INTELLIGENT ENTERPRISE SECURITY
Regulations, complexity, agility will dominate demands from security
Complying with regulations in 2018, coping with complexity of responsibility, and agility will be some of the key expectations in 2018, says Greg Day at Palo Alto Networks.
This time of the year is always a
chance for a little reflection on the
past twelve months, and perhaps
more importantly, what is likely to happen
next. Here are some of my thoughts on
what I think we will see kicking off in
the coming year, along with suggestions
for how to manage these risks. In all
likelihood, the impact of these will be felt
for a few years to come.
Takeaways, your 2018 resolution
Cybersecurity must be more agile. In
an increasingly digital world, the pace
of change is certainly not linear – it is
exponential. Most security professionals
no longer do horizon scanning, as the
pace of change makes it hard to see more
than a few years out – just as mobile
phone IT lifecycles are shortening from
years to months. At the same time,
interconnectivity and, by association,
dependencies are increasing, bringing
increasing regulatory pressures.
All this means that cybersecurity must
become more agile to keep pace. Much like
DevOps capabilities, we must be ready to
evolve incrementally on a daily or weekly
basis. So how can we achieve this?
Not so many years ago, I surveyed
some peers, and it dawned on me that
the majority of their time and resources
were spent on sustaining the cybersecurity
legacy they had built, with little time or
resources to evolve. If we are to scale for
the future, we need to refocus our time
and resource usage, so only the minority
is spent on sustaining legacy, and the
majority is supporting the exponential
agility our businesses are embracing. As
such, consider a New Year’s resolution
to detox your legacy to ensure you can
embrace your future.
Significant new EU regulation will hit the streets
A number of new regulations are coming
into effect in 2018. In fact, between
January and May, we have GDPR, the
NIS Directive and PSD2. Like any new
legislation, it will take time for businesses
to understand the impact these regulations
will have on their business. All carry
potentially significant penalties for
infringement, so 2018 will be a big year
for businesses in coming to grips with
what each of these means when it comes
to applying cybersecurity and managing
ongoing requirements. For all of these,
I can only encourage you to quickly get
to grips with the legal details of what
these will mean to your business, both
legally and practically. Ensure you have
the right level of executive support and
start, or continue, the work to achieve and
maintain compliance. More insight on
GDPR can be found on our microsite.
Focus on responsibilities and accountability
From the shared model of cloud security,
where the provider secures the cloud
and you secure what you put in it, to
shared cloud collaborations, and the
push for more open commercial models
such as PSD2, which aims to enable new
fintech offerings to better compete in the
payment services industry, the common
denominator is complexity.
The number of organisations and
processes is increasing, which widens the
scope for error, and therefore requires
increased understanding and visibility of
where responsibilities and accountabilities
reside. The likely outcome is that every
business will be looking at contract details
and regulatory requirements, to be clear
where these lie. By the same token, they
will also be looking to keep richer audit
trails and logs, detailing each transaction
to be able to validate when, where and why
incidents happen.
Cyberattack impacts will change
With some of the ransomware attacks
in 2017, in which medical facilities were
impacted, it is clear that cyber incidents
are now having real-world, physical impact
on people. With the growth of digital
twinning (creating a digital counterpart to
an existing process or system), we can only
expect more of the same affecting many
more facets of everyday life. So how does
that change cybersecurity?
It is very probable that we will continue
to see even more regulation step in
to continue to drive baseline security
higher and ensure confidence in cyber
systems that impact society. The Network
Information Security Directive, which goes
live in 2018, includes a new digital service
providers category. As cyber has greater
physical impact on society, we must expect
to see more categories along these lines
being developed, beyond the traditionally
defined, critical national infrastructure, or
operators of essential services.
In this context, the role of security
leaders, such as the CSO, must evolve. If
there is harm to citizens due to technology
failure, there will likely be public requests
to understand if and why there was
neglect, who bears responsibility, and
what relevant actions must be taken.
Consequently, while just a short time ago
CSOs were often worried about being
fired in light of an incident, liability
Issue 14
INTELLIGENT TECH CHANNELS