There is still time for any list of the “top information security issues of 2014” to be rendered obsolete. The holiday shopping season is just getting into high gear, after all, and everybody knows it was from late November to mid-December last year when the catastrophic Target breach occurred.

But this list is about more than attacks and breaches – it is about broader infosec issues or trends that are likely to shape the future of the industry.

Several experts offered CSO some thoughts on their top picks, what can be learned from them and whether that knowledge can help organizations improve their security posture in the coming year.

Cyber threats trump terrorism

An Associated Press story this past week on the federal government’s $10-billion annual effort to secure its multiple agencies noted, almost in passing, that “intelligence officials say cybersecurity now trumps terrorism as the No. 1 threat to the U.S.”

That makes sense to Sarah Isaacs, managing partner at Conventus. While cyber attacks have been expanding and evolving for decades, Isaacs said there has been a qualitative change: It is not just criminals trying to steal money – it is nation states using it for espionage and even military advantage.

In May, “the Department of Justice indicted five members of China’s People’s Liberation Army on felony hacking charges for stealing industrial secrets,” she said. “We’ve never seen that before.”

Then in September, “NATO agreed that a cyber-attack could trigger a military event,” she said. “This is about more than protecting credit cards. This is escalating to new levels.”

Author, security guru and Co3 Systems CTO Bruce Schneier would likely agree. In a recent blog post, he wrote that increasingly sophisticated attacks, especially advanced persistent threats (APT) that are not about financial theft, are coming from “a new sort of attacker, which requires a new threat model.”

There is evidence of that in a recent study by ISACA on APTs. CEO Rob Clyde said 92% of respondents “feel APTs are a serious threat and have the ability to impact national security and economic stability.”

Increasing cloudiness

Clouds – private, public and hybrid – are not new. But the steady increase in the use of cloud storage services is posing larger risks to businesses.

Schneier, in his blog post, said the continuing migration to clouds means “we've lost control of our computing environment. More of our data is held in the cloud by other companies …”

While experts say cloud service providers frequently provide better security, that may not be true of so-called “shadow” or “rogue” use of clouds by workers who believe that is an easier way to do their jobs than going through IT.

Internet of Everything (IoE) – a hacker frontier

The Internet of Things (IoT) is so last year. It is now the IoE. Smart, embedded devices in homes, cars, electronics, machines, and worn by individuals are now mainstream. They already number in the billions, and estimates of their growth range from 50 billion by 2020 to more than a trillion within the next decade.

And that means a growing tsunami of data flowing to the Internet, where it can be sold for marketing purposes or stolen for more malicious means.

Isaacs, who says she is among those who use an exercise wearable, said she used “dummy data” to register it. “So nobody knows it’s my data,” she said. “It can’t be mapped directly to me.”

In general, however, she said, “everyone is oversharing everything. The threats are broad and potentially catastrophic. I’m very nervous about the smart cars I see.”

There does seem to be an increasing awareness of the privacy implications of smart cars. The AP reported this week that 19 automakers that make most of the cars and trucks sold in the U.S. signed on to a set of principles, delivered to the Federal Trade Commission (FTC), that seek to reassure vehicle owners that the information gathered by those vehicles “won't be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads … without their permission.”

The vulnerabilities of “smart” devices to hacking have been demonstrated numerous times, prompting Phil Montgomery, senior vice president of Identiv, to call for “a more regimented standards-based security approach that relies less on outdated processes around username/password technology and more on stronger forms of authentication.”

No parties for third parties

This was the year that the risks of breaches through third-party contractors made it into mainstream consciousness. The Target breach, which exposed 70 million records, was just one of many that came through outside vendors.

Regulatory agencies are trying to maintain that awareness. Stephen Orfei, the new general manager of the Payment Card Industry Security Standards Council (PCI SSC), noted in a recent interview that “security is only as good as your weakest link – which means the security practices of your business partners should be as high a priority as the integrity of your own systems.”

Christine Marciano, president of Cyber Data-Risk Managers, said that in addition to vetting vendors for rigorous security standards, companies should “require their vendors to carry and purchase cyber/data breach insurance, to indemnify them for any costs associated with a data breach caused by the vendor’s negligence.”

The porous, sometimes malicious, human OS

While third parties may be a weak link in the security chain, that is less likely due to technology and more due to the human factor.

It was former National Security Agency contractor Edward Snowden who brought the risks of malicious insiders to international attention in 2013, but the danger to enterprises can be just as great from loyal insiders who are simply "clueless or careless," and fall for social engineering scams.

Joseph Loomis, founder and CEO of CyberSponse, said he is “sure there are major companies out there with little controls over their employees and their access rights. Who is watching who and what they’re doing?”

It is also about employees controlling themselves when presented with ever-more persuasive social engineering attacks. The federal government reported earlier this year that 63 percent of the breaches of its systems in 2013 were due to human error.

According to Marciano, “employee negligence was at an all-time high in 2014,” with the problems ranging from “failure to perform routine security procedures to lack of security awareness, routine mistakes and misconduct.”

Eldon Sprickerhoff, cofounder and chief security strategist at eSentire, noted that “phishing emails are getting better and better. I’ve seen some that were so well targeted, so well done that I could not tell the difference.”

And it is not just the average worker who is a problem. Identity Finder CEO Todd Feinman said the problem goes all the way to the top. “Many executives don’t know where their sensitive data is, so they don’t know how to protect it,” he said.

Ubiquitous BYOD

While BYOD is now mainstream in the workplace, Isaacs calls the increased focus on mobile computing “very scary, and it’s going to get even worse.”

BYOD is now bringing “extremely unreliable business applications inside the walls of corporations,” she said. “There are a lot of software vulnerabilities. Every app that is free or 99 cents probably doesn’t have a great level of security. And people don’t install patches either.”

According to Clyde, “there are now many times more mobile devices than PCs in the world. In fact, in many regions of the world, mobile devices are the only way most users connect to the Internet,” yet security remains a relative afterthought. ISACA found that “fewer than half (45%) have changed an online password or PIN code.”

And now connected wearable devices (BYOW) are becoming common in the workplace, yet “a majority of professionals say their BYOD policy does not address wearable tech, and some do not even have a BYOD policy,” Clyde said.

The age of Incident Response (IR)

All of the above issues have led to an increased focus on IR. According to Schneier, this is not just the year but the decade of IR, following a decade of protection products and another of detection products.

In his blog post, he cited three trends: more data held in the cloud and more networks outsourced; more APTs by nation states; and a continuing lack of investment in protection and detection, leaving the bulk of the burden on response.

But IR has been more on everybody’s lips in 2014 than even a couple of years ago. The mantra of security experts is that it is not a matter of if, but when, an organization will be breached, and that an effective IR plan (combined with detection) can make attacks more of a nuisance than a disaster.

Getting IR right is crucial, but Tom Bain, vice president of CounterTack, calls it “the hardest job in security. You can have all the technology in place to detect, prevent and analyze, but if your workflow is broken, or the team is so inundated with incident investigation, you are still vulnerable,” he said.

More regulation, please

An industry that generally decries government regulation – retail – is now singing the opposite tune when it comes to cyber security.

A Nov. 6 letter signed by 44 state and national organizations representing retailers, addressed to the leaders of both houses of Congress, called for “a single federal law applying to all breached entities (to) ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”

Sprickerhoff said such a law would be “a good first step. There are 38 states with different definitions of what is a breach, so things are getting a bit out of hand,” he said. “If you had a unifying description of what needs to be done, that’s not a bad thing.”

But, of course, notification is not the same as improving security. And there are limits to what regulation can accomplish in that area.

“I worry that ‘compliance with frameworks’ attracts a lot of attention,” said Richard Bejtlich, chief security strategist at FireEye. “I would prefer that organizations focus on results or outputs, like what was the time from detection to containment?

“Until organizations track those metrics, based on results, they will not really know if their security posture is improving,” he said.

What to do?

There are, of course, no magic bullets in security, Isaacs said, noting that it’s almost impossible to say what is the biggest threat. “I heard a speech where it was described as ‘death by a thousand cuts,’” she said.

But experts do have suggestions. Sprickerhoff said more training is crucial, not just the security awareness of employees, but the next generation of IT security experts. “I don’t think it’s ever been harder to find good people in IT security,” he said. “There’s not much in course work at the college level.”

Eyal Firstenberg, vice president of research at LightCyber, said improving security is going to take a combination of technology and training. “There is a need for fast and accurate alerts and notifications, which ultimately determine the outcome of these cyber engagements,” he said, but added that “organizations need more professional diagnosticians on staff who are trained to know what threats are real and need to be addressed, and which ones aren’t.”

Ashley Hernandez, an instructor for Guidance Software, calls for more communication among organizations. “Security professionals need to have a way to share intelligence about patterns or attack types to others in their industry or trusted security groups,” she said.

Clyde notes that ISACA “has a number of programs, from risk governance frameworks like COBIT 5 to the Cybersecurity Nexus (CSX), to ensure cybersecurity professionals have the skills they need to defend enterprises from the plethora of threats.”

Finally, Loomis offers a short list:

Improve procurement processes. “It takes too long to buy new tools,” he said.

Start educating your staff on what the DHS and NIST Frameworks really are. Read the MITRE book on the 10 strategies to a world-class SOC.

Stop believing the marketing and get real-world feedback on tools. “Security has put a lot of money into marketing, but that doesn’t mean the solution is right for the organization,” he said.

Run simulations. “When was the last time a company ran a real cyber drill?” he asked.

Stop following paper policy. “Militarizing your team, running drills, making it second nature is what will help the response process, not following a check list,” he said.