By now, every vendor, analyst, and media outlet has already published their cybersecurity predictions for 2015. I actually described some of mine on a Co3 webinar with Bruce Schneier last week, so I thought I’d put together a quick list. Here are ten predictions in no particular order.
- Widespread Impact from the Cybersecurity Skills Shortage. Demand will exceed supply for cybersecurity professionals, leading to salary inflation. CISOs who can’t hire the right talent will have no choice but to look for help from MSSPs and security SaaS vendors. As a result, 2015 will be another boom year for all types of security service providers. See my recent blog for more details.
- Expanding Attack Surface. While most attacks will still center on Windows PCs, browsers, and common applications, sophisticated cyber-adversaries will start to poke around with hacks for mobile devices, cloud applications, IoT, Macs, and Linux. The industry will pitch individual threat management tools for each of these threat vectors, but CISOs should avoid the point-tools trap and create an expansive, all-inclusive strategy to safeguard the growing attack surface.
- Healthcare Heartache. Cyber-criminals need new industry targets as the return on credit card theft is steadily decreasing. Healthcare industry beware: You are the next mark. Look for hackers to launch attacks on major hospital groups and healthcare insurance providers throughout 2015.
- Mobile Payment Popularity and Vulnerability. Led by Apple Pay, mobile payment will take off in 2015, leading cyber-criminals to focus on vulnerable software, devices, and protocols. I expect an explosion of near field communications (NFC) hacks by next summer.
- Peace Out, Passwords. Closely related to mobile payment, consumers will become more comfortable with smartphone-based authentication and biometrics in 2015. Apple has the lead but the recently published FIDO 1.0 specification will bring similar functionality to Android and Windows phones as well. By the end of 2015, many enterprises will start to explore ways to integrate mobile phone-based authentication into their IAM infrastructure. On a related note, CISOs will get much more involved in IAM decisions next year as IAM assumes the role of a security perimeter for cloud, mobile, and internal IT assets.
- Beyond AV. The endpoint security market has been a cozy oligopoly for many years, dominated by 5 AV vendors: Kaspersky, McAfee, Sophos, Symantec, and Trend Micro. This exclusive club is now being invaded by a slew of newbies including Bit9, Bromium, Cisco, Confer, Digital Guardian, FireEye, Guidance Software, Hexis Cyber Solutions, IBM, Malwarebytes, Palo Alto, RSA, Triumfant, and Webroot. Why? Security pros realize that AV alone isn’t enough, so they are adding advanced anti-malware layers and/or endpoint forensic software. By the end of 2015, at least one vendor will exhibit extreme chutzpah by telling customers to abandon AV altogether and redistribute legacy endpoint dollars to new types of tools.
- Washington Cybersecurity Wannabes. Get ready for a steady diet of bellicose cybersecurity rhetoric when Congress returns from vacation. This is likely because of the Sony breach and the other GOP’s majority in the House and Senate. We may see unprecedented funding of cybersecurity education programs (good stuff), tax breaks for private sector cybersecurity investments (good stuff), and a ton of other pork barrel cyber programs (wasteful stuff). By the end of 2015, someone or some group will step up to become a cybersecurity watchdog for billions of dollars in federal funding (note: This could be me).
- Enterprise Security Co. Enterprise security based upon an army of point tools, manual processes, and limited IT visibility doesn’t work. CISOs recognize this and are now looking to build an integrated, scalable, enterprise security architecture. Think ERP (SAP) as a replacement for departmental apps in the 1990s. Which vendors can address this burgeoning enterprise security requirement? Leading candidates: Cisco, McAfee, IBM. Fast followers: Check Point, FireEye, Fortinet, HP, Palo Alto Networks, RSA, Symantec, and Trend Micro. Others?
- Security Analytics Maturity. Most of the enterprise organizations I speak with are collecting, processing, and analyzing a heck of a lot more security data today than in the past. What kind of security data? Logs, packets, threat intelligence, endpoint forensics, IAM data—you name it. We are passing from the age of SIEM to a much broader and more holistic security analytics era. A market free-for-all will ensue as startups, service providers, and established vendors (e.g., AlienVault, Arbor Networks, Dell, LogRhythm, Narus, Splunk) vie for big security analytics projects. Look for vendors to highlight hybrid cloud offerings, massive threat intelligence integration, remediation automation, and visual analytics capabilities next year.
- Cybersecurity Intelligence Intelligence. Speaking of security analytics, 2015 will be a big year for cybersecurity intelligence, driven by the eventual passing of the Cybersecurity Intelligence Sharing Act (CISA), and momentum around FS-ISAC’s Avalanche and Soltra. On the enterprise side, CISOs want to rationalize their threat intelligence consumption, use, and integration while figuring out which threat intelligence feeds are really worthwhile and which are simply redundant information. Vendors will remain in the evangelical selling phase, but innovators like BitSight, iSight Partners, Norse, Vorstack, and ThreatStream with unique information or advanced integration should do well. OpenIOC, STIX, TAXII, and other cybersecurity standards are bound to come along on this ride.
I could go on for a while longer but these are the ten that came to mind. I hope you find them useful and entertaining.
To all those who read my blog and have provided me with feedback over the past year, thank you very much. Happy holidays to my many colleagues in the cybersecurity community. Relax and enjoy your holidays—next year is likely to be a doozy.