This week’s Security Central takes a peek inside the newly released blue-ribbon report commissioned by President Obama, explores what information security practitioners think of global cybersecurity readiness and takes a look at the cybersecurity jobs market.
To say that cybersecurity has been a hot topic throughout the entirety of 2016 would be a massive understatement. It seems that barely a week goes by without news of a major company breached, a report with findings pointing to the dismal state of security and awareness, or something involving Russia; there have certainly been a few common themes. Now, with the end of the year approaching and a new president-elect about to set foot in the White House, many of the same security conversations have surfaced once again. A few key stories this week bring together some of the biggest of those topics and conversations.
In a newly released blue-ribbon report commissioned by President Obama, two items of particular note and concern were highlighted as top cybersecurity priorities for the 45th President of the United States. The first addresses distributed denial-of-service (DDoS) attacks engineered specifically to disable web services. The second is the set of security concerns surrounding the “Internet of Things” (IoT).
The “Report on Securing and Growing the Digital Economy” comes from The Commission on Enhancing National Cybersecurity, the nonpartisan group tasked by President Barack Obama to develop “actionable recommendations for securing and growing the digital economy by strengthening cybersecurity in the public and private sectors.” The report begins by emphasizing that recent events (think Yahoo, Dyn, etc.) have “underscored the importance and urgency of this effort.” We couldn’t agree more.
The Commission recommended as its very first action item that the incoming President should launch a private–public initiative. “Specifically, this effort would identify the actions that can be taken by organizations responsible for the Internet and communications ecosystem to define, identify, report, reduce, and respond to attacks on users and the nation’s network infrastructure,” the report says. The Commission said the initiative should include regular reports on the preventative action organizations are taking, and on any legal, technological or regulatory changes that would affect the measures necessary to defend against cyber-attacks.
The report covers six major imperatives, and includes 16 recommendations and 63 associated action items. Number two on the list of major imperatives focuses on IoT security concerns, and vehemently urges the federal government, as well as private industry, to take concrete steps to drastically improve the security of the Internet of Things. With IoT growing the way it is, this is something we can no longer ignore as service providers.
Like many governmental recommendations, the report provides more generalizations than specifics. And it's anybody's call how a Trump administration will receive these recommendations. Regardless, this is just another call for channel folks to continue educating customers on the increasingly complex and harmful attacks that plague our networks. As we’ve talked about in past weeks, many MSPs are already working to boost the sophistication of their services, and some are broadening their security offerings and specialties.
In other news, information security practitioners around the world are handing out report cards these days. According to securitymagazine.com, the recently released 2017 Global Cybersecurity Assurance Report Card polled roughly 700 security practitioners in nine countries and across seven industry verticals in order to calculate a global index score reflecting overall confidence in the world’s cyber defenses. Well, the results aren’t terrible, but they’re not great. The data showed that global cybersecurity confidence fell six points over the course of this year, resulting in an overall score of 70 percent — a “C-” on the report card. Not dismal, but not exactly something you’d run home after school to show mom.
Why the decline in confidence? The report attributes the drop-off to a decline in the 2017 Risk Assessment Index, which “measured the ability of respondents to assess cyber risk across 11 key components of the enterprise information technology (IT) landscape.” For the second year in a row, practitioners cited the “overwhelming cyber threat environment” as the biggest challenge facing IT security professionals today, with “low security awareness among employees” and “lack of network visibility (BYOD, shadow IT)” coming in close behind. Addressing all three of these findings should give security partners more heft in their sales presentations in 2017.
“Today’s network is constantly changing — mobile devices, cloud, IoT, web apps, containers, virtual machines — and the data indicate that a lot of organizations lack the visibility they need to feel confident in their security posture,” commented Cris Thomas, a strategist at Tenable Network Security. “It’s pretty clear that newer technologies like DevOps and containers contributed to driving the overall score down, but the real story isn’t just one or two things that need improvement, it’s that everything needs improvement.”
Here are some of the 2017 Key Global Findings:
• Cloud Darkening - Cloud software as a service (SaaS) and infrastructure as a service (IaaS) were two of the lowest-scoring Risk Assessment areas in the 2016 report. SaaS and IaaS were combined with platform as a service (PaaS) for the 2017 survey, and the new “cloud environments” component scored 60 percent (D-), a seven-point drop compared to last year’s average for IaaS and SaaS.
• A Mobile Morass - Identified alongside IaaS and SaaS in last year’s report as one of the biggest enterprise security weaknesses, the Risk Assessment score for mobile devices dropped eight points, from 65 percent (D) to 57 percent (F).
• New Challenges Emerge - Two new IT components were introduced for 2017: containerization platforms and DevOps environments.
DevOps is reportedly changing the way software teams collaborate through “increased consistency and automation,” but that unfortunately also comes with its own set of fresh security concerns. Respondents rated their confidence in the ability to assess security during the DevOps process at a mere 57 percent. So it sounds like we still have a ways to go in this area, but, in the grand scheme of things, we can work with a C-.
To close out the week, a bit of encouraging news. According to an article on Channel Partners Online, for those with cybersecurity backgrounds and skill sets there are massive opportunities to be had; essentially, “the national job market is their oyster.” The article cites CyberSeek, an online cybersecurity jobs locator tool, which found that employers across the U.S. posted openings for nearly 350,000 cybersecurity workers this year. The data shows that an estimated 800,000 people are currently in cybersecurity roles across the country, while employers had an estimated 348,975 job openings over the past year.
“We’ve seen a presidential campaign impacted by hacked emails, data breaches and hacks at government agencies, theft of personal information from social media sites, health-care providers, colleges and universities, and a host of other organizations,” said Todd Thibodeaux, president and CEO of CompTIA. “This daily drumbeat of news about cyber-threats is a constant reminder of the need for cybersecurity readiness. Cybersecurity professionals are the frontline of cyber-defense. The need for skilled security workers has never been more pressing.”
We’ve heard this before, but with the cybersecurity climate being what it is, the urgency is indeed felt a bit more across the board. As we head into the next year, it will be vital to remember the hard-learned lessons of one of the most tumultuous years in security the world has ever seen, and to let them lead to a more informed, more secure 2017.