With over two decades of experience working in the world information security risk and data protect, Tenable Network Security Co-Founder and Chairman of the Board Ron Gula has seen it all.During his keynote at their year\u2019s AISA annual conference, attended by over 1000 infosec professionals, Gula said the security industry has done a poor job of answering a fundamental question \u2013 are we secure?In seeking an answer to that question, Gula says he has spoken to more senior IT execs over the last tow years than in the preceding years of his career. What he\u2019s seen is the emergence of three key issues. These are the rebirth of network forensics and detection, a focus on risk management and the new wave of resilient, secure design patterns \u2013 something he sees as the \u201cfuture of cybersecurity\u201d.With the establishment of commercial and open source sandboxing tools, Gula says their popularity was fueled by their ability to detect malware that had bypassed other defensive measures.\u201cBut it\u2019s impossible to ascertain and detect all the bad traffic and put it in one spot,\u201d says Gula.This lead to posture many organisations took by assuming they had already been breached.Gula says he like the idea of being able to capture all the network traffic and put it in one spot. But on massive networks that can be very difficult, particularly if much of the business is operating on SaaS platforms.At another recent conference, Gula noted many of the attendees, who were network engineers with a deep understanding of tools such as Net Flow, didn't know they could receive telemetry on the data moving to and from larger SaaS providers such as Salesforce or Office 365.Complexity is a significant issue says Gula. As we add more tools and processes around security we make things much harder for ourselves. But he says there\u2019s been a \u201crebirth in simple types of analysis\u201d.The new tools he\u2019s seeing are very similar to existing SIEM and monitoring tools but have a focus on the users rather than the masses of data. These employ User Behaviour Anomaly (UBA) detection\u201cThey\u2019re trying to simplify how to look at all of their users and look for that insider threat and detection\u201d.Risk management and compliance frameworks are important says Gula. However, they do have a negative reputation, particularly as they are perceived to stifle innovation.Security is a journey and no one is 100% perfect says Gula. The risk of being \u2018compliant\u2019 is that this is seen as an end-point."There's continuous improvement. A framework gives them a common language to talk about security".When it comes to designing for security, Gula says most people are not going to get to the point when they're secure. What we want is to create secure and resilient systems by design.An example of how this is already being done in through containerised builds. For example, many cloud services are delivered without a traditional operating system.In the past, when an application was deployed it needed a web server, operating system and some custom code. If the application was important there might be a second installation for redundancy. Then there\u2019s monitoring and other support services.Gula says that if you were building that same application today you would take a difference approach.Online providers, such as Amazon, make this much simpler.\u201cLet\u2019s look at Uber,\u201d says Gula. \u201cUber only wrote about 5% of the code they\u2019re running. All the rest of that code was done by Amazon and technology that was already out there. That technology is not only very robust - it\u2019s something that\u2019s tested over an over again by many, many people\u201d.Those pieces of code Uber and others use are relatively small. They execute without an operating system or hypervisor. By running on far less code, the software is easier to manage and, as it\u2019s simpler, has fewer vulnerabilities he says.For example, a web server that communicates over ports 80 and 443 doesn't need a lot of other supporting code. And with so many people using the same code, the odds of it being vulnerable are low as it has been heavily battle tested.This allows system designers to focus on building functionality rather than all of the other supporting components needed to make an application work.\u201cTaking away the operating system to run your unique code is brilliant,\u201d says Gula.