Trends and 'mega trends' for 2019 and the future include cloud delivery, business strategy and communication and the continued battle with passwords as a form of authentication.
Speaking at the Gartner Security and Risk Management Summit in London, Peter Firstbrook, VP analyst at Gartner, said that the “controls of security are shifting, and the focus needs to shift to new forms of controls.”
Firstbrook said the mega trends of the next 10 years will be:
- The skills gap is real and growing, as the reality is, it is hard to find qualified security professionals
- Regulations and privacy concerns are not going away
- Cloud application scale and complexity will continue to grow, as organizations move to the cloud and complexity increases with more of use of containers, APIs and virtualization
- Attackers are showing no signs of letting up, and their “creativity” continues to increase
Firstbrook said that all of these mega trends are external “and beyond your control” and are all things that have to be accommodated for. When it comes to internal mega trends, Firstbrook said that these include: realizing that “perfect is not possible” and companies adapting to that concept when planning to detect and respond, that cloud delivery is here for security services and that communication is key, especially as we talk the language of the business and help it understand choices for resolving risks.
For the overall 2019 trends, Firstbrook identified seven major trends:
Fusion of products and services: He said that some MSSPs are now “OEM’ing” other security products, and he encouraged anyone using managed services to determine how easy those products are to use.
Cloud center of excellence: He recommended establishing a chief cloud architect to take responsibility of cloud, and invest in new tools like Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) and Cloud Access Security Broker (CASB) “and this is key going forward, and you need to invest in them now.”
Data security governance framework: To better manage data controls, Firstbook said that organizations invested in tools like data loss prevention and tokenization, but did not get the best value from them and didn’t start with business environment in mind.
Dawn of passwordless authentication: Firstbook said that organizations are now getting rid of passwords, and the Microsoft CTO has recently pledged to get rid of them. With 35% of smartphones now having some sort of biometric authentication on them, and options like tokens from Duo and Yubico, there is an alternative.
SOCs and Correlated alerts: Firstbrook said that businesses are not getting value from SOCs, and he could see EDR “become the SIEM of record.” He also said that he sees companies like Microsoft, Cisco, Fortinet and Palo Alto Networks all invest in incident response tools for their own products. “In the new SOC, think of new ways to implement,” he said.
CARTA (Continuous Adaptive Risk and Trust Assessment) Proliferates: Launched a couple of years ago by Gartner, Firstbrook said that this is accepting that you do not have perfect authentication and defenses, and acknowledging that you will get infected by an authenticated person “who are not who they say they are.” He said that this is proliferating into tools and into network intrusion software.
Risk appetite statements emerge – The final trend was for business stakeholders to create a mission statement that allows them to establish a view of risk, getting everyone to understand and agree with the team what it, and having a conversation with execs on what risks they are willing and are not willing to take.
For recommendations, Firstbook recommended taking advantage of security product vendors that “are increasingly fusing products with services,” to utilize a data security governance framework to prioritize data security investments, and adopt a CARTA mindset and augment one-time security gates with internal detection capabilities. He also recommended engaging business stakeholders to create risk appetite statements.