As the year winds to a close, CISOs across industries assess the past year and plan for the security challenges they will face as they head into 2016.
Security Current heard from several key CISOs about what they think will be the most important issues in cybersecurity in 2016.
Read their insights here:
Joe Adornetto
Quest Diagnostics CISO
In 2015, three of the five largest data breaches were in healthcare. This latest evolution in the threat landscape places our industry in the crosshairs and as a healthcare provider we need to be prepared for an incident.
The ability to detect and manage an incident becomes a fundamental process as we focus on cybersecurity, particularly in areas of APT detection, communications, remedy & response, and threat intelligence.
Roota Almeida
Delta Dental of New Jersey Head of Information Security
The health care industry will continue to be a prime target for cyber criminals. No other single type of record contains so much Personally Identifiable Information (PII) that is often linked to financial and insurance information and can be used for various attacks. “Get ready for Medical Identity Fraud!”
Additionally, breaches in the past couple of years have wreaked havoc on many brands and reputations. Due to this, board and the C-suite will have an appetite for offloading the risk to insurance providers. Cyber insurance will gain velocity and popularity in the coming year.
Bret Arsenault
Microsoft Corporation CISO
In the world of cybersecurity, each year brings new threats against our networks and devices, but also new opportunities and innovations to protect against malicious actors.
As we look ahead to 2016 and protecting against the next generation of cyberattacks, it will be critical for businesses and organizations to focus on improving their existing safeguards, rather than focusing only on the types of attacks themselves. Interestingly enough, the most effective preventative actions aren’t necessarily cost-prohibitive – like robust monitoring systems, proper employee training, and a strong identity lifecycle process.
Keeping a pulse on internal security measures is just as important as protecting from external threats. While the external threats keep evolving, we all need to be diligent about building a pervasive security culture, in which employees have the necessary awareness to practice smart cyber hygiene and to make safer online decisions.
Devon Bryan
ADP Vice President Global Technical Services (CISO)
With 2015 being appropriately dubbed as ‘the year of the ‘mega breach’ and with the increasing sophistication and stealth with which miscreants have been launching their attacks, the predictions for 2016 are quite ominous.
Despite the increased penetration of EMV (Europay, MasterCard and Visa), I’m not anticipating significant declines in retailer financial crimes in 2016. I’d expect that in 2016 the overly hyped market predictions regarding cyber insurance adoptions would actually start materializing. I’d expect more dramatic transformation in the bloated end-point protection space with AV actually being replaced. I’d expect to see explosion in the ransomware space and specifically DD4BC variants. I’d also expect to see dramatic developments in uber mobile malware. Based on the current tensions in global privacy I’d expect some significant developments in US – EU Privacy relations.
Paul Calatayud
Surescripts CISO
In 2015, data breaches became a new reality for all industries and sectors of the economy. Cybercriminals no longer focused on retail but crossed into healthcare and the monetization of that data. Looking forward to 2016, organizations are preparing themselves and focusing on achieving operational excellence.
No longer do companies feel immune to information security threats. Instead organizations should assume a breach could happen and prepare for the worst. As part of improving their operations, companies are working to reduce breach detection times drastically from the average 229 days, according to the 2014 Mandiant Threat Report.
In addition, healthcare companies are taking a page out of the ecommerce playbook and proactively looking for weaknesses beyond the front end and customer facing systems in order to make sure all digital doors are closed to threats.
James Carpenter
Texas Scottish Rite Hospital for Children CISO
In 2015, CISO’s have been experiencing increasing pressure to not become delays for execution of business processes due to security policy. CISO’s are business problem solution providers as much as they are protectors. Furthermore, the CISO of 2015 has been expected to be a business leader, IT leader, finance leader, and an excellent people influencer and navigator. This has helped the CISO of 2015 establish a workable security program that may even have included changing the applications the business has been using or the technologies used by the workforce.
- Key takeaways: CISO influence elevated across several business domains
- CISO is a designer or co-designer of business solutions
- No Delay – All elements of security programs are under scrutiny to ensure as much automation and reliability are in place
In 2016, increased investment in cloud / webscale / hyper convergence technologies will quicken the pace and reliability of IT deployments which will correspondingly force similar improvements in security to keep up. CISO’s will need to begin or increase their adoption of cloud security software such as DRAAS and cloud authentication to keep up.
Cloud services such as Office 360, Azure, Amazon AWS, should be piloted in a controlled way to begin engaging the future if this hasn’t happened already. More than ever, users are expecting an organization’s applications to mimic the characteristics of apps on their phones – always work, always fast, easy to use. The CISO of 2016 will be a leader engaging these technologies and methods to bring the benefits realization of cloud into reality for their organization.
2016 Forecast:
- Bigger Internet pipes with high reliability/failover
- Rapid increase in cloud technology adoption
- Limited staff increases – new staff valuable skillset will be strong in Devops/Cloud concepts
- SkunkWorks – Expanded partnerships with non-IT business units to explore new technologies together with a shared expectation that sometimes things won’t work.
David Cass
IBM Cloud & SaaS Operational Services CISO
The year 2015 was one of escalating breaches for banking, healthcare, government, media and telecommunications. No industry sector was spared, and these attacks demonstrated their destructive capabilities. Nation-state activity increased to an all-time high, paving the road for the cybersecurity pact with China. From a technology point of view, social, mobile, big data and cloud transitioned from buzz words to the new normal.
In 2016, I expect cyberthreats will continue to increase. Whether or not the cybersecurity pact leads to a framework of new international norms remains to be seen. Cloud continues to mature and will see adoption by large companies that only a year or two ago would have never considered it as an option.
In 2016, cloud will be about leveraging new capabilities rather than just a cost savings. Analytics and cognitive capabilities will see rapid growth as organizations look at their big data for new insights.
IoT will continue to grow as new devices are introduced regularly, and IOT device makers will be challenged by the amount of data being collected and how to properly safeguard that information. Additionally, privacy laws will continue to evolve, challenging organizations on their appropriate use of data.
Daniel Conroy
Synchrony Financial CISO
The year 2015 started with learnings from data breaches seen over the previous 18 months. The learnings included the importance of something as simple as a strong password to the implementation of layered security infrastructure and periodic penetration testing. The biggest takeaway from 2015 is that companies need to be in position to detect attacks before they occur and stop the adversary before successful exploitation of vulnerability.
At the same time, while it is important to invest in technologies and processes to prevent attacks, the reality is that nobody can prevent all attacks. But companies must take significant steps to minimize the impact, respond, and recover from attacks as quickly and effectively as possible.
The information security industry is seeing trends of cyber criminals spending weeks to months doing reconnaissance before attacking organizations. The industry continues to witness increased reliance on third party providers and increased malware and ransomware attacks against firms. As mobile commerce and the number of connected devices continue to grow, there will be an increase in planned organized attacks and hacking-as-a-service offerings.
While deploying technologies for faster and better detection of destructive malware and APT attacks will be a primary focus in 2016, companies must invest in establishing a forward-looking risk mitigation program and integrated threat intelligence and analysis capabilities which are necessary for a strong cyber defense.
Gary Coverdale,
County of Napa CISO
The year 2015 found an abundance of both internal and external breaches. Externally we’ve seen more and more Ransomware/Cryptolocker hacks, hacks into environments such as content applications that are missing updates and patches, and other incidents that take advantage of unpatched software and hardware. These are ‘low hang’ fruits that a proper cyber hygiene process can and will minimized.
Simple things like inventorying your technology assets; properly configuring those devices including switches, appliances, servers and computing systems (by incorporating very strong admin and user passwords, encryption of devices, and dual factor authentication); Controlling your assets in properly managing accounts and limiting user and admin privileges; an aggressive patch process; and repeating this process.
You must have proper and recoverable backups (especially important while being hit by Ransomware.)! Bringing cyber hygiene into your incoming E-mail and Internet activity is important and a fairly low hanging fruit to minimize breaches. Additionally become more aggressive with your user community cyber awareness program as 2015 was filled with Internal breaches or breaches that were successful from phishing attacks toward your organization!
The year 2015 was one of fairly unsophisticated breaches into systems and data but 2016 will be more sophisticated with substantially morphing malware that will get through undetected or by unintended ‘collaboration’ with you internal staff. Be prepared, take advantage of quick wins by properly deploying aggressive cyber hygiene and start hardening your systems by taking advantage of ‘smart’ partnering with the appropriate vendors that have the right and cost effective solutions meeting your security, privacy, and compliance initiatives.
Grace Crickette
San Francisco State University Special Administrator, CFO Division
In 2015, we were focused on how to elevate our current “State of IT Security” and communicate the right information to Leadership and the Board. We focused on aggregating and evaluating information on the health of our governance and current state of progress around securing our data and our systems. Then synthesizing the information down actionable information so that Leadership could better prioritize allocation of resources. We formed a diverse team from various disciplines to develop a repeatable process.
In 2016, the focus will still be on continuous assessment, evaluation, and communication of our current state. We need to continue to expand our team to include even more people from a variety of departments across our organization.
We have found that engaging non-technical managers to help deal with implementation of a security risk assessment on an ongoing bases provides the relationships that we need to be able to improve rapidly. Example: If you want to understand what data you have and why and what you should retain then you need to have a continuous process and continuous engagement with ownership at many levels.
Having those owners as part of your regular risk assessment security team and meeting routinely, providing education…providing lunch…making friends…. it works!
Darren Death
ASRC Federal CISO
There is a lot of discussion and marketing around advanced cyber security tools and threat intelligence services these days. Many organizations are jumping to implement these tools/service offerings and have not made the initial investment to ensure that they have a strong Cyber Security foundation.
I believe that there will be a shift in 2016 focusing on the need to perform basic Cyber Hygiene practices. Many of the new frameworks and reporting requirements that are coming from the government and the private sector will force the organization to take a deeper look at their environment.
The idea of basic Cyber Hygiene may seem over simplistic; however, it is often times overlooked in favor of flashy tools or is not part of an IT organizations culture. Often times an adversary does not need to implement highly advanced attacks because an organization has not performed their due diligence and has made the attacker’s job very easy.
Organizations will need to focus on understanding what there IT assets are and where they are located; ensure that the assets are securely configured; continuously validate that the configuration stays secured and that the environment stays patched; understand the risk profile of the environment; and have a risk reporting mechanism that is business/mission focused and connected to executive management. While the above list is not an exhaustive list associated with Cyber Hygiene it will go a long way to lowering an organizations risk profile.
Todd Fitzgerald
Grant Thornton International Global Director Information Security (CISO)
In 2015 there was a clear shift from prevention to ensuring that adequate incident response capabilities would quickly discover and react to the breach. Cyber insurance was also garnering much discussion as a way to mitigate the risk, while the premiums and exclusions increased as insurance companies re-evaluated the risk/reward of the policies.
As companies looked for ways to demonstrate compliance, frameworks such as the NIST Cybersecurity Framework, ISO27001 Certification, Cloud Security Alliance Controls Compliance, HITRUST, SOC2 attestations and so forth were evaluated. Company boards became increasingly interested from a risk perspective.
Gene Fredriksen
PSCU CISO
Intelligence today has been productized, and as such is not conducive to widespread dissemination of consistent information. There can be weeks of lag time between sources passing alerts and advisories to its subscribers. Unfortunately, the result of this today is an inconsistent level of protection across the Internet, leaving gaps, which can be exploited and subsequently leveraged by criminals.
PSCU continued the expansion of our Security Analytics system in 2015, enabling us to correlate disparate log and system feeds, turning them into actionable alerts. From an operational perspective, driving down the false positive rate allows users to have a higher confidence level in the alerts being generated, and it yields better use of critical resources and faster response to true security issues.
The system has also simplified compliance reporting, allowing us to quickly produce customized reports as required. This continued investment in resources to combat cyber security threats has improved our people, process and technology systems targeted at protecting the information entrusted to us by our credit union owners.
Looking ahead to 2016 and beyond, the best hope for a consistent intelligence feed is the government, particularly DHS. However, the hurdles with getting private industry cleared to accept sensitive threat information has slowed the pace of rolling anything out to the masses. While there is pending legislation and programs targeted at opening up access to those information sources, the sheer size of the problem makes rapid progress unlikely.
I believe that the conversation on risk management will continue into 2016 and beyond at the highest levels of the organization, as many organizations are still inherently accepting too much risk. To support this risk objective, the conversation will shift to understanding “where does the key data lie,” and the appropriate preventative and detective controls will be architected to protect these ‘crown jewels.’
Security resources are scarce and expensive and thus need to be focused on the highest value assets. Finally, companies will be pursuing more partnering with outside resources for a piece of the security operation to obtain the technologies and skills sets needed.
David Hahn
Hearst Corporation CISO
The Security Industry is starting to focus beyond just data leakage or loss. The data breaches will continue to happen but the concerns of disruption and inability for businesses to operate grows. We have seen this with the SONY attack, and other disruption attacks worldwide.
Brian Kelly
Quinnipiac University CISO
Looking back at 2015, I would say it was the year that redefined APT. It went from the long-standing definition of Advanced Persistent Threat to Annoying Phishing Tactics. While InfoSec pundits continue to warn of zero days and skilled adversaries with arsenals of offensive cyber weapons, the most dangerous and effective tactic remains phishing emails.
The FBI’s report of over $740 million in losses from “Business Email Compromise” supports my thinking, additionally the Anthem breach that compromised 80 million member’s personal data began with a phishing email that compromised a database administrators’ credentials that were used in the heist.
Looking forward to 2016, I see an uptick in cyber liability Insurance policies being issued. This is a growth area that has the potential to impact our collective cyber security posture in a positive way. There are many pre-breach resources packaged in the policies including Information Security Awareness Training materials, vulnerability assessment tools and policies along with the more widely known post-breach services of incident response, forensics services, credit monitoring and notification support.
I wonder if this increased interest in and purchasing of these policies will raise the bar similarly to the impact that Ralph Nader’s book “Unsafe at any speed” had on the automotive industry 50 years ago.
Marty Leidner
The Rockefeller University CISO
For the information security community as a whole 2015 showed us a substantial increase in the number of attacks and also obviously in the sophistication and targeting of those attacks. This despite the increased spending of resources in attempting to protect our valuable data and enterprises. These factors together make the challenges we face in the coming year 2016 quite considerable.
That said, I think we have to look ahead at 2016 for actionable implementable solutions that both end-users and system administrators can use and live with. These solutions must also have demonstrable benefits that can be explained to upper-level executives. This is no easy challenge.
It requires, I believe, at the very least, a more intelligent targeted response to only the most highly vetted and credible alerts, in other words ignore the noise and focus in on the problems. I wish the information security community and solution vendors best of luck in attempting to meet this challenge. I am sure it would be an interesting year.
Brian Lozada
Abacus CISO
In 2015 the lack of information sharing between government and the private sector is an area that has been highlighted. The importance of collaborative and working partnerships between the homeland security enterprise and the high-tech private sector industries needs to become a priority to foster working together collaboratively to counter the threats of the ever-changing terrorist landscape in the cyber arena.
The private sector has expertise and can add value help identify, remediate, and mitigate the cyber threats that are currently facing our nation. The homeland security enterprise has intelligence about cyber threats that if shared could arm more companies and organizations with information will allow them to better protect themselves. Without these partnerships, cyber terrorists and cyber criminals will continue to have the advantage.
If cyber terrorists and cyber criminals take advantage of the lack of communication between the private sector and the homeland security community and tailor an attack, it could cripple our nation’s response efforts. The impact would be significant. This could be avoided with proper information and resource sharing and partnerships between the private sector and the homeland security community.
Michael Mangold
Tractor Supply Company Director of Information Security
In 2015, we saw many companies react to the uptick in data breaches across several business verticals as there was increased focus on information security. Executive leadership has made information security a key focus to help secure critical assets, protect customer information and maintain shareholder confidence. Companies began initiatives to improve incident response capabilities and take a more collaborative approach to information sharing with external partners to expand threat intelligence capabilities.
As we move into 2016, you will see incident response continue to be a primary focus as companies look to accelerate detection and response capabilities. Third party providers will be closely scrutinized to ensure they have the right controls to protect company data. Security resources will be at a premium, as the demand will continue to outpace the supply. Managed security services will be leveraged to help address this shortfall and provide companies a cost effective, scalable model.
Vickie Miller
FICO CISO
If 2015 was the year of Threat Intelligence and Information Sharing, expect to see a growing gap between what product marketers are describing and what CISOs are ultimately finding useful and buying. Artificial Intelligence may become the new buzzword, but most security programs will still need to invest in areas that offer protection from opportunistic attacks (better processes, management and people).
Farhaad Nero
Bank of Tokyo-Mitsubishi Vice President of Enterprise Security
The year 2015 was a pivotal in terms of realizing the impact that third party service providers have on an organization’s security posture. Heading into 2016, I would recommend that security executives — CISOs — within the organization do a deep dive on the security tools, protocols and practices used by their third party providers.
Your security is only as good as those who have access to your infrastructure. And, speaking from firsthand experience, the regulators also are increasingly focusing on this – and for good reason. Raise and extend the security bar.
Pritesh Parekh,
Zuora CISO
In 2015, healthcare and the government were the top targets; IoT threats grew to become a major concern; and targeted malware increased in the retail and financial sectors. Security teams everywhere battled weak authentication and vulnerable security patches. On the bright side, Microsoft’s data trustee model tried to dispel European mistrust and cloud computing itself allowed security startups to quickly integrate their products and provide services for consumers.
The year 2016 is likely to be a record-breaking year for data breaches with the financial and retail sectors as the top targets. Cyber Insurance and ID theft monitoring companies will probably thrive in this environment.
And due to the increasing number of data breaches with healthcare organizations, HIPAA compliance enforcement may be revamped and become more stringent. On the global stage, Safe Harbor 2.0 may not address EU privacy concerns and may unfortunately become just another checklist item for most organizations.
Vanessa Pegueros
DocuSign CISO
The key takeaway for 2015 would be that Boards and C-Suite executives are broadly recognizing that security is a critical element of any business and must be taken seriously. The very public dismissal of executives at Target and other companies that experienced breaches put security and risk at the top of every executive’s mind – and this is good. Unfortunately, the continued volume of breaches that occurred made consumers numb and feeling helpless relative to their own ability to protect themselves and their personal data.
In 2016, I see four key trends dominating:
- Breaches will continue and cybercriminals will be looking at both new and old technology as vectors
- Boards and the C-Suite will spend increasingly more time, resources, and energy trying to solve the security problem. They will address this in a few ways:
- The CISO role will be elevated in the organization – The old model of having the CISO report to the CIO will come under increased scrutiny and more and more organizations will transition to Board level visibility of security and risk topics.
- Boards will ramp up their efforts to bring more risk and security expertise into their Boardroom.
- Budgets for security technologies will continue to grow.
- Cyber Insurance will gain momentum.
- Money will continue to pour into the security start up space:
- This will congest the security space even more and create a bigger divide between decision makers and security vendors as decision makers increasingly grow confused over providers and their solutions.
- This will create an opportunity for incumbent vendors and analyst firms to bring order to the chaos and help their customers get through the turbulent time.
- M&A activity will begin to increase in the security space toward the end of the year.
- Consumers will begin to organize, setting the stage for future legal action against companies who have compromised personal data in a breach
So in summary 2016, will bring more breaches, more attention from the top levels and more money being spent to solve the problems as consumers become increasingly less tolerant of their data being exposed in breaches.
Wayne Proctor
SVP, CISO FLEETCOR Technologies
The most important focus for cyber security in 2015 has been improving incident response capability. The wave of recent major data breaches makes it clear that if your company is targeted by hackers, you will be breached. This reality required a move from focusing on prevention strategies to becoming experts at incident response.
Companies not only need to have solid incident response plans but also need to gain deep visibility in to what is happening inside their IT environment, as you can’t respond to something you don’t know about. Enhancing security visibility will be the primary driver for security spend in 2016. Primary solutions to help enhance visibility include: advanced threat identification, next generation SIEM, threat feeds and data analytics.
Joel Rosenblatt
Columbia University Director, Computer & Network Security
Looking back at 2015, the root cause of the major break-ins often started out as compromised accounts. The mechanisms for these compromises are varied, some highly targeted attacks requiring much research and planning, and some simple phishing schemes based on the principle of “if you throw enough mud against a wall, some of it will stick.”
My crystal ball is a little cloudy (pun intended), but in my humble opinion, the only way that we are going to stay a little ahead of the bad guys in 2016 is by getting very serious about the elimination of passwords as the final arbiter of identity. Multifactor authentication, while not perfect, is probably the best technology around at this point to make that happen.
The other tech that I see as becoming a major player in security in the near future is whitelisting. Depending on anti-virus to protect your systems is a sure way to allow the key loggers and root kits of tomorrow onto your computers, allowing for the collection of credentials, which is where I started (grin).
Anthony Scarola
CISO TowneBank
This year (2015) brought more successful email social engineering/phishing attacks, especially at SMEs, due to increased sophistication and difficulty in detection by filtering solutions and employees. This led to increased advanced malware, also difficult to detect by existing, signature-based solutions.
The number of connected devices increased, which added additional stress to overworked and understaffed IT for managing increased vulnerabilities. And, although financial institution cybersecurity regulation has increased, it has also matured; more FIs are doing better at communicating cyber risk to the board, leading to better protection of key organizational assets.
Next year (2016) will bring advancements in evolving technologies, including the coalesced use of data analytics, machine-to-machine communication of indicators of compromise, and artificial intelligence through deep learning, to more quickly prevent, detect, and respond to attacks. Regulation will continue increasing and evolving, and institutions will reengineer networks, enhancing security controls with advanced tools, focusing on the inner layers and key organizational assets.
Organizations will continue migrating to the cloud for compliance, cost savings and lower risk; however, this will also decrease agility and control. Sadly, many SMEs, some large enterprises, and a few cloud providers will see breaches of confidential information leading to identity, intellectual property, and/or financial theft, as the battle between good and evil rages on.
David Sheidlower
BBDO CISO
In 2015, consumers’ awareness of their Personal Intellectual Property (PIP) in the cloud began to accelerate and with it came the commoditization of consumer security schemes. This was most notable in the area of out of band authentication becoming widely available. This will continue to accelerate.
In 2016, I believe that consumers will begin to want to be able to view the logs of the access to their PIP in the cloud so they can personally monitor it for unauthorized access.
Terrence Weekes
DJO Global CISO
In 2015 CISOs were drowned with “next generation” technology. Venture capital investments in cybersecurity technology companies have saturated the market with niche solutions and services that have yet to be broadly recognized as “must-have” tools within enterprise security programs.
Understandably, IT vendors and solution providers are aggressively competing for cybersecurity market share. However, their approach with customers fails to consider the reality that the majority of publicized data breaches do not result from highly-sophisticated advanced attacks. Rather many of these data breaches result from basic security program deficiencies (poor vulnerability management, lack of system hardening, weak authentication, excessive elevated access, etc.) and lack of skilled staff resources to identify and respond to incidents earlier in the attack lifecycle.
While some CISOs operate world-class security programs, many are still struggling with achieving/maintaining regulatory compliance and aligning their program to business goals. The year 2016 will likely yield greater awareness of cybersecurity risks within executive and board ranks, and that awareness should drive CISOs to develop more appropriately-funded security programs that are threat-aware and business-focused.
