This is the third post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or even directly submit edits over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. The first post is here and the second post here.
What it Means
The disruptions and trends we’ve described don’t encompass all the advances in the worlds of technology and security, but represent those that will most fundamentally transform the practice of security over the next decade. For example, we haven’t directly addressed Software Defined Network (crudely lumped into our cloud, hypersegregation, and Software Defined Security descriptions), malware ecosystems, or the increasing drive towards pervasive encryption (driven, in no small part, by government spying). Our focus is on those changes that most fundamentally alter the practice of security, and the resultant outcomes.
The changes will come in fits and spurts; unevenly distributed based on technology adoption paces, economics, and even social factors. However, in aggregate, we believe a picture emerges we can use to guide our decisions today, both as organizations and professionals. All of these changes are currently in process, with plenty of real-world examples to draw from.
This report focuses on the implications for three groups — security professionals, security vendors and providers, and cloud and infrastructure providers. Those tasked with implementing security, those who create the tools and services they use, and the public and private IT departments managing our platforms and services.
Let’s start with some high-level principles for understanding how security controls will evolve, then dig into the implications for our three audiences.
Security Controls Evolution
There is no way to predict exactly how the future will turn out and how security controls will evolve as these trends unfold. But asking one key question, and a few logical follow ups, most-quickly helps us identify how our security controls will likely adapt (or need to adapt) in the face of change.
How does this enable my security strategy?
What does the provider or technology give me? What does it do? What do I need to do? The idea of the question is to hone in on where the security lines shift in the face of change.
For example, when choosing a new cloud provider what security controls do they provide? Which can you manage? Where are the gaps? What security controls can you put in place to address those gaps? Does moving to the provider give you new security capabilities you otherwise lacked?
Or, when looking a new security tool like active defense. Does this obviate our need for IPS? Does it really improve our ability to detect attackers? What kind of attackers and attacks? How do we adjust our response strategy?
Here are two interrelated examples:
iOS 7 includes hooks for mobile device management to restrict data migration on the device to only enterprise-approved accounts and apps, all strongly encrypted and enforced by stringent sandboxing. While this could significantly improve data security over standard computers, it does mean losing Data Loss Prevention monitoring and having to implement a particular flavor of mobile device management. However…
Cloud storage and collaboration providers keep track of every version of a file they hold for customers. Some even track all device and user access, on a per-file basis. Use one of these with your mobile apps and although you lose traditional DLP, you gain an in-depth real-time audit of all activity with that file, including every device that has accessed it.
The combination provides a security and audit capability that is essentially impossible with “traditional” device management and storage, but does require changing how you implement a series of security controls.
Focus on your security strategy. Determine what you can do, what your provider or tool will do, who is responsible, and the technology capabilities and limitations, rather than how to migrate a specific, existing control to the new operating environment.
Implications for Security Practitioners
Security practitioners in this future will rely on a different core skills set than many professionals possess today. Priorities also shift as some risks decline, others increase, and operational practices change. The end result is a fundamental alteration of the day to day practice of security
Some of these are due to the disruptions of cloud and mobility, but much of it is due to the continued advancement of our approaches to security (partially driven by our six trends, but also influenced by attackers). We covered cloud computing in depth in our paper What CISOs Need to Know About cloud Computing. Let’s look at the different skills and priorities we think the overall combination of cloud, mobile, and our six inherent security trends will emphasize.
New Skills
As with any transition, old jobs won’t be completely eliminated immediately, but the best opportunities will go to those with the knowledge and expertise best aligned to new needs. These roles are also most-likely to command a salary premium until the bulk of the labor market catches up, so even if you don’t think demand for current skills will decline, you still have a vested interest in gaining the new skills.
All of these roles and skills exist today, but we expect them to move into the core of the security profession.
Incident Response is already seeing tremendous demand growth as more organizations shift from trying only to keep attackers out (which never works) to more rapidly detecting, containing, and remediating successful attacks. This work takes extensive security expertise, and is not something that can be handed off to operations.
Secure Programming includes the ability to assist in adding security functions to other applications, evaluate code for security issues (although most of that will be automated), and program Software Defined Security functions to orchestrate and automate security across tools. It requires both programming and security domain expertise to be truly effective. Some may find themselves more on the secure application development side (integrating security into applications) and others more dedicated to developing security applications themselves, but the same basic skills apply.
Big Data Security Analytics is needed to make sense of the massive security data sets we are already starting to accumulate. This skill is essential to better detection and remediation of security incidents, and is critical to visualization and closing the action loop. Most security information and management tools are already migrating to big data platforms, but making sense of this information isn’t something that can be necessarily completely automated, especially as organizations add their own custom application feeds.
Security Architects will help design secure applications, assess and recommend security controls and integration across different cloud and infrastructure providers (especially as we gain more ability to directly manage security in the infrastructure itself), and work with security programmers to design and implement internal security orchestration and automation applications.
Audit/Assessment and Penetration Testing increases in importance as we need to spend more time assessing external providers, and host more of our internal applications on Internet-accessible services. Vendor risk assessment of cloud providers is already a major challenge for most organizations, especially making sense of the wildly divergent third party attestations, self assessments, and provider documentation and contracts.
Chief Information Security Officers will continue to rise in importance and require experience in the skills sets we have described. The position will be as political as it is technical. The trend towards CISOs with more responsibility and accountability started years ago as organizations increased their reliance on Internet-based technologies and cybercrime started resulting in more visible losses. There is no reason to think this focus will abate, and successful CISOs will need a solid grounding in the skills we described above.
Shifting Priorities
Skipping forward ten years and the average security team will operate quite differently than most do today. Not only do skills evolve, but priorities change to better align with the new ways organization consume and deliver technology, and the different capabilities of security tools and the platforms they protect.
We expect to see a much greater emphasis on assessment and vendor risk management, including penetration testing. Some companies we talk with today already use hundreds of different cloud services, many smaller Software as a Service providers with niche offerings targeting particular business units or initiatives (like a short term marketing campaign). There is little security or documentation consistency across options and we don’t expect this to change anytime soon. Mobile platforms also differ wildly in terms of security capabilities, never mind an incredibly diverse ecosystem of mobile applications.
It is already challenging to understand the security controls, baseline security, options, and Service Level Agreements in a single provider or platform. Then add the complexity of using this information to adapt security controls, align the security strategy, and integrate the new service into security operations. Add in compliance and legal requirements. Lastly, all this has to be considered in the business context of the use case. Expand to dozens, or hundreds, of providers, platforms, and services all innovating on a daily basis to stay competitive and you get a sense of the new scope of assessment.
Many organizations we talk with today look at this as an outsourcing problem (at least, or cloud computing). However, we feel the fundamental technology differences of cloud, such as abstraction and automation, matter more than multitenancy, and thus will require technology assessment skills, not just RFP and contractual evaluations.
Some providers bring more security to the table, others decrease it, and others merely shift where the risks are. All this needs to be tracked and evaluated on an ongoing basis. Then compiled into audit reports to meet compliance obligations.
As we’ve mentioned, more resources will be dedicated to incident response. Right now spending on incident response technologies and operations is a small fraction of the average security budget, but we expect this to shift to possibly even a majority of the budget as security drops other operational tasks, and advances like hypersegregation harden platforms and push attackers to ever more advanced techniques. IR also ties together our trends of active defense and closing the action loop (including big data security analytics) to better detect and then contain attacks. Our infrastructure becomes harder, and we shift the resources to detection and response.
Security will also focus more on integrating directly into IT operations at a deep technical level through Software Defined Security. This is enabled by the proliferation of APIs to manage infrastructure, platform, and service security features directly, instead of security relying so completely on external boxes and rerouting of traffic as we do today. We already see this happening today with examples like next generation firewalls integrating with Software Defined Networking, IAM integrating with external services using SAML, and new logging and auditing features exposed by various cloud providers. We even see automated vulnerability assessments kicked off by integration with cloud controllers when new instances launch.
All this is only possible due to the ongoing operationalization of security that allows security professionals to focus where their expertise matters, even when it means letting go of security-sensitive tasks that can be easily managed, with guidance, by non-security IT operations.
- Rich
(0) Comments
Subscribe to our daily email digest