Security in 2017

My obligatory 2017 predictions

Interesting times will continue for security pros into the next year.

2017 predictions

Many CISSPs finish December in a panic as they try to complete their required CPEs for the year. The good news is that there’s a large number of vendor webinars on the cybersecurity year in review and on 2017 cybersecurity predictions, which a CISSP can view to finish the year in good standing.

As to 2017: Yogi Berra said that it’s difficult to make predictions, especially about the future. Truth be told, it’s not clear who first said that. Those with inquiring minds will like this Quote Investigator piece, which attempts to answer the question.

With a focus on information security, many have grumbled: with hundreds of billions of dollars spent, why aren’t things getting better? Why will 2017 be a repeat of the security problems that have plagued us for the last decade? Ultimately, they want to know why we still have so many security and privacy problems.

With that, what does 2017 hold for information security? You may not get any CPEs for reading this article, but here are four of my predictions for 2017.

The voracious appetite for information security products, especially appliances that purport to solve everything will continue and 2017 will be a big spending year. With both expo floors at the 2017 RSA conference sold-out, there’s certainly a rosy future for information security software and hardware vendors.

In fact, 2017 looks to be a banner year for vendors. IDC writes in Worldwide Network Security Forecast, 2016–2020 that the worldwide network security market will have a compound annual growth rate of 9.2 percent, reaching $16.1 billion in 2020. This growth will be driven by a combination of products, including specialized threat analysis and protection (STAP) products, other specialized products such as DDoS and DNS security products, and Secure Sockets Layer (SSL) decryption products.

The so-called information security staffing crisis will continue into 2017, but not for the reasons you’d think.

From a staffing perspective, the Forbes article One Million Cybersecurity Job Openings In 2016 caused a significant amount of consternation. The reality is that the 1 million figure was simply hype. In a recent Computerworld article, U.S. says cybersecurity skills shortage is a myth, Patrick Thibodeau writes that the turnout at a government job fair was so great that the government seems to think the dearth of security staff is no longer such an issue.

The truth is that there’s not an overly serious information security shortage. It’s about as real as the acute pilot shortage that airlines are supposedly facing. Back in 2012, the Wall Street Journal reported that U.S. airlines are facing what threatens to be their most serious pilot shortage since the 1960s, with higher experience requirements for new hires about to take hold just as the industry braces for a wave of retirements. In a rebuttal, the Coalition of Airline Pilots Associations astutely noted that when airlines continue to lower pay and benefits, reduce if not completely eliminate retirement plans and other similar career expectations, then quality individuals look elsewhere for employment.

Based on my experience and that of others, while there’s indeed a shortage of information security professionals, the underlying issue is that firms are simply not offering reasonable salaries to get them. Pay the people and they will be on your payroll; it’s that simple.

Many firms also don’t know how to recruit security people. Even S&P 100 firms like Honeywell and Verizon think that by using large sets of low-cost and clueless recruiters they’ll be able to find qualified staff.

I don’t know of a single firm that pays reasonable market salaries to prospective employees that has significant issues finding qualified staff. Those that claim they can’t find information security staff need to understand that the reason for their predicament is their refusal to pay market rates for prospective employees.

2017 will be the year many European firms finally start taking the General Data Protection Regulation (GDPR) seriously. GDPR is a personal data protection regulation from the European Union (EU). It deals with the protection of personal data and the free movement of that data. It supersedes the EU General Data Protection Regulation 95/46/EC of 1995.

The fact that it goes into effect in May 2018 may lead some firms to think they have adequate time to deal with it. Make no mistake, GDPR is an immense monstrosity of a regulation that any mid- to large-sized firm should have already been preparing for. Large firms have been busy on GDPR for a while; other firms should follow their lead.

How big is GDPR? Here’s but one example of many – you have to know who has access to what data, for what purpose, for how long, and what actions were performed on that data, and you must track all of that. For firms that must comply with GDPR, if it doesn’t scare them as much as The Conjuring, they simply don’t understand the regulation.

GDPR also includes a whole slew of other requirements covering eDiscovery, encryption, mobile, incident response and lots more fun stuff. It’s important to realize that GDPR has a very broad notion of what personal data includes. It’s not just the traditional data and metadata; it now includes biometric, genetic, economic, cultural and social identity data, and more.
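As an added illustration (not code from the article or from any GDPR tooling), here is what the "who, what, for what purpose, for how long, and what actions" tracking requirement looks like as a minimal access log: every access to a personal-data category is tied to a registered purpose with a retention period, unregistered purposes are refused, and lapsed access periods can be queried. The purposes and records are constructed sample data.

```python
"""Audit trail for personal-data access: who, what, why, how long, and
what was done. Added illustration, not code from the article; the
purposes and records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Purposes the controller has registered, with how long access may last.
REGISTERED_PURPOSES = {
    "billing": timedelta(days=365),
    "support": timedelta(days=30),
}

@dataclass
class AccessRecord:
    who: str
    data_category: str    # e.g. "economic", "biometric", "genetic"
    purpose: str
    action: str           # "read", "update", "export", "delete"
    granted_at: datetime
    expires_at: datetime

@dataclass
class AccessLog:
    records: list = field(default_factory=list)

    def record_access(self, who, data_category, purpose, action, now):
        """Append an entry; refuse anything without a registered purpose."""
        if purpose not in REGISTERED_PURPOSES:
            raise PermissionError(f"no registered purpose: {purpose}")
        rec = AccessRecord(who, data_category, purpose, action, now,
                           now + REGISTERED_PURPOSES[purpose])
        self.records.append(rec)
        return rec

    def expired(self, now):
        """Records whose access period has lapsed and needs review."""
        return [r for r in self.records if r.expires_at <= now]

    def who_touched(self, data_category):
        """Answer 'who accessed this category, for what purpose, doing what?'"""
        return {(r.who, r.purpose, r.action)
                for r in self.records if r.data_category == data_category}

def demo():
    """Constructed sample: two accesses on 1 Jan 2017."""
    t0 = datetime(2017, 1, 1)
    log = AccessLog()
    log.record_access("alice", "economic", "billing", "read", t0)
    log.record_access("bob", "biometric", "support", "export", t0)
    return log
```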

Internet of Things

The explosion of Internet of Things (IoT) devices will continue, and security will remain the prime IoT deployment constraint. We’ll see a major IoT device compromise in 2017. Given how ubiquitous they are, we’re talking about millions of devices. And we’ll see that IoT is not just a consumer problem; it’s an enterprise security issue as well.

In September, the Justice Department formed a threat analysis team to study potential national security challenges posed by IoT devices. Anyone looking for a blanket solution to fix IoT security issues will be sorely disappointed as no such solution exists.

Those developing or implementing IoT should take a structured approach to evaluating the risks. Pete Lindstrom and Robert Westervelt developed a threat model for IoT architectures to properly identify the attack vectors that an intelligent adversary may use to compromise or disrupt IoT solutions. Those considering large-scale IoT deployments should look at the Lindstrom/Westervelt model.

Bye-bye 2016

It’s never a dull moment, and often a very stressful one, for those working in information security. Some will say “may you live in interesting times.” It’s always interesting times in information security. Have a great 2017.

Copyright © 2016 IDG Communications, Inc.