In order to keep up with the rate at which technology is evolving, CISOs and their security teams must be mindful of the areas of change. Marco Rottigni, Chief Technical Security Officer EMEA, Qualys, offers seven predictions for where he thinks security will develop most this year.
Hacks still happen, software vulnerabilities get discovered and patches have to be applied, but the pace of change around security has gone up so much that the old processes are no longer enough. At the same time, cloud and container deployments can change at any time based on demand for those applications and services. So how will security have to change in 2020 to keep up?
Prediction #1 – Security will have to change in order to keep up
This year, there will be more emphasis on real-time updates around any assets that are getting created. The alternative is that images are getting created, used and then deleted without the security team even being aware that these assets exist. That is a potentially frightening thought and one that should lead to more changes throughout the year.
Prediction #2 – Digital biodiversity will force teams to deal with different work paces
There are so many different platforms in place within enterprises and each of them has to be kept secure. However, they all live at their own pace. From the traditional and legacy IT assets that move as fast as sloths through to the hummingbird pace of cloud, each platform will change in its own way over time.
Getting insight into these changes will be necessary, so planning around patch windows and major events should happen early. This will help teams prioritise and plan ahead, regardless of whether a change comes in suddenly or not.
Prediction #3 – Shared responsibility for cloud still needs to be understood
Cloud deployments are getting more and more popular. Providers like Google Cloud Platform, Microsoft Azure and Amazon Web Services all offer a range of options for hosting, managing and implementing applications. Companies are also looking at multi-cloud and running across different cloud services where locations are available.
These issues will continue as developers rush to get their applications finished or miss out on working with IT security teams when moving services into production. To avoid this, companies will have to take more responsibility for their deployments. Educating developers is part of this, but building better DevOps processes that incorporate security tools into the release workflow will be just as important. This will make security ‘business as usual’ rather than an additional headache.
Prediction #4 – Operational technology assets getting onto the Internet of Things will need more security
The growth of the Internet of Things (IoT) continues. While there have been lots of consumer devices launched that simply add an Internet connection to an existing product, the market opportunity for the future is growing around the enterprise. From initial pilot projects, IoT implementations are growing in supply chain, logistics and services companies.
In practice, this means that more assets are getting connected, including some that pre-date the Internet as it is today. Manufacturing execution systems and operational technology assets that have to run around the clock can benefit from connectivity, but they also tend to be older and very difficult to update. In some cases, application providers may have gone out of business years ago.
In the rush to make use of the IoT, it’s important that companies don’t create security risks where they did not exist previously. The role of airgapping will continue to be important, while understanding IT assets in context will also spread to the operational technology sector.
Prediction #5 – More security purchases will be by DevOps, not IT security
Traditional IT security sales were made by specialists to other specialists. This meant that the CISO was the arbiter of who a company would work with and how these solutions would be managed.
This will change this year. Rather than security being solely the preserve of the IT security team, the DevOps team will be responsible for purchases or hugely influential on what gets implemented. When companies work around a CI/CD pipeline, the DevOps team is the new buyer that has to be impressed.
Prediction #6 – Vulnerability detection will move to real-time, not scheduled
Traditionally, vulnerability management programmes ran to schedules. You knew that Microsoft would release patches once a month, as would Adobe. Oracle would release patches once per quarter. Managing these would sort out the majority of problems. Looking for vulnerable software could be scheduled around these updates.
However, today’s issues are getting exploited faster than traditional patching schedules can cope with. The sheer variety of platforms in place means that changes can affect multiple systems running in different places. New technologies like cloud and containers can run intermittently, getting missed by scheduled scans. More companies will have to move over to real-time vulnerability scanning, looking for issues as they occur.
Prediction #7 – Integration and orchestration will become critical for security teams
This year, security teams will look to learn from DevOps teams around how they achieved their results and what changes were needed. At the same time, they will be looking to recruit more people with skills and understanding in building integrations and automated processes too. Security Operations Centres in particular will want to automate processes around data where they can, making existing staff more productive and helping those team members focus on more high-value tasks.