Executive Insights on the Current and Future State of Security
Want to learn more about the current and future state of security? Check out this article where we talked to over 40 top security executives.
This article is featured in the new DZone Guide to Security: Defending Your Code. Get your free copy for more insightful articles, industry statistics, and more!
To gather insights on the current and future state of security, we talked to 48 executives from 42 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
1. Several elements were mentioned as being important to application and data security: 1) access; 2) encryption; 3) depth; 4) education; 5) data; and, 6) security by design.
Know who has access to critical mainframe resources and how. Have visibility into who has privileged access in your organization. Have flow-based access control and federated access, the ability to set up fine-grained access control, and the ability to give people access to data without exposing PII.
Encryption should be standard for all data, and a standard expectation of every CISO and CIO. Have encryption keys and certificates in place, along with key assignment and key management.
Security is about having multiple layers and asking, "What if this mechanism is breached?" Have multiple solutions and layers to block threats.
It comes down to people. Developers, engineers, and staff need to understand the importance of security. Once the organizational commitment is in place, you need to train your teams and provide teaching through a center of excellence so continuous learning happens, given how fast the landscape is changing.
Figure out where all of your data is and assess its importance and risk. Classify data based on sensitivity level for compliance purposes. Follow a security by design mindset from day one. Integrate security into the SDLC and follow DevSecOps methodologies.
2. The three key ways the cybersecurity landscape is changing are: 1) expanded threat vectors; 2) the speed of change; and 3) legislation taking place.
The landscape, terrain, and targets are growing exponentially. There are more threat vectors including third-party applications, insecure IoT devices, mobile, and cloud technologies. 95% of the code is being built with open source software, and reusable code equals reusable vulnerabilities.
The landscape is changing on a daily basis with more devices and device types connected to the internet. One of the greatest challenges impacting organizations today is simply velocity. More things are connected to the network with poor security and plenty of bandwidth.
Legislation has amped up with GDPR and Australia's data breach disclosure requirements. There is a lot of legislative impact on security protocols and processes. This is the first time that data protection and data security are being enforced by law around the world. Fines and mandatory reporting are causing organizations to take cybersecurity more seriously.
3. The most effective security techniques involve multi-level and company-wide engagement and ownership. Security involves prevention, detection, remediation, and response. Compliance and best practices are very important, as are modern application security principles, DevSecOps methodologies, and security analytics tools. Organizations are the most effective when people, processes, and technology are all integrated into a continuous cycle that can adapt readily to change.
Employees need to become part of a security culture. Educate your staff on the need to follow the principle of least privilege, granting access to only those who absolutely need it. Security teams need to act more as coaches and consultants to the teams deploying code.
4. There is a tremendous breadth of use cases spanning 12 industries and 23 applications across the professionals with whom we spoke. As expected, financial services and healthcare were the most frequently mentioned industries while the most frequently mentioned applications were fraud detection and cloud security. Following are a few specific examples:
Alipay processes 100,000 payments every second. China Telecom has 450 million clients making billions of calls. All payments and calls are added to a graph database in real time, fed into a machine learning tool, and encrypted as they are sent out for fraud detection.
A security company performing background checks needed to collect 100 points of identification including tax returns, passports, and other information, which was stored and encrypted for as long as the data was needed for verification.
VMware is building microservices and is using a solution that could scale, provide visibility into the threat surface, keep an inventory of the code, and check the security of the open source code on the frontend without slowing down the development process.
5. The most common issues negatively affecting security are: 1) lack of compliance; 2) human error; and, 3) lack of skills and knowledge.
While many organizations have a well-defined security policy, enforcement and compliance are a challenge. Weak credentials or credential reuse have been responsible for breaches of websites like LinkedIn. It is rare for an organization to adhere to best security practices.
Human error and poor habits are the most common issues affecting security in the digitally connected world. People need to be trained and notified when they are doing something that jeopardizes the security of their network or device.
Awareness and security training are lacking. There is a shortage of qualified security professionals, and there is disagreement on whether developers need to be educated and whether they should be expected to be responsible for the security of their code or the applications they are building. While many organizations are ready to embrace DevSecOps, others are not.
6. Everyone interviewed had concerns regarding the current state of security. The most frequently mentioned concerns were lack of knowledge and governance as well as the speed and efficacy of the attackers.
There’s a lack of knowledge, education, and understanding. There needs to be a cultural shift so everyone in the company realizes security is their responsibility. Organizations are focusing too heavily on technology solutions and not enough on improving the basics of training and recruiting the right mix of personnel. Microservices are new to virtually everyone, and we see many more vulnerabilities per line of code than traditional applications.
Very few organizations or developers follow a security by design methodology from day one. There is a logical need for a well-developed and engineered solution. We need better standards, methodologies, and governance policies as well as more security oversight.
Hackers are getting smarter. The magnitude, frequency, and efficacy of security hacks are increasing. We’re seeing a lot more automated and sophisticated attacks that combine several pieces of malware from different pieces of the kill chain.
7. The future of security is automation supported by artificial intelligence (AI) and machine learning (ML). The ability to automate, removing much of the repetitive work and using a platform to complete tasks, is critical to keep pace with all of the changes and the different types of attacks. Likewise, organizations need the ability to automate the response to a threat, hence the need to adopt intelligent automation powered by AI/ML.
Identify how we can adapt to changing scenarios using AI/ML. Understand AI/ML well enough to optimize and implement it properly, and to understand how an adversary might use AI/ML against us. The future belongs to intelligent machines that augment security functions while working alongside humans.
8. Regarding security, developers need to keep security by design in mind along with a myriad of best practices. Embrace security early in the process, during design, and have it fully automated and integrated into the SDLC. Treat security as the nucleus and most important feature of the product. Grab DevSecOps with both hands and automate. The more developers know about security and the more secure code they develop, the more valuable they become.
Make secure development principles part of the way you think and work. Know the three key security frameworks: 1) Microsoft’s Secure Development Lifecycle (SDL); 2) Open Web Application Security Project (OWASP); and, 3) Industrial Internet Consortium (IIC). Avoid basic mistakes like injection and overruns. Seek security awareness training. Follow secure development best practices. Interact with security engineers. Understand that security is a team sport and everyone needs to be thinking about it.
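The "basic mistake" of injection mentioned above, shown side by side with its fix. This is an added illustration, not code from the article or from any of the companies interviewed; the table, user rows and the hostile input string are all constructed for the demo, and an in-memory SQLite database stands in for a real backend.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def setup_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The basic mistake: caller input is spliced into the SQL text, so any
    SQL metacharacters in the input change the meaning of the query."""
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The fix: a parameterised query. The driver binds the input as a value,
    so it is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on a benign name and on a constructed hostile string."""
    conn = setup_db()
    hostile = "' OR '1'='1"  # constructed input containing SQL metacharacters
    return {
        "benign_unsafe": find_user_unsafe(conn, "alice"),
        "benign_safe": find_user_safe(conn, "alice"),
        "hostile_unsafe": find_user_unsafe(conn, hostile),  # every row leaks
        "hostile_safe": find_user_safe(conn, hostile),      # no such user: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The two functions behave identically on a well-formed name, which is exactly why the unsafe form survives code review: the defect only shows on input the developer did not anticipate. A static check that flags string formatting inside a SQL call (as the DevSecOps tooling the article recommends would) catches it before the input ever arrives.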
However, ultimately, it’s the developer’s application and they are responsible for its security.
And if you're curious, here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA Veracode
- Stuart Scott, AWS Trainer / Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa