Late in 2014, I was asked to break out the crystal ball and make some predictions about what might happen the following year in the security industry. I hit four out of five (with the fifth still in play), which is apparently worthy of a repeat performance – so here I go again with what I believe is on the cyber-security horizon in for 2016.
1. Security Talent Crisis Evolves. A prediction in previous years, a lack of skilled talent is a gimme – except I think 2016 will be a bit different. After 2015’s high-profile demonstrations of weaknesses, demand for cloud and IoT security skills in particular will accelerate even further. The pace of cloud infrastructure and agile tech delivery will continue to make it exceptionally difficult for enterprises to get the security talent they need as they compete with one another and a growing stable of cloud and security vendors, all vying for the same talent pool. On the flip side of this issue, I expect to see more collaboration between industry leaders and forward-thinking universities to develop programs centered on cyber-security education and training in a bid to bridge the gap. Enterprises and government agencies will turn to deeper automation to help in the short term, and to maximize the value of the talent they can tap into. Crowd-sourced security will continue to be interesting in niches, but will be a minor help at best relative to the overall talent shortage.
2. Chip and Pin Won’t Be A Silver Bullet. In the domain of payment security, chip and pin (or more often chip and signature) will not stem credit-card fraud nearly as much as hoped. We’ve seen this play out in the past: a rash of successful attacks on one point in the payment chain leads to dramatic but myopic action, followed by the fraudsters almost sauntering to find another soft point. We’ve been like the little Dutch boy, repeatedly putting our fingers in whatever leak seems the most severe, but never fixing the dam. To make matters more precarious, droves of companies still are not encrypting credit-card data correctly outside the PoS transaction environment. This means that if access to back-end datastreams can be had, so can the credit card data. With this environment teed up, I predict that fraudsters are now going to refocus their attack vectors on database servers and subversion of open-source application code, the latter probably executed through compromised repos or DNS poisoning.
3. Federal Cloud Grows Dramatically. The coming year promises some interesting developments in the government space. In 2015 we saw a big uptick in cloud service providers pursuing FedRAMP accreditation and major efforts by cloud providers to build federal marketplaces. This means more cloud-based services available to federal agencies in 2016, which I predict will spur accelerated federal adoption of cloud-based infrastructure and software. The interesting but hard-to-measure side effect will be improvements in agency security – the stringent set of requirements for FedRAMP compliance means consistent control deployment for users of cloud platforms. Agencies seeking relief from skills shortages will also contribute to federal cloud adoption. The flip side, of course, is that expanded cloud adoption by the enormous federal sector also means a new and attractive attackable surface area for malefactors. One hopes the FedRAMP standards will translate to strong security – but the smart vendors will go further than the FedRAMP minimums to protect federal data and services.
4. Roller-Coaster for Cloud Security Startups. On the cloud security business front, 2016 promises a flurry of acquisitions, consolidations, and probably tombstones. Legacy vendors are learning it’s not easy to build security tech from the ground up, and that oft-mentioned persistent skills shortage complicates this matter. On the startup front, investors will be far more discriminating and cautious with their dry powder. This will lead to a number of smaller companies, unable to obtain next-financings, exiting by being folded into larger vendors via tech & talent acquisitions. The IPO market for security vendors will be unforgiving. I also see 2016 as a rough ride for many of the so-called “unicorn” companies. The same investor caution, especially when considering already-overvalued startups, will lead to big problems for those that can’t deliver on big promises. Without financing options and in a discriminating IPO environment, these companies will have nowhere to go. The real losers in these situations are the employees and customers of these companies, who will be left holding the bag. There is an upside: investors will seek unassailable quality in cloud security investments next year. A premium on quality is a good thing and will strengthen the cybersecurity space in the long run, but the transition will be painful for many and may prove dangerous for those tied to sinking ships.
5. Cyber-terrorism escalates. News of the apparent escalation of Anonymous against ISIS has been making the rounds. While interesting that Anonymous is taking action against the ISIS’ use of social media for communication, recruiting and marketing (yes, marketing) the bigger trend I think 2016 holds is ISIS’ desire for cyber-attacks coming to fruition. ISIS and other extremist groups have been recruiting technologists for some time now with varying levels of success; however, ISIS’ use of technology, social media in particular, shows they’ve got tech savvy at some level. Given Anonymous’ attacks against their “infrastructure,” we can bet that ISIS will be pushing harder to recruit security talent ideals that match their own to stop the attacks, and to strike back. I predict we’ll start seeing less sophisticated attacks to begin, like DDoS and penetration of non-classified government systems. Financial services will also be major targets. How quickly ISIS can escalate depends on how quickly they can recruit talent, and how adept that talent is to putting malware kits and botnets-for-hire to work. The most interesting thing will be if the people who sit at the intersection of Anonymous and the underground hacking tools-and-services economy will service ISIS requests. Who knows — maybe the real positive impact of Anonymous v. ISIS will be Anonymous running honeypots against ISIS-recruited hackers to target them for counterstrikes.
A simple scan of the cybersecurity horizon as 2015 transitions into 2016 makes it obvious that we live in turbulent times and we desperately need to add skilled practitioners to our cause. But these are also exciting times, and innovative platforms, especially those that integrate and automate security and compliance and can scale, can help.
Have a happy holiday season, and here’s to a safe and prosperous 2016!