Hackers and IT security vendors have never had it so good. High-profile data breaches such as those of Anthem and Target, ransomware attacks on hospitals and the theft of $100 million from the Bangladesh Central Bank show how hackers are making their money. IT security vendors are selling ever more sophisticated products to help protect clients. So where does that leave the federal CIO who wants to know how security in 2017 and beyond will play out?
Double-edged as ever, new technology can benefit an agency, but can also be turned to a hacker’s advantage. CIOs who adopt new cloud and mobile services, who move to software-defined networking or who expand their use of virtualization and containers, will have to make time to adapt their security, too. Many of these new technologies have started to replace traditional “north-south” hierarchical data flows in datacenters with “east-west” lateral flows between web apps, microservices and distributed databases. New techniques are needed to detect attacks in this horizontal, rather than vertical, mode.
The Threat of Organized Hacking
Cyberattacks have become highly organized. In many instances, they are endorsed and sponsored by national governments. Cybercriminals understand the advantage of working together to produce advanced persistent threats (APTs). The days of the lone, generalist hacker seem numbered, as attackers not only work in teams, but also specialize in particular types of attacks. CIOs will need to strategize in 2017 and beyond against the organized hack.
Double-edged again, but this time in a way that some CIOs may not realize. While big data must be protected like any other data, it can also be used to better predict and detect security breaches. Massive historical log data comparisons and “east-west” traffic flow analytics are just two examples for dealing with APTs, although CIOs will need to buy or build suitable tools for the purpose.
Mapping Out the New Security Perimeter
The new perimeter is defined by cloud, mobile and assets sitting virtually anywhere in cyberspace. That means the new perimeter doesn’t look anything like the old perimeter that could be conveniently protected by conventional firewalls. The more enterprise IT starts to exist off-premises, the greater the need for CIOs to re-evaluate not only their IT security arsenal, but also their basic IT security approach.
Effective security is built on robust, efficient processes. The traditional way of implementing IT security has been to layer it on after everything else has been done. Cloud and mobile computing paradigms now mean that security must be designed in from the start. CIOs will need to adapt IT processes accordingly or use new processes where this is already true. DevOps, for instance, is gaining significantly in popularity, because it helps IT become more efficient and better aligned to business needs. As a bonus, it also offers built-in potential for improved IT security.
A high-profile cyberattack that causes damage to an organization can also derail a CIO’s career. Security of the public, of employees and of the enterprise is a top priority, but job security for a CIO counts, too. Evaluations of security requirements must make sure that all bases are suitably covered, or that senior leadership understands the limitations and vulnerabilities. In the event of data or systems being compromised, the blame may then be shared more equitably and careers saved.
Finally, the growing sophistication of attacks will increase requirements for computing resources to fight them. With risk affecting every transaction and every session, more processor power and memory will be needed for security applications, as well as for simply running enterprise applications. CIOs will need to prepare and portion out IT budgets accordingly and well in advance. With each year’s budget needing to be prepared months in advance, it’s not too early to start thinking about 2018 now.