“Worldwide spending on information security products and services will reach more than $114 billion in 2018, an increase of 12.4 percent from last year, according to the latest forecast from Gartner, Inc. In 2019, the market is forecast to grow 8.7 percent to $124 billion.”
That’s good, right? Well maybe-not-so-much. The current dystopian cyber-crime landscape paints a very dismal picture of the effectiveness of that spending, given the following predictions:
- Cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
- There will be 3.5 million cybersecurity job openings by 2021.
- There will be more than 26 billion global IP networked devices or connections by 2020 (up from 16.3 billion in 2015).
So to summarize the predictions, despite the increase in cyber security spending, cyber criminals will double their take from company revenue in two years, there will be a huge shortage of cyber defenders and the attack surface the bad guys have to work with will add another 10 billion devices. When vendors remark their product is evolving to meet the threats of tomorrow, I would counter with “Not. Fast. Enough.”
The cybercrime issue is not necessarily without hope, but hope comes in the form of a security revolution and a new metaphorical “reign of terror” against:
On Premises & Hybrid IT
Cisco provides some predictions on where IT systems will be found by 2021, suggesting 94 percent of workloads and computing instances will be processed by cloud data centers; six percent will be processed by traditional data centers. Building your own data center seems like a not-so-great idea.
Seventy-five percent of the total cloud workloads and computing instances will be Software-as-a-Service (SaaS), up from 71 percent in 2016. The slow death of client-server on premise applications continues to linger.
So if most of the IT systems will be found in cloud data centers by 2021, the security revolution in tools & training has to be applied to securing those cloud data center hosted systems. The endpoint defense-in-depth or layered security model is still relevant, but the investment in those layers needs to change; with most of those systems located in the cloud and as SaaS offerings, credential management along with multi-factor authentication becomes the most important layer. This is something which very few companies are doing today (mostly due to legacy systems), and it’s no wonder that cyber criminals keep pillaging them. There is an unexpected ally in user account management in SaaS – the accounting department. In the SaaS monthly billing model or pay-as-you-go billing, the question will be near constant: “can we shut that account down to save money?” Look for accounting to become the “Committee of Account Safety” and be wary of their budget guillotine.
Applications and Data on the LAN
Implicit in the prediction of where the IT systems will be found by 2021 is where the data in those systems will be found – “in the cloud data center.” As we move towards an environment where endpoints connect to SaaS and SaaS systems talk to each other using APIs, it becomes increasingly necessary to secure access to those systems with strong credential management with less important on the hygiene of the endpoint. Credential-stealing payloads and even ransomware payloads become less impactful when no important data is found on an endpoint and it can’t be accessed because of multi-factor authentication protections.
The future of business IT can be found in moving business applications and data into cloud-hosted services (as quickly as possible) and reducing exposure of any data in an unencrypted format on any endpoint. With robust credential management in place, the detection of a compromised endpoint becomes easy (failed login due to multifactor account protection alerts), and the impact of that compromised endpoint from a compliance perspective becomes minimal. No data on the endpoint = no data to disclose in an unauthorized manner or to encrypt with ransomware.
From the IT management perspective, imagine if the build you have stops at the web browser of the user’s choice, completely platform-agnostic with all the applications the user needs found as webservices. Access and provisioning are controlled by the user’s manager through a console, and one of the only large expenditures in security is on the multi-factor authentication and VPN solution for mobile workers. Vulnerability management on the endpoint as well as anti-malware defenses are still required for compliance, of course, but the impact of a security breach will be significantly decreased and confined.
So, how close are we to the security utopia I propose? It depends on who you ask. 56 percent of C-level executives believe that their organizations have migrated workloads to the cloud. But 35 percent of IT directors who believe the same, with 53 percent of companies committed to a hybrid approach (combination of on-premise and cloud).
Sigh, it appears we are only halfway there, and for those companies that are not moving to the cloud with all do haste, their security posture may be living on a prayer.
About the Author: Ian Thornton-Trump, CD, CEH, CNDA, CSA+ is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Ian previously managed IT projects at the Canadian Museum of Human Rights and is currently the Cyber Vulnerability and Threat Hunting Team Manager for Ladbrokes Coral Group plc.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.