InfoSecurity Professional INSIGHTS Archive: December 2019
What (ISC)² Members Expect to be the Biggest Security Issues in 2020
Folks, we’ve got a problem … lots of problems, actually.
During the 2019 (ISC)² Security Congress in Orlando, we asked dozens of attendees, speakers and vendors what their top security concern would be during the first half of 2020. We got plenty of responses, from election security and data sprawl to IoT and the cybersecurity workforce shortage—and many, many more.
Some involved DevSecOps, as companies lean heavily on application developers to build first, then add protections, instead of baking security into the process. Then there’s the rapid-paced nature of app development overall. “It boils down to cyber resiliency. We’re moving so fast to build applications that we overlook some of the basic items,” explained one member who wished not to be named due to the sensitive nature of his job. “We’re taking shortcuts and we will fail or have gaps that leave us open to adversarial attacks in our CI/CD pipelines.”
We had so many different responses, in fact, that there doesn’t appear to be a singular threat we can all get behind. Instead, it appears that many of the concerns plaguing the cyber world now will continue for the next six months (yeah, no surprise). So, as we round out this year, you may want to cut back on the spiked eggnog or other holiday libations. We’re in for a giant collective headache—with or without a post-holiday hangover.
Here are some of our favorite responses, paraphrased in some cases and directly quoted in others.
Election security
Among fears surrounding election security is deliberate misinformation that will create doubt in the process, like a posting on social media that says a polling place has been changed, when it hasn’t been. Who is doing this? “Anyone who wants to discount democracy, anyone who wants to cause doubt.”
Nikki Milburn
Director, Information Security, Franklin County (Columbus, Ohio) Data Center
IoT without restraints
The proliferation of smart devices in both consumer and business spaces will continue to grow, as will the threats posed by the smart speakers and doorbells and appliances that remain outside any government control. “There will be regulation eventually. It will be the government or a large commercial entity that drives it. If you’re writing the standards, you’re in charge.”
Brent Kelley
VMware
Too much data … and not enough cyber help
“Data sprawl. Also, the shortage of skilled people.”
Andrew Neal
Former President of Information Security & Compliance Services, TransPerfect Legal Solutions
Third- and fourth-party risk management
“How far does my business strategy go? How do we figure out our obligations? What is my responsibility for the fourth party and all the way out?”
Jennifer Sosa
Director for Information Security & Compliance Services, TransPerfect Legal Solutions
How to ensure regulatory and legal compliance
“Enforcement of compliance. How to enforce best practices. What are you really enforcing if it hasn’t really been defined?”
Derrick Butts
Chief Information and Cybersecurity Officer, Truth Initiative
Adapting to rapid change
“Change! New tech standards. New platforms. Virtual technologies and the innovation in cybersecurity impacts everything.”
Curtis Keliiaa
Senior Network Engineer / Principal Investigator
Communication with business
“Effective communication with business management. People in the [cybersecurity] profession struggle with relating to business. They’re too involved with technology. We need more communication with business leaders on their terms. Entering their world without realizing that we need to advocate for our advisory role. Make recommendations not decisions for business.”
Bill Campbell
President, Predictable Solutions
Workforce shortages
“[There are] not enough of us! Computer-to-computer communication has expanded so much. Every time we open up the number of entities that can talk to each other, we expand the attack surface hugely.”
Hoyt Kesterson
Senior Security Architect, Avertium
Privacy and data encryption
“Technology is not keeping the human in mind. Everything we sign up for—we are now the fuel for the products. [We] need to insist on consistent data encryption. We must monitor constantly.”
Michael Leland
Chief Technical Strategist, McAfee
Privacy for everyone
“I think we’ll have a national privacy law within two years.”
Harvey Nusz
Capgemini Consulting
The loss of basics, perimeters and ‘clean’ elections
“There are three main concerns surrounding cybersecurity in 2020. First is the loss of basic skills. The fact is people are doing things that are ‘unclean’ and were instinctive 10 years ago. I go into shops and find people are no longer using antivirus software! We’ve forgotten the little stuff.
“Second is the loss of the ‘walled garden.’ As we move stuff into shared infrastructure (‘the cloud’), there is no longer a hard, crunchy shell around the assets that need to be safeguarded. We’ve reached beyond the protection of platforms and must now protect data directly.
“Third, 2020 will focus on the active interference of hostile entities into our democratic processes. This doesn’t mean Russians or Republicans; this means general malicious activity within the electoral and civil processes.”
Michael Weisberg
Garnet River, LLC