As we kicked off our recent #SecChat on the future of network security, our first question was one of challenges: what are the biggest challenges that netsec professionals see today that weren’t an issue five years ago? Not surprisingly, two key challenges that our participants cited were cloud integration and information leakage through social media.
Both @Chort0 and @Sjvermeu noted that cloud-based services are causing a previously unseen loss of control for IT teams. With SaaS-based apps, the need for visibility and control over who is doing what on the network becomes more complicated, and as @BikramGupta pointed out, seamless integration is key.
In the realm of social media, @Lubinski and @JaysonStreet noted that social is a brand new attack vector that organizations are still scrambling to control. On the one hand, social can be extremely beneficial for businesses to connect with their staff and customers. On the other hand, as @JaysonStreet pointed out, malicious actors can now easily send malware-laden links directly to a CEO on Twitter. Not only that, but how can you protect employees when so many are bringing their own devices into the workplace? A laptop could be infected via a malicious link on Facebook or Twitter at home, and then get brought into the office the very next day.
Next, our conversation shifted to Next-Generation network security technologies like NGFW and NGIPS. As a general rule, our participants weren’t buying into the “Next-Gen” hype, since the term in many ways still lacks a hard definition. Still, there was agreement that some of these technologies may offer additional security, especially as time goes on.
On a related note, @Chort0 brought up a topic that resonated widely with our audience: the idea that smart security programs invest in people first, technology second. The consensus, in the words of @JaysonStreet, was that businesses must start understanding that every member of their workforce is part of the information security program. @JGamblin brought up the important point that information security people need to look at their employees as allies, not enemies, and that effective security awareness programs are key. On an amusing side note, he offered this video as an example of “broken” security awareness – darkly humorous when you realize that there are companies out there who actually show videos like this as a substitute for built-out awareness programs.
Other participants offered their thoughts as well, with @securelexicon chiming in that corporations should support employee attendance at security conferences – compensating them for time, etc. @JTyrus and @JadedSecurity also noted that security awareness must be a part of the onboarding process to set the tone and expectations for new employees before setting them loose on the corporate network.
Unsurprisingly, when @TylerbCarter asked our crowd what new security tools they would deploy today that they don’t already have (budgets aside), the most common response was increased investment in human capital. @Sjvermeu responded that organizations must start with their security teams; there are way too many large companies out there that currently have no one dedicated to network security. @Chort0 agreed, noting that if they had unlimited budget, they’d hire a lot of people before buying anything.
Finally, we wrapped up our discussion by asking for predictions: Where did folks see network security headed in the next six months, year, or five years? I think @Sjvermeu and @JadedSecurity summed up our conversation well by noting that as time goes on, organizations will start to realize that they have misappropriated resources in the past. We’re reaching a point where your network is my network – now companies need to start controlling it not only with technology solutions, but also by investing heavily in their most important resource: people.