What lies ahead for cybersecurity in 2016?

For a different take in our series of 2016 predictions six members of the team at cybersecurity firm Rapid7 LLC have shared what they are predicting for the year ahead.

IoT vendors will improve security

Tod Beardsley, Security Research Manager

Beardsley believes that the security issues dogging the Internet of Things will reach a critical level of both awareness and accountability noting that given attention from Federal Trade Commission and growing coverage in mainstream media outlets about the state of security with IoT.

“I expect to see vendors of IoT devices take on real responsibility for the security of their devices…we in the security industry all know that hacking IoT devices is like dropping back ten years, and I believe that the mass consumer market will drive creative and realistic solutions to the problems of old software, old build processes, and the fractured patch pipeline.”

Improved communication from the security industry

Rebekah Brown, Threat Intelligence Lead

Brown believes that the security industry will break free from what she refers to as the “echo chamber.”

“We are already seeing this with security researchers spending more time talking to law makers and infosec professionals actively reaching out to engage with non-security sector organizations. This trend will (hopefully) continue into 2016 and will help break down the communication barrier that continues to plague us as an industry.”

Increase focused by Government in cybersecurity

Jen Ellis,Vice President of Community and Public Affairs

Ellis believes the massive focus on cybersecurity in the policy sphere will continue, and perhaps even increase in the year ahead, with organizational and system changes made by the Obama Administration to reflect this prioritization.

“With this continued emphasis on cybersecurity in the Government, I hope we’ll see the level of engagement between policy makers and the security community increase, and I hope we’ll see it drive positive outcomes.”

“However, I am concerned that we’re likely to see some pretty scary legislation being proposed – we’ve already seen a bill that would prohibit independent security research on cars. It’s on us to educate legislators about the potential fallout of these efforts. I hope we’ll see the security community take a more collaborative, thoughtful, and productive approach to engaging policy makers, so we can avoid legislation that hinders security, rather than helping it.”

Increased transparency in incidence and breach communications

Trey Ford, Global Security Strategist

Ford wants people to come and see the softer side of security.

“My prediction is probably aspirational: I am hopeful we’ll see more transparency in incident and breach communications. The public isn’t afraid of “yet another breach,” they’re afraid the organizations they have a relationship with will violate their trust. In our series on the Vocabulary for Event Recording and Incident Sharing (VERIS), we’ve talked about the questions the public wants to see answered: who took what action, against what systems or information, with what impact, when, and what is being done about it?”

“Security will continue the shift of focusing more on trust than compliance”.

Security will become more of a concern, but we won’t be DDoSed by toasters

Guillaume Ross, Senior Security Consultant at Rapid7

Ross believes that privacy and security will become more of a concern for consumers in 2016, and perhaps a slight marketing advantage for hardware and software vendors, though it will not become the main criteria for most people choosing a device such as a smartphone or an operating system.

“As we are talking about things that will probably not happen, let’s get those un-predictions out of the way:

• The Internet will not get DDoSed by a botnet of fridges and toasters, though a few will certainly take hold.
• The Internet will not get DDoSed by a botnet of smartphones, as they will run out of power after an hour.
• Information Security jobs will not be filled rapidly, as companies will still be struggling to find staff, preferring managed services in many cases, where appropriate.

No, not everyone will be done patching Heartbleed, and no, the amount of services exposed to the Internet at the end of 2016, including SCADA systems, will not be lower than the amount of services exposed at the end of 2015.”

A growing gap been well and poor managed security

Corey Thomas, President and Chief Executive Officer

We’ll see a greater gap between the well-managed and the poorly-managed, our security version of income inequality. The poorly-managed will continue to ignore, pay lip service, and rely on mostly on controls. The well-managed will recruit teams directly or through partnerships and build effective programs.

Image credit: niexecutive/Flickr/public domain Government photo