If the past 12 months saw a dramatic increase in data breach activity, then the year ahead promises to bring an entirely new set of concerns, says Booz Allen
Increasingly, companies are exploring a more “active defense” approach to cyber security, while preparing for an entirely new set of threats to medical data, connected vehicles, mobile payments, and Internet of Things as well as emerging technologies like “wearables.”
Internet of things expands cyber “attack surface” – For enterprise IT managers, cyber threats have existed in largely two dimensions – behind the firewall and beyond. But with the “Internet of Things,” cyber risk now stretches across a third dimension. Employees may come to work with a compromised wearable device, or pull their hacked connected vehicle into the company parking lot.
“Proactive defense” becomes best practice – Recent corporate victims of cyber attacks have one thing in common: they all thought they were prepared. Tired of being a step behind, companies will gravitate to a more active, anticipatory approach to preparedness and defense, one that looks over the horizon at emerging criminal patterns and active threat actors. We will see more organizations take an “intel to operations” model that enables companies to use real-time intelligence and threat assessment data to shape decision making, fine tune defenses and pre-empt emerging threats.
“Incident response” hype meets reality – The cyber market is crowded with companies that market an “incident response” capability in the event of a data breach. Yet is there enough experienced cyber talent to staff up all of these companies? Do these offerings include the right balance of multidisciplinary expertise necessary to be successful (e.g., Crisis Communications, Legal, Policy, Business and Technical)? Expect CISOs and other corporate leaders to take a more discerning look at the latest incident response offers; the people behind them, and their step-by-step methodology.
Preparedness moves beyond dollars, compliance – Companies are devoting significant resources to building up their cyber defenses – and often quantifying those steps in dollars spent and compliance achieved. Yet as data breaches multiply and their reach broadens, scrutiny of preparedness will shift away from the “how much” to the “how” and “who.” Cyber security will continue to evolve from a compliance issue to a strategic, business-critical priority.
Embedded Security is now an undeniable requirement – It is a new necessity that presents a competitive opportunity. As Internet connectivity touches everything from light bulbs to vehicles and electric turbines, cyber security and risk management increasingly must be accounted for when designing and producing products.
The c-suite rethinks cyber response – To date, the CIO or CISO has taken the reigns (and, too often, the blame) when a cyber crisis hits. Yet as companies understand the inevitable business impact of a cyber event there is movement to a new model. For example: adding a business leader within the c-suite with the explicit role of driving data breach response activities across all facets of the organization. A move a way from the current approach of assigning this job to a technology executive. Fueling interest in a different approach: workforce changes, new, emerging threats, and constantly evolving “best practice” response tactics.