2016 was a tough year for celebrities and not an altogether great year for IT. I’m going to break from my normal annual predictions format and cover two things as we start 2017. I’m going to talk about lessons we need to learn from 2016 and things we should look forward to in 2017.
2016’s Tough Love
Weak IT = Weak Cyber. For a number of years, IT budgets have been shrinking on the whole while cyber budgets increase. This is not working. Cyber is too dependent on solid IT operations to be effective as a silo. Patching, identity management, and application management are critical for cyber and require a strong IT operations organization.
Cloud Security Is Not a Check Box. Many customers allowed business units to directly get their needs from the cloud. In pilot modes, this didn’t cause many problems, but as some of these solutions moved to production, they got hacked. Apparently checking the "Yes, I’d like security on my cloud solution" box did not completely secure the solution. This doesn’t really have to do with an inherent flaw in cloud security; it just needs to be provisioned correctly by someone in your IT department who understands your company’s assets and risk.
End Users Are Not in Charge. In a rush to provide a better IT experience, many IT groups worked to make a more consumable IT experience. BYOD, corporate app stores, and many other programs are designed to make users feel like internal IT was in the business of their personal satisfaction. Yes, but…
Yes, but not to the detriment of the company’s business needs. Yes, but not in a way that endangers company assets. End users can ask for anything they’d like. Sometimes we need to say no.
This Isn’t Staples and There Is No “Easy Button.” There are a number of technologies promising to solve everything without additional process discipline or headcount. They’re lying. Machine learning, behavior analytics, and isolation technologies all show promise. None of them are magic. None of them solve all the problems we have today.
2017 Predictions
IOT. There isn’t much we can do about people hacking into consumer devices for large-scale denial of service attacks. However, I do think that parts of the IOT world will get serious in 2017. We will get serious about corporate-owned IOT. If you’re in cyber for a hospital and have no idea how to secure your own medical IOT devices, you need to fix that. Ditto for industrial control systems in places like public utilities and pharmaceuticals.
The Internet Is Dark. I blogged on this earlier this year. We’re going to be relying more and more on the endpoint and the proxy to give us key vantage points into unencrypted traffic.
Insurance Industry Wakes Up. People have been looking at cyber insurance as a means to mitigate some of their risk. Most of the policies that exist today are so narrowly written that they’re not much of a mitigation. Two things are happening here. First of all, there’s a market. Customers want it. Second of all, the insurance industry is getting smarter about what kind of risk any given client has. In the end, I think this helps everyone.
Mobility Hacks Come of Age. Expect more cell phone-specific hacks this year. It’s a great opportunity as more and more commercially valuable data is on cell phones and we haven’t done a great job protecting them.
Windows 10. 24% of business PCs sold are being ordered with Windows 10. That’s less than I expected last year, and surely less than MS would like, but I think 2017 will close the gap. By the end of 2017 more than half of enterprises will be using Windows 10.
Honestly, looking forward to 2017, I’m probably not concerned about what’s going to happen. I don’t think it’s all that different from what’s been happening already. What I’m really interested in is our reactions to the ongoing changes around us. We don’t control what’s going on, but we do control our reactions. As things get more serious with cyber but IT budgets continue to shrink, how will we react? Will we be more serious about limiting the catalog of IT services we offer? Will organizations try to create better boundaries around secure vs. insecure IT operations? Will shadow IT become a thing of the past?
These are the real questions and it’s something each business will need to work out for itself.