network or devices have been compromised.
  2. Benchmark your security posture against other companies in the industry. This makes it possible to see how your web gateway is performing, compared to other companies’ gateways.
  3. Find an easy way to showcase visibility into current attacks, allowing for thoughtful discussions with your board of directors. This can also drive conversations around funding for cybersecurity budgets.
Cyberwarfare takes aim to disrupt businesses and the economy
Usman Choudhary, Senior Vice President and Chief Product Officer - ThreatTrack Security - Clearwater, Florida, USA

It’s become increasingly evident that the private sector and our connected economy is our largest vulnerability in a world of cyberwarfare. While stealing corporate and customer data will continue to fuel cybercriminal activities well into the future, 2016 will see an increase in nation states and cyberterrorists with sophisticated networks and advanced cyber tools in their arsenal taking much broader aim at fundamentally crippling businesses and financial markets. However, with new legislation aimed at fostering better information sharing, we’ll also see a more concerted effort and participation among industry and government groups to develop a plan of action and coordinated response to these threats. New partnerships will emerge between the government and enterprises to better defend our critical infrastructure, supply chains and other essential foundations of our economy. While the Sony hack of last year provided a glimpse into the future of cyberwarfare, it also brought sorely needed awareness of the problem into the corporate boardroom – forcing companies to take a hard look at their cybersecurity posture, and evaluate the security tools they have in place to address modern methods of attack, which have been engineered to evade traditional defenses. These are tremendous challenges that will reach well beyond 2016, but heightened awareness and a sense of urgency for action have never been greater.

Important Issues:
  • Identifying the context and progression of attacks
  • Detecting malicious intent through the movement of activity across networks and devices
  • Enabling rapid response through improved analytics and threat intelligence
Direction for CSOs and Decision Makers:
  1. Look for advanced threat defenses that can correlate discovered malware and anomalous network behavior to stop cyber attacks
  2. Take an active role in partnering with industry groups and government bodies that support the sharing of threat intelligence and techniques
  3. Provide guidance to senior leadership related to the solutions, policies and procedures required to shore up cyber defenses
Due to technology shortcomings, humans become a critical security layer
Rohyt Belani, Founder and CEO - PhishMe - Leesburg, Virginia, USA

As part of a layered security approach, companies have invested in technology after technology yet the scale and volume of breaches continues to grow. Attackers are winning because they are outpacing and outthinking technology development. The realization that we must fight fire with fire - and match people against people – is the first step to bridging that gap. Organizations need to enlist their employees as soldiers in the global cyberwar and equip them to fight against hackers. Through technology and immersive conditioning, employees will change risky online behaviors, alert security and response teams to suspicious activity, and reduce the risk of data breaches and compromises as PhishMe has observed time and again.

Important Issues:
  • Combining human and technology defenses
  • System infections will occur; the focus will shift to preventing such infections from translating to large data breaches by minimizing attacker dwell times.
  • As has been the case for the last 6 years, increased use of email social engineering by cybercriminals, nation-state actors and hacktivists alike.
Direction for CSOs and Decision Makers:
  1. Enlist your entire organization in the fight against threats. Invest in making your employees contextually aware and provide them the tools to easily report suspicious emails.
  2. Focus on Prevention of Breaches. The industry gave up. They surrendered and turned to detection and mitigation because the hackers were winning.
  3. Integrate. Integrate. Integrate. Many organizations find themselves with disconnected point solutions meant to address a specific area or threat. Make the most of your investments by ensuring you are connected and sharing the knowledge and intelligence
Cybersecurity products will require minimal on-going human resources to operate
Jeff Hill, Channel Marketing Manager - STEALTHbits Technologies - Hawthorne, New Jersey, USA

Not only is it expensive to employ armies of security analysts, but an acute shortage of professionals with the requisite technical skills to fill these positions renders budget considerations academic. Technologies like machine learning will be increasingly critical, and are likely to proliferate as human intervention in security operations is inevitably minimized. As this reality unfolds, genuine machine learning-based systems will emerge, exposing those hijacking that moniker illegitimately with pedestrian, rules-based analysis. Operational efficiency and staff overhead requirements will trump sexy feature lists as companies look for practical solutions to their security challenges, rejecting pie-in-the-sky solutions in favor of more realistic approaches.

Important Issues:
  • The FTC - filling a regulatory vacuum - has grabbed the cyber security regulation mantle based on law predating WWI, originally designed to break up the Standard Oil Monopoly. Cyber security tech leaders have little appetite for this.
  • In every major recent attack, outside hackers initially stole, exploited and escalated legitimate credentials of “insiders.” Detecting and stopping such authentication-based attacks is our ongoing mission.
Direction for CSOs and Decision Makers:
  1. The biggest threat facing the enterprise is the theft and abuse of credentials, primarily by outsiders. Ensuring that only the right people have the right access to the right data is critical.
  2. Enterprises create more unstructured data with every single document, spreadsheet and presentation. The scale of the unstructured data challenge is huge, and securing unstructured data is imperative.
  3. By taking ownership of unstructured data and protecting against malicious access, CSOs will simultaneously reduce their organization's security risk, fulfill compliance requirements and decrease operations expenses.
Adoption of passive behavioral biometrics for user authentication will increase
Ryan Wilk, Vice President of Customer Success - NuData Security - Vancouver, British Columbia, Canada

As we continue to see the shift away from traditional web-based computing, and the large-scale consumer adoption of mobile, traditional device and PII-based risk prevention techniques will become less effective.

The problem is that mobile devices do not offer the same level of identification as PCs, and the push for ease of use in the mobile space is requiring risk decisions to be made with far less data. Online fraud is a nine-billion-dollar-a-year problem, and on top of that ecommerce false positives are a hundred-billion-dollar-a-year problem. With cyber criminals continually getting better at gaming the system, risk leaders will need to find a new way to both identify their valued customers and identify those who present risk.

The key to this will be ensuring the accurate identification and verification of customers through behavioral analytics, allowing business to become predictive of risk while being able to identify their legitimate customer. Fraud loss shows itself in different ways, whether through the use of stolen consumer data or payment details, or the overzealous risk techniques currently employed by some organizations that in effect would be a valid customer.

Eliminating false positives/negatives across the mobile ecosystem in a frictionless manner will be the key focus going forward in 2016 especially as users are looking for the no-hassle experience mobile is expected to facilitate. The ability to move beyond the machine, and truly know your customer will be the differentiator between companies that move to the next level or get left behind.

Important Issues:
  • Passive / Frictionless User Authentication
  • Focus on identifying the good user
  • Creating frictionless user experience
Direction for CSOs and Decision Makers:
  1. Move beyond the device, know the user on the other side of the machine through passive biometric and behavioral analytics.
  2. Become a facilitator of the business, not a blocker. Security through valid user identification will be key to creating brand loyalty and increased conversion while protecting brand assets at the same time.
  3. Ensure you are using an intelligent multi-layer risk prevention platform that leverages all of its components in real-time and across time to know your user. Your historical data is the most valuable intelligence you have; make sure you are leveraging it.
Greater industry and private sector emphasis on cybersecurity education
Russell Stern, CEO - Solarflare - Irvine, California, USA

Companies are now looking to hire IT personnel that have a cybersecurity background (i.e. DoD, etc.) over candidates with more traditional IT backgrounds (Linux, Unix, etc.) in order to combat the latest threat vectors. However, there is a dearth of qualified IT personnel with the adequate experience and cybersecurity knowledge base to be able to effectively meet the demand. As both the enterprise and consumer companies seek to keep pace with today’s cyberthreats, there will be an increase in attention paid towards cybersecurity education. In addition to increasing investment in both hardware and software based cybersecurity solutions, corporations will increase cybersecurity training, and we will see more educational institutions begin offering this as a specialization.

There will also be greater education regarding the importance of protecting against internal threats. This will include the importance of defending against east-west traffic risks and the need for time stamping and data capture tools for threat detection and post-attack forensic analysis.

Important Issues:
  • The need for increased cybersecurity education both at the corporate and collegiate levels
  • Increased use of data analytics in cyber defense
  • Taking a balanced approach to cybersecurity that incorporates both hardware and software based solutions.
Direction for CSOs and Decision Makers:
  1. Make cybersecurity a companywide priority from the board room to the data center.
  2. Establish a balanced hardware/software approach to cybersecurity management.
  3. Invest more in detection of the breach and mitigation of exfiltration of sensitive data.
Increasing use of web malware isolation systems, blocking browser-borne malware
Franklyn Jones, Chief Marketing Officer - Spikes Security - Los Gatos, California, USA

Immigration is a hot political issue these days. And in a sense, it applies very much to corporate networks. You see, in recent years we have witnessed a steady rise in the immigration of web content that is crossing secure borders into your corporate networks. Some research suggests that web content immigration accounts for 60%+ of corporate network traffic. Most of the content is good but some is bad, which is why businesses have built secure walls – consisting of various security tools such as firewalls, secure web gateways, IPS, AV software, etc. – to keep the bad stuff out.

But alas, these security tools have proven to be ineffective, and bad web content has been able to penetrate the walls, wreak havoc, and escape with your valuable assets. But all that will change in 2016, as corporate networks begin to deploy isolation technology, which effectively prevents all web content – good or bad – from entering the secure network. If you want real change, vote for isolation in 2016. Learn more at www.spikes.com.

Important Issues:
  • Web immigration, which happens when any employee uses any web browser
  • Browsers are strategically important applications, and can’t be eliminated
  • Technologies for detecting/blocking web malware are becoming ineffective
Direction for CSOs and Decision Makers:
  1. Every successful breach is costing your business time, money, and reputation.
  2. It’s time to think differently about network security – and solve the problem.
  3. Deploying isolation technology secures the borders and empowers web users.
APTs will force CISO leaders to “grow-or-go”
Lior Div, CEO and Co-Founder - Cybereason - Boston, Massachusetts, USA

It seems to be generally accepted that Advanced Persistent Threats caught the business community off guard, although we did see them coming - the TJX and Heartland breaches made headlines prior to 2010. Fast-forward to 2016, data is currency – for cyber criminals, it’s seemingly as good as gold. One out of four organizations were targeted by APTs and 66% of organizations believe they will be targeted by them. Clearly, APTs are here to stay. Businesses need to accept that and implement cyber defense strategies that address the reality that they are, and for the foreseeable future will remain, under constant attack by hostile forces.

I’m not saying this is a simple task. If you have not been trained as a soldier, then it is not intuitive to know how to handle a war-like situation, but today’s organizations ARE at war. This leaves them with two choices – adapt your cyber defense strategies to the times, or don’t, and suffer the consequences.

One huge step forward would be to start actively hunting for attackers who are already inside their networks. We have all read enough Verizon and Ponemon reports to know that attackers are not “getting in” - they already are in. So why wait until an alert reveals they finally made a mistake?

I believe that 2015 was the year the business world got the memo that when it comes to cyber security, the world has changed, and that 2016 will be the year they recalibrate their approach to cyber security accordingly.

Important Issues:
  • Active Cyber Defense
  • Corporate Re-orgs around and within cyber security
  • National and global cyber crime laws
Direction for CSOs and Decision Makers:
  1. Don’t fortify defenses based on what might happen, fortify them based on what is happening
  2. Divorce the information security group from IT
  3. Consider the possibility that it might be smarter and less expensive to invest in better cyber defense solutions than bear the costs associated with data breaches.
Security and IT asset management is something to watch
Jason Christensen, Product Marketing Manager - LANDESK - Greater Salt Lake Area, Utah, USA

I feel IT security’s connection to IT asset management (ITAM) is one trend to watch for in 2016. ITAM is becoming increasingly important in the security arena as it deals with lost or stolen hardware, unauthorized system use, mishandling of hardware disposal and even mismanagement of offboarding employees. These security threats can potentially lead to a major breach.

In addition, the unauthorized installation and use of software is a major contributor to malware. End users are pirating software from non-trusted sources leading to increased security risks within organizations.

Important Issues:
  • Faster detection of security threats
  • IT asset management (theft/loss)
  • Implementation of BYOD processes and policies
The gap between operations and security will continue to narrow
Chris Goettl, Program Product Manager - LANDESK - Greater Salt Lake Area, Utah, USA

Security is no longer a luxury for companies who can afford to have a security team — it is a necessity. Those companies with no security team will be looking to mature their security practices within the existing IT organization. For software developers, security products will need to adapt to assist in filling this void.

Advanced API protection becoming mainstream to prevent attacks targeting them
Sam Rehman, Chief Technology Officer - Arxan Technologies - San Francisco, California, USA

In a move to minimize data exposure on mobile devices, organizations are increasingly keeping sensitive data server-side, often relying on authenticated communications from mobile devices through the API to the backend servers. As a result, APIs are under heavy attack and are being targeted by hackers looking to exploit vulnerable API security measures. What was once viewed as “advanced” security measures, such as cryptographic key protection (White Box Cryptography as an example), will become more of a fundamental security measure to shore up security vulnerabilities of those APIs.

Important Issues:
  • Cryptographic key protection
  • Mobile application code hardening and runtime self-protection
  • API protection – hardening the authentication of communications from the API to backend servers that house sensitive data and IP
Direction for CSOs and Decision Makers:
  1. Include run-time application self-protection into your mobile apps to protect your brand and your customers
  2. Use security to your business advantage – customers want to do business with organizations that are most trusted to keep their data private and secure
  3. Don’t wait for security regulations before embracing IoT and mobile – harden application code before your apps are released into the wild and become susceptible to risks such as reverse-engineering and tampering.
Companies will take more inclusive, collaborative approaches to IT security.
Michael Dortch, Senior Product Marketing Manager, Security - Shavlik - Santa Rosa, California, USA

After years of building silos and focusing on largely ineffective perimeter defenses, 2016 will see more companies take more inclusive, collaborative and user-centered approaches to IT security. IT and security teams will increasingly combine user education efforts with tools and processes that make security measures more pervasive, ubiquitous, invisible — and effective. More companies will also share more information with each other about threats and countermeasures, as they realize that no team or company should or needs to fight cybersecurity threats alone.

Important Issues:
  • Windows 10—because Microsoft is still resolving how patches and updates will and will not be delivered, and CSOs need to plan carefully to avoid disruptions of user productivity or business operations.
  • Closing the vulnerability gap—because while vulnerabilities are typically exploited within two weeks of being identified, enterprises typically take 120 days or longer to implement patches to protect against those vulnerabilities.
  • The rise of “SecOps”—because every company needs security, but not every company needs or can afford a dedicated security team. This means that more security functions will be integrated into the workflows of IT and even some business operational personnel.
Direction for CSOs and Decision Makers:
  1. Take a more operational, open and proactive approach to security—less “firefighting,” more “fireproofing.”
  2. Place users at the center of all security efforts—and engage and educate those users to understand that they are the enterprise’s first and last line of defense.
  3. Modernize the infrastructure to maximize agility, resilience and trustworthiness—and start by patching everything. All the time. Starting now.
PKI becomes ubiquitous security technology within the IoT market
Lila Kee, Chief Product Officer - GlobalSign - Portsmouth, New Hampshire, USA

Connected consumer devices are getting a majority of the press these days when the topic of IoT security is presented. Typical scenarios include… “what happens if my connected thermostat or refrigerator or fitness device gets attacked?” In these cases, user privacy and data security are at risk. This directly affects consumers and has a significant financial impact. But what happens when industrial devices and critical infrastructure connect to the Internet and get attacked? The results can be catastrophic. The efficiency gains and financial savings of connecting these IIoT (industrial Internet of things) devices are driving the IIoT market forward. Security and safety are real concerns and device and equipment manufacturers are now looking to build security in right from the design and development stages. PKI has been identified as a key security technology in the IIoT space by the analyst community and member organizations that are supporting IIoT security standards. This coming year, you will see more interest in PKI, how it plays in the IoT market and how it needs to advance and scale to meet the demands of “billions” of devices managed in the field.

Important Issues:
  • Encryption and mutual authentication will be more prevalent inside the protected perimeter in defending against threats from within organizations
  • Identities for things will outpace identities for users
  • More national ID programs and banks will become trusted identity providers (IDPs) with high assurance levels
Direction for CSOs and Decision Makers:
  1. Look at security vendors that can offer flexible and scalable solutions that meet your needs
  2. Follow industry standards development, especially around IoT security standards and frameworks. These will provide you with the blueprints to properly implement security
  3. Remember recent high profile attacks and where they originated from. Understand your weaknesses both internally and externally and execute the measures to ensure security
Machine learning and big data security analytics will supplant SIEM
Karthik Krishnan, Vice President, Product Management - Niara - Sunnyvale, California, USA

Organizations must rethink their monitoring and response capabilities that currently largely revolve around rules and signatures focused on the known bad. These techniques are ill equipped to handle today’s security demands as there is a need to detect advanced attacks focused on credential theft, privilege escalation, lateral movement and abnormal access to sensitive assets, without preconfigured signatures or rules to help detect them.

Machine learning can help customers detect and investigate these attacks without signatures or rules. User and entity behavior analytics can baseline normal behavior, spot abnormal patterns and more reliably attribute malicious intent. Solutions that will help the customer will not only focus on detecting these anomalies, but also help customers investigate them efficiently with rich and meaningful context.

Important Issues:
  • Contextually aware security analytics
  • Machine learning enabled data-based security
  • Incident investigation and response
Direction for CSOs and Decision Makers:
  1. Elevate monitoring and response as a first-class citizen alongside real-time attack detection and prevention for a meaningful security posture
  2. Look at machine learning-based analytics, not as ways to help solve all security needs, but to meaningfully help security teams become more productive by focusing their efforts on the attacks that matter
  3. Stay away from security analytics solutions that offer results without explanation. Request product trials first before purchasing.
Biometrics and BYOAuth in enterprise security will be contextualised
Chris Russell, Chief Technology Officer - Swivel Secure - Wetherby, West Yorkshire, England

Following widespread consumer adoption of mobile biometrics in 2015, most notably Apple’s TouchID, the use of biometrics and Bring Your Own Authentication (BYOAuth) will gain traction in the world of enterprise security.

2016 will see biometrics and BYOAuth scrutinised and contextualised, not as a ‘silver bullet’ but as a convenient means of reconfirming an employee’s identity in an increasingly complex network access environment.

The problem lies in how biometrics are stored and managed. An enterprise-class authentication solution must centralise control of both the user enrolment and the Y/N validation processes, otherwise it is unable to identify each user profile’s fallibilities. But centralising biometric data is an emotive topic; databases can be hacked and a user has just ten unreplaceable fingerprints, for example.

Today’s enterprises manage an unprecedented number of user-access gateways. To balance security with convenience, tomorrow’s authentication solutions must therefore apply exactly the right level of visible security as is appropriate to the access request, taking into account factors such as the user’s location and the device they are using to access the network. Only adaptive two-factor, or multi-factor authentication – presenting something you have and something you know – can provide the ‘layers’ needed. At most, device-enrolled, device-stored biometrics might be applicable as an additional factor but are not going to be deployed as the only authentication method. For this reason, the enterprise biometrics debate will shift toward enterprise-friendly ‘behavioural biometrics’ like typing style, and software interaction habits, which can passively reconfirm a user’s identity while they work.

Important Issues:
  • Recognizing the need for adaptive and risk based authentication.
  • Managing the growth of BYOD and a ‘culture of convenience’ where usability is prioritised over security.
  • The need to educate employees on the risk of data breaches and how easily valuable enterprise data can be compromised. To educate employees that “Authentication is good for you”.
Direction for CSOs and Decision Makers:
  1. Implement regular risk assessments which take a holistic view of company data, assess what is ‘business-critical’, and then establish the access control parameters that work best for your company.
  2. Invest in authentication and other security solutions that can adapt to the changing threat environments.
  3. Remove reliance on password authentication from your corporate network and deliver authentication through a standalone platform.
Cyber attackers will move their attack infrastructure to the Cloud
Patrick Murray, Vice President of Products - DataVisor - Mountain View, California, USA

Businesses and consumers are not the only ones moving to the cloud. In 2016, we expect to see the continued migration of cyber-attack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud services such as AWS, Azure and Google Cloud are already victims as fraudsters register a massive number of free, trial accounts and use their computation infrastructure to conduct attacks. Other popular cloud services, including dedicated/virtual hosting (e.g. OVH, Quadranet, Ubiquity Hosting, etc.) and anonymous proxies (e.g. PureVPN, ZenMate), will also become increasingly common among online criminals. Cloud allows cyber attackers to significantly increase the number of attack campaigns they can conduct, attributed to the elasticity and compute capacity of these services, and allows them to easily hide behind legitimate network sources and thus remain anonymous.

In order to protect consumer-facing mobile apps and websites from attacks launched from the cloud, you need to go beyond simple IP reputation databases and rules/models-based systems to detect these well-organized attack campaigns, since one cannot naively block traffic from the cloud infrastructure. In fact, in our observation, the traffic from cloud infrastructures is highly mixed with both good user and bad user activities. The industry needs to change to more advanced solutions that can distinguish malicious traffic emitted from cloud infrastructure precisely.

Important Issues:
  • Large cyber attack campaigns via Cloud services
  • Anonymous proxies and VPN services used to evade detection
  • Limitations of legacy reputation and rules/models-based systems
Direction for CSOs and Decision Makers:
  1. Do not rely solely on IP reputation & rules/models-based systems to catch malicious campaigns
  2. Be careful not to block legitimate traffic coming from cloud services using naïve security methods
  3. Consider adopting advanced Big Data security analytics to detect Cloud-based attacks
Business-critical application security
Mariano Nunez, Chief Executive Officer - Onapsis - Boston, Massachusetts, USA

The next big wave of attacks will continue to be aimed at business-critical applications running on SAP and Oracle as they are the ultimate economic targets for cyber crime. These systems house an organization’s most important business data and processes including customer data, product pricing, financial statements, employee information, supply chain, business intelligence, intellectual property, budgeting, planning, forecasting and more. They are also currently the biggest blind spot for many Chief Information Security Officers. This new class of breaches is increasingly in the spotlight as witnessed in the first widely and publicly reported breach involving USIS, a supplier of OPM and DHS.

Important Issues:
  • Business-critical application security, and the broad-reaching impact of security vulnerabilities across an organization.
  • SAP and Oracle Cloud security, and its inter-reliance on next generation business-critical applications moving to the cloud.
  • Behavioral analysis and correlation of security issues to business context as well as threat intelligence across like industries on business-critical application attacks.
Direction for CSOs and Decision Makers:
  1. Map your SAP and Oracle landscape – Find out if you have 1 or 100 SAP or Oracle systems, understand the business processes that each system supports and understand the information that each system houses.
  2. Understand the value chain that SAP and Oracle systems and applications support. Also calculate the dollars that the platforms manage at your organization.
  3. Map Policies with an SAP security lens (i.e. SAP Security Guidelines) as well as authoritative sources (SOX, PCI) and perform assessments to identify critical compliance gaps.
IoT leads to physical disruption and new enterprise defenses
Haiyan Song, Senior Vice President of Security Markets - Splunk - San Francisco, California, USA

In 2016, IoT will become a significant threat surface, leading to greater physical disruption that will force enterprises and other infrastructure operators to adapt to the new threats. Cyber attacks have historically caused little physical damage, but with the proliferation of IoT and our dependence on Internet-connected systems and devices, we will see IoT systems create opportunities for hacktivists to access and productize information. Beyond the traditional connotations of the damage caused by cyber attacks, we’ll start to see cyber attacks resulting in more physical damage, such as a terrorist organization destroying a power plant by accessing its Internet-connected industrial control system.

For the enterprise, the intersection of organizations and IoT will become a focus of the cyber conversation very quickly as businesses have to evolve to manage this new threat surface. With the growing amount of smart sensors and systems in today’s enterprises — and their low level of identity authentication — organizations will need to find ways to monitor IoT devices for cybersecurity protection. As a result, new IoT solutions will emerge focused on monitoring and detection, analyzing the behaviors of IoT devices to determine when something is amiss. These solutions could eventually help enterprises segment IoT-related devices and systems from their corporate IT networks to ensure they do not become an entry point for attackers. For example, an organization might disconnect its smart sprinkler system watering the garden from its central IT system for security purposes.

Important Issues:
  • Behavioral analytics and machine learning
  • Cybersecurity operations among enterprises
  • Identity authentication and compromised credentials
Direction for CSOs and Decision Makers:
  1. Develop and be deliberate about cybersecurity operations and threat intelligence within your organization, as this will become a competitive advantage.
  2. Leverage machine learning and data science for behavioral analytics and anomaly detection, since these will become less about human credentials and more about machine-to-machine and service-level credentials.
  3. Focus on automating security analytics and anomaly detection to make it less dependent on humans, reducing the need to hire skilled analysts for your organization to detect and respond to threats.
IoT devices will be hacked on a whole new level
Chris Rouland, Founder & Chief Technology Officer - Bastille - Atlanta, Georgia, USA

2016 will be the biggest year we have seen so far of “things” being hacked. From Cyber Barbie becoming part of the kill chain, to planes, trains and automobiles; the blood is in the water and hacking “stuff” is more interesting than finding bugs in a web browser.

Important Issues:
  • IoT Security
Direction for CSOs and Decision Makers:
  1. Enterprises need to start protecting the whole wireless RF spectrum, not just one protocol.
Data-centric security becomes mainstream, displacing traditional, control-oriented techniques
Rich Campagna, VP, Products and Marketing - Bitglass - Campbell, California, USA

The goal of information security has always been to protect data. For decades, the way that we have done that is by controlling the underlying infrastructure. We manage and lock down devices in order to keep data safe on endpoints. We lock applications and databases in private data centers behind layers of security devices. In both cases, the underlying infrastructure (app, network, device) provides the control point we need to protect wide swaths of data simultaneously.

With cloud and mobile, we no longer control that infrastructure - our data has moved beyond the firewall. Our inability to control and manage the applications, network and devices means that we must protect data by focusing on the only remaining control point - the data itself. With cloud first strategies becoming the majority in 2016, data-centric security becomes mainstream.

Cloud Access Security Brokers (CASBs) are an example of such an approach - providing data-centric security anywhere data goes - in the cloud, at access, on the device and on the network. With Gartner predicting that by 2020, 85% of organizations will use a CASB to protect cloud data, the shift has already begun. Such rapid adoption means that more enterprises, including the very security conscious and heavily regulated, will be able to enjoy the productivity gains, cost savings and increased agility that cloud and mobile promise.

Important Issues:
  • Concerns over the ability to restrict cloud data access from unmanaged devices.
  • Preventing cloud data leakage and controlling access, especially external sharing of sensitive data.
  • Preventing hacked accounts.
Direction for CSOs and Decision Makers:
  1. Augment built-in capabilities of cloud apps with a data-centric solution that offers more visibility and control over data.
  2. Focus on employee concerns, including privacy and user experience, to encourage adoption and minimize shadow IT.
Security’s human capital shortage will become more pronounced and disruptive
Joan E. Herbig, CEO - ControlScan, Inc. - Alpharetta, Georgia, USA

Cybersecurity is expected to become a $170 billion worldwide market by 2020, yet qualified cybersecurity professionals are not emerging at a pace that will match this need. In fact, Symantec has gone on record with its estimate that by 2019, only 75% of cybersecurity seats will be filled at any given time. Partnering with a Managed Security Service Provider (MSSP) is one of the best ways to address this talent shortfall, because the MSSP leverages in-house security expertise and round-the-clock staffing to augment its customers’ IT resources. This Security-as-a-Service (SECaaS) model solves for the impending cybersecurity labor shortage and provides the added benefit of freeing up in-house IT and IS staff to focus on areas that drive business growth. Now is the time for organizations to explore SECaaS in order to successfully transition as the human capital shortage—and the cyber threat landscape—becomes more pronounced and potentially disruptive.

Important Issues:
  • Managed security services
  • Asset management and control
  • Vendor management
Direction for CSOs and Decision Makers:
  1. Leverage managed security services so you can focus more time on aligning security with business objectives
  2. Implement strong controls around your physical and digital asset inventories
  3. Establish a formal vendor management program so as not to unwittingly create security vulnerabilities
The hype around biometrics for authentication will burst
Morey Haber, Vice President of Technology - BeyondTrust - Phoenix, Arizona, USA

2015 brought news that the victims of the OPM fingerprint breach expanded to over 5 million prints. It's for this reason that the safety of biometric data should really be questioned and discounted as a viable means for authentication. Multiple techniques are available for using this very type of information to create fake fingerprints to bypass biometric scanners, plant false fingerprints, or even falsify applications that need fingerprint data using traditional ink techniques. While vendors gather around biometrics as a holy grail for authentication, it is breaches like this that put the entire concept in jeopardy for the masses.

Important Issues:
  • Protecting permissions and access.
  • Making alerting and alarms more efficient
  • Security cannot be sacrificed for the sake of “cool” technology
Direction for CSOs and Decision Makers:
  1. In addition to incident response, expand processes to include law enforcement.
  2. Consider revisiting existing technology and optimize costs and coverage with integrated solutions from single vendors.
  3. Identify “What's at Stake?” or the “Crown Jewels” which dictate all security initiatives moving forward, versus a broad stroke approach.
Isolating malware will be essential for coping with new threats
Israel Levy, CEO - BUFFERZONE - Tel Aviv, Israel

The intensity and frequency of the attacks will grow exponentially and will be the first topic of discussion in any board meeting in the corporate world. In addition to the business motivation to attack (ransom, obtaining personal information, etc.), we will hear more about hacktivists and terrorists using cyberattacks.

Executives will conclude that the perimeter defense isn’t working and IP reputation will continue to lose its effectiveness. As a result, anti-virus technology will be continuing its descent from the Windows world.

This is why separating environments and containing threats, as proven in the physical world, will prove to be the best immediate measure of defense.

Important Issues:
  • Protecting the endpoint (the biggest attack surface)
Direction for CSOs and Decision Makers:
  1. Focus on your weakest link in the security chain - end users.
The number of reported data breaches will swell dramatically
Conrad Smith, Chief Information Security Officer - Bitium - Santa Monica, California, USA

How this impacts you depends upon where you sit. If you are the person who has private data made public again and again, the constant barrage of carefully worded letters offering free credit monitoring will be of ever decreasing value and solace. If you are the organization that had custody of that data, then you can look forward to expending a significant lump of cash and effort dealing with the response, regulators, lawyers, and everyone else that wants a piece of you.

The winners in 2016, at least in the short term until they are caught or stopped, will unfortunately be those perpetrating the breaches. Success breeds success, so copy-cats and existing criminal groups will enter into the profitable world of stolen private data commerce. The beauty of this crime is that it is relatively easy, has a global pool to fish from, and there is no end in sight to the potential revenue stream. Finally, the other winners are the vendors that sell security products and investors that continue to pour money into them. Information security used to be an afterthought, but is now the Cinderella to the ugly IT sisters. New security vendors pop up constantly, and those more mature will be subsumed into larger vendors that wish to stay relevant and flesh out their product portfolio.

Important Issues:
  • Cloud services security controls and monitoring capabilities
  • Transition of the information security function to becoming an internal service provider
  • Breach incident response
Direction for CSOs and Decision Makers:
  1. Adoption of cloud services unknown to you is happening somewhere in your organisation. Reach out to stakeholders to help them understand the risks, and help them do it securely.
  2. Ignore the FUD focused on marketing the myriad of emerging technologies, and instead focus on improving and fully utilising the attack mitigation technologies that you have today.
  3. Take time to perform an assessment of your security program maturity from a strategic level, be honest with yourself, and be realistic when developing your roadmap for improvement.
Cyberattacks will get much more physical
Tim Liu, Chief Technology Officer - Hillstone Networks - Sunnyvale, California, USA

Traditionally, cyber-attacks targeted companies to steal information. Today, people are using more connected devices, home surveillance, wearables, home appliances and automobiles. Companies are also bringing control systems online to improve communication and increase productivity. Therefore, hackers are now increasingly targeting these devices for opportunities for monetary gain. For the past year, we have seen ransomware, extortion against individuals. We have also seen attacks on control systems in manufacturing and utilities that disrupt service and operation. We will see cyber-crimes that are committed by a combination of online hacking with offline activities.

Multiple layers of protection will remain the best preventative action
Sanjay Sahebrao Katkar, Co-founder and Chief Technical Officer - Quick Heal Technologies, Ltd. - Pune, Maharashtra, India

According to a threat report recently issued by Quick Heal, in 2015, the number of spam emails categorized as malicious spiked, with approximately 36% of all emails including either a tracking cookie, attachment or malware designed to infect the receiver’s computer. Adware is also especially dangerous for PC-based corporate networks, and Quick Heal labs expects Adware malware authors to use more sophisticated tactics to trick PC users going into 2016. The best preventative action is to ensure that you have multiple layers of protection in your organization. A single line of defense is no longer enough, regardless of the threat. These layers can include AV, Application Monitoring, Content/Web Filtering and Data Loss Prevention (DLP).

Important Issues:
  • Mobile malware threats will only escalate: mobile device management can close gaps in network security and will become more important in 2016.
  • Data loss prevention is the fastest growing security segment. Security vendors need to understand the different types of DLP offerings and the role they each play.
  • Ransomware malware will remain a key challenge for the IT security world and is now seen as on par with a significant data breach.
Direction for CSOs and Decision Makers:
  1. Perform regular security audits, train employees on best practices to safeguard their data and the network, and maintain multiple layers/multiple levels of security protection including AV, Application Monitoring, Content/Web Filtering and DLP.
  2. Be vigilant from a global perspective. Threats that are emerging on other continents may eventually pose a potential threat in your region of the world as well. Stay abreast of global IT security news and best practices for addressing these threats.
  3. No organization is too big -- or too small -- to fail. That's why seeking outside expertise is imperative. Turn to third-party experts to help you ensure you're not operating in a vacuum, and covering all the IT security bases and beyond.
More enterprise API attacks as everything gets connected through APIs
Roberto Medrano, Executive Vice President - Akana - Los Angeles, California, USA

More and more enterprises today are doing business by opening up their applications through APIs. Through forward-thinking and strategic exposing of APIs, the surface area for potential attack by hackers is dramatically increased. To benefit from APIs while staying secure, enterprises and security architects need to continue to develop a deep understanding about API security and how it differs from traditional web application security, or mobile application security.

Important Issues:
  • Mobile device and IoT access and data risk mitigation
  • Identity theft during data packet transactions among APIs
  • Securing repurposed internal-facing APIs so they can be used with customers and partners
Direction for CSOs and Decision Makers:
  1. Leverage, and secure, APIs so they can be used across all areas of your digital business
  2. Secure the usage that will come from massive increase in user access
  3. Invest in analytics tools to understand how users access your applications
2016: The year all industries become “regulated industries”
Ronald Hovsepian, Chief Executive Officer - Intralinks - Waltham, Massachusetts, USA

The striking down of the Safe Harbor agreement that has governed data flows between the U.S. and Europe is only the tip of a regulatory iceberg. In 2016, we will see a regulatory domino effect that will occur country by country, region by region, and state by state, as governments take steps to protect citizen data, preserve national security interests and build legal fences to protect local businesses. And, since these evolving rules will be determined within various governments, with different privacy concerns driving each set of regulations, we’re likely to see chaos before consistency. Remember when financial institutions scrambled to comply with the Dodd-Frank act? This will be similar, but on a global scale. Organizations will have to localize data policies. Each region will have a specific set of data handling guidelines, as well as separate guidelines for communicating data externally. As a result of these policies, organizations also will no longer be able to use centralized repositories, and instead will need to rely on multiple repositories, each subject to the specific region’s regulatory oversight. Businesses will also have to ensure that all of their cloud vendors also meet the data guidelines set within each region in which they do business.

Important Issues:
  • Safe Harbor 2.0 – falling in line with whatever new regulations are agreed upon between the U.S. and the E.U. by January 2016.
  • Data sovereignty – ensuring your customers have control over who accesses their data wherever it travels.
  • Minimizing risk as the attack surface expands – BYOD, wearables, consumer-grade file sharing applications are everywhere in the workplace
Direction for CSOs and Decision Makers:
  1. Ask all of your vendors how they plan to ensure that data transfers are compliant with EU and all other global data sovereignty laws.
  2. Consider hiring a Chief Privacy Officer, someone with international privacy law experience, to build a framework for data privacy governance and for navigating the interplay of business processes and technology.
  3. Consider asking your cloud and data storage vendors to supply you with customer managed encryption keys.
A leading fantasy sports site will suffer a major hack.
Stephen Newman, Chief Technology Officer - Damballa - Atlanta, Georgia, USA

There’s big money in fantasy sports. According to the Fantasy Sports Trade Association, Americans spend about $15 billion playing fantasy sports. That’s about 32 million Americans each spending $467. Consider that each of those 32 million Americans also provides their name, address, email address, billing and/or credit card information, and you’re also looking at a truckload of customer data that could turn a reasonable profit on the black market.

Fantasy sports have not been immune to security threats. About two years ago application security testing firm NT OBJECTives discovered a vulnerability in Yahoo’s Fantasy Football mobile app. If exploited, attackers could change team lineups and post imposter comments on message boards. More recently, a DraftKings employee admitted to accidentally posting confidential data, which led to accusations of insider trading. This type of activity is likely to reoccur, if not in the realm of fantasy sports then perhaps in the world of financial trading, where traders trade in other accounts so they don’t get caught.

At any rate, we predict that one of the leading fantasy sports sites – FanDuel or DraftKings – will suffer a major hack in 2016. Attackers will be looking to steal customer data or manipulate results to win big pools, which can total hundreds of thousands of dollars.

2016 will mark the end for security unicorns
Carson Sweet, Chairman & Chief Strategy Officer - CloudPassage - San Francisco, California, USA

Overvalued startups will fold: a disaster for investors, customers and employees. Customers need to be careful now who they choose as their security vendor.

Important Issues:
  • Continued explosive growth of cloud infrastructure adoption, this time driven as much by IT as business units.
  • Consolidation of cloud security vendors. Smaller companies with tech and talent will be folded into larger vendor tech stacks. Legacy vendors are learning it's not easy to build security tech.
  • Chip and pin (chip and signature) will fail to stem credit card fraud. Hackers are now going after the databases. And, there are still droves of companies not encrypting credit card data correctly.
Direction for CSOs and Decision Makers:
  1. Platforms vs. tools: 2016 will see the emergence of integrated, on-demand platforms that will allow CISOs to replace much of their tool sets and do away with "tool fatigue."
  2. The benefits of threat data sharing edicts and threat clearing houses are going to be tepid at best for commercial entities. It's hard to implement, there's a ton of work to be done, and companies are afraid information will slip out.
  3. The talent shortage in security will continue to be a problem. But more individuals and universities will sponsor programs around security and IoT security.
Hackers will use IoT devices as springboards into corporate networks
Jason Sabin, Chief Security Officer - DigiCert - Lehi, Utah, USA

The exponential growth of the IoT and the connected devices and objects that come with it greatly increases the attack vector for data thieves. As more wearables and smart devices make their way into the workplace, enterprise IT faces new threats and needs to advance its policies in order to protect valuable corporate data. Increasing use of identity authentication and encryption will play a key role in making sure that only authorized devices access sensitive data.

With the need to increase the use of authentication and encryption at the scale that the IoT demands, more organizations will look to public key infrastructure (PKI) and digital certificate management solutions to secure data in transit. More efforts will be put in place to encrypt data exchanged over the Internet by default.

Important Issues:
  • Authentication and encryption for growing number of IoT devices and products
  • Trustworthy deployment and management of digital certificates at-scale to increase TLS protection of data in transit
  • Industry collaboration to standardize key security protections
Direction for CSOs and Decision Makers:
  1. Authenticate and encrypt everything, particularly as the IoT continues to grow.
  2. Make use of smart sensors and tracking to know where your security assets are deployed and that they are properly configured.
  3. Establish your policies for how IoT devices may be used within the corporate setting. Establish policies and procedures to secure access to corporate data.
Employing technology to support GRC will not be an option
Ketan Dholakia, Co-founder & SVP R&D - Maclear - Lisle, Illinois, USA

In today’s changing business landscape organizations face a complex environment of risk, internally and externally. Geopolitical, financial, operational, legal, and regulatory environments produce compound risks for organizations to manage. Governments are increasing scrutiny of organizations, stakeholders demand transparency, clients want assurance the organization is reputable and business partners require commitments to compliance and ethics.

Poorly managed risk and compliance generates complexity, redundancy, and failure. Too often organizations are reactive and lack a cohesive strategy. This isolated and periodic snapshot approach to risk and compliance causes organizations to spend excessively on internal management and external auditors.

Organizations are learning that often activities overlap and risks interrelate to create a much larger risk environment than each independent area. A seemingly insignificant risk in one area of the organization can have profound impact in another. Many have already invested in a variety of risk processes and functions, but this silo approach leads to a myopic view of GRC within the enterprise — a lack of imagination, foresight, and intellectual insight.

Many companies have not included risk management in the strategy-setting and performance management processes. A common GRC framework and software platform across the finance, operations, engineering, quality, and other organizational silos improves visibility, reduces liabilities, and drives better business performance.

One thing is certain, risk and compliance burdens are not going away. Not too long ago the use of technology to support GRC was an option, but no longer. Today, the thoughtful application of technology solutions is essential to achieve better business performance.

Important Issues:
  • Continuous monitoring
  • Integrated Security
  • Know your Vendor's Vendor
Direction for CSOs and Decision Makers:
  1. Employ technology to free up risk and compliance resources
  2. Leverage technology to provide an enterprise view of risk and compliance
  3. Reduce duplication and improve data integrity using technology
Humans, not technology, are key to security
Michael Baker, Principal - Mosaic451 - Phoenix, Arizona, USA

With security vendors all touting their software or hardware as the one missing link in cybersecurity, it’s best to remember that technology is simply a tool. Most data breaches are not due to a lack of technology, but ignoring the human factor. Michael Baker, Principal at Mosaic451, a bespoke cyber security services provider and consultancy, warns organizations not to fall into the trap of thinking technology is “magic”, but rather ensuring that the professionals tasked to oversee Security Operations Centers (SOCs) are of the highest caliber. Technology and its tools are only as good as the people using them. Worse yet, technology such as security software and firewalls can lull CIOs into a false sense of security. They think that as long as they have the latest and greatest technology, they are safe. Unfortunately, this is far from true. The tools of security technology are only as good as the people using them. Without security personnel of the highest caliber and deep experience, cybersecurity breaches will continue unabated.

Important Issues:
  • Human personnel
  • Big data
  • Rapid response
Direction for CSOs and Decision Makers:
  1. Don't Buy "Magic", Do the Hard Work
  2. Focus on People, Not Technology
  3. Data Breaches are Inevitable without Planning
Continued growth of public cloud adoption
Sanjay Ramnath, Senior Director of Product Management - Barracuda Networks - Campbell, California, USA

The growth in public cloud adoption will force companies to rethink the way they secure their resources, and will encourage service providers to develop new security and networking tools that are native to cloud platforms. These new tools will be easier and faster to deploy, and might be handled by an MSP. This approach means that business moves faster, resources are right-sized, and time-to-value is reduced. Cloud adoption presents different types of challenges based on the migration scenario. Many companies are only planning to migrate some of their assets to the cloud. They want to leverage the benefits of the cloud where they can, while keeping some resources on-site as needed. In this type of hybrid scenario, Technology Managers will be looking to deploy the same security in the cloud as is on-premises, and to be able to securely connect the on-premises and cloud components. These companies may also need networking and segregation capabilities in the public cloud.

A company that has no existing on-premises servers or applications may choose to deploy only to the cloud. In this scenario, Technology Managers may struggle with security questions. How secure is the application? Who is responsible for server security? Is the deployment in compliance with regulations?

To solve these problems, companies will require solutions that ensure continuity and compliance, prevent data loss, and provide comprehensive protection for applications and data, and that are designed to meet the challenges of public cloud and hybrid deployments.

Important Issues:
  • Rapid Adoption of Office 365
  • Increase in Targeted Attacks (command-and-control and data capture and exfiltration), phishing, social media threats, hacks and data leaks.
  • Increased network dispersion via locations, cloud services, and adopting mobility.
Direction for CSOs and Decision Makers:
  1. Move to Office 365 -- Prepare your networks to handle the traffic and availability requirements as well as improve reliability. Also prepare your data by consolidating legacy email archives. After the migration, operate with the same level of security, compliance and data protection you had around on-premises email infrastructure.
  2. For Targeted Attacks: Proactively secure all Internet threat vectors with comprehensive security against targeted attacks. Advanced threat detection and sandboxing must be included in securing every threat vector. Integrate simple, affordable, best-of-breed security components to provide protection against advanced threats across all Internet threat vectors.
  3. For Increased Network Dispersion: mitigate network complexity by managing dispersion. Extend your security posture to include security for those users while ensuring secure access to network resources. Centralized policy management and reporting will be key to maintaining a uniform security policy for on and off-network users.
SAP Security must be simplified to make it understandable again
Johan Hermans, CEO - CSI tools - Herent, Belgium - Europe

SAP systems contain confidential and business critical data and this data needs to be secured. SAP security projects consume enormous budgets without really improving the security. This is caused by misunderstanding the basics of SAP security: the SAP authorizations. Instead of defining SAP access governance at a high management level, most companies tackle SAP access governance on a very detailed technical level and they try to define all access paths to the data and translate these access paths into a rule set. People are making security too complex. Because of the complexity nobody understands the security and the focus on the real risks is no longer there. Simplify the complexity of security by splitting it into two layers, a governance layer and a technical layer, so that access governance becomes transparent; management can focus on the governance aspects and the technical people can focus on the technical layer and get the instructions through the governance layer.

Important Issues:
  • Cyber security
  • Innovation
  • Focus on the Good guys instead of the bad guys
Direction for CSOs and Decision Makers:
  1. Simplify security, focus on the real risks
  2. Implement SAP security by implementing the correct tooling
  3. Do not only focus on SODs