cybersecurity Archives - Zenaciti
https://zenaciti.com/tag/cybersecurity/
Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity

2026 Cybersecurity Predictions
https://zenaciti.com/2026-cybersecurity-predictions/
Sun, 14 Dec 2025 21:19:13 +0000

Cybersecurity in 2026 will be easier thanks to cloud and AI advancements, but persistent executive apathy and new AI-specific threats may derail that.

In 2022, I released the 2023 Cybersecurity Anti-Predictions. They were a response to the litany of cybersecurity “thought leaders” who roll out annual predictions, which are extremely predictable.

However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of threat is that it targets the AI platforms, and not the end users of those platforms. This limits the scope of this threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not locate any confirmed instance of a data poisoning attack; however, that does not mean it has not happened.

A larger issue is employees sending company data into AI platforms with no regard for the sensitivity of that data. This poses a complex challenge for organizations that want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I had a CEO once tell me he was sick of security slowing down his company. Here we are a decade later and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review Board. The message was unambiguous: security is unimportant.

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organizations, this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product has evolved into a respectable security platform. Azure environments have Sentinel built-in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It even can write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot of the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”.) Cloud providers, like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.)

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically every day. And some of those are free, such as Cloudflare Tunnels, which allows anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

[Image: cats playing pickleball. Caption: AI is hard at work defending your assets.]

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

What New Yorkers Should Do After the Recent Social Security Number Data Breach
https://zenaciti.com/what-new-yorkers-should-do-after-the-recent-social-security-number-data-breach/
Thu, 22 Aug 2024 01:00:42 +0000

Zenaciti CEO Andrew Plato comments on the 2.9 billion records hackers stole from background check company National Public Data.

Back in April, a group of hackers reportedly stole over 2.9 billion records from a background check company called National Public Data.

“The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es),” NPD said. “We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you.” (The NPD site is now closed, due to this incident.)

CBS New York interviewed Zenaciti CEO Andrew Plato on what consumers should do. Check out the full story at CBS News.

Cybersecurity Anti-Predictions for 2023
https://zenaciti.com/cybersecurity-anti-predictions-for-2023/
Wed, 04 Jan 2023 23:52:06 +0000

Each year we are flooded with cybersecurity predictions. Each year these predictions are entirely predictable. This year, how about some anti-predictions?

Every December, social media is flooded with cybersecurity predictions for the next year. With each passing year these predictions become — wholly predictable.

How many times have we heard some variation of:

  • Attacks against ____ will increase.
  • _____ attacks will continue to evolve and become more sophisticated.
  • The rise of ____ will give attackers new ways to _____ (AI is the latest in this category.)
  • Boards will finally get serious about security.
  • The cybersecurity staffing crisis will continue.

The cybersecurity industry is stuck in a loop. It keeps predicting the same things, repeating the same stories, and advocating the same exhausted cliches expecting things to change. Every year attacks increase, new technologies will save and/or kill us, and executives are on the edge of finally accepting security as a serious issue. These predictions never come true.

See the 2026 Cybersecurity Predictions

Therefore, I present my anti-predictions for the 2023 cybersecurity industry:

The Threat Landscape is Changing

Not really.

In 2023, everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.

In fact, I believe that the threat landscape has remained static for the past 20 years. The threats of today are not dramatically different than 2003. Viruses and worms are now called ransomware, but they function largely the same. Hackers are still hunting for credentials and cracking passwords. The avenues of attack are mostly the same: email, websites, etc. Attacks cause more damage today, but that is relative. Everything is more complex and operating at a larger scale than 2003.

In 2023 we have more technologies to detect threats and more words to define them, but the actual threats are the same.

Executives Will Start Taking Security Seriously

Probably not.

One thing you can always count on when there is a big data breach is social media channels filled with “thought leaders” exasperated at how leadership ignored such obvious security problems. These insufferable Captain Obvious crusaders cannot comprehend how people can be so irresponsible.

The reason for executive inaction is simple: it is easy to blame somebody else. When a breach happens, the board or CEO can line up the IT department and blame them. They can then make a promise to fix everything. (See: SolarWinds case for proof of this.)

Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.

As such, they fall back to the next item on this list.

Companies will Commit to Stronger Security Defenses

No, they will stick with “good enough” security.

It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.

This is why executives are obsessed with copying what other companies are doing. They reason that if a product is good enough for a big company, like Netflix or Apple, then it must be good for everybody. This ignores the fact that technology is useless unless it is implemented and managed properly.

Companies keep throwing technologies at security problems and consistently fail to operationalize those technologies. That is because doing the operationalization work is complex, unrewarding, tedious, and does not get you likes on LinkedIn. This is a positive feedback loop: bad security, begets more tech, begets more complexity, begets weaker security, and return to start.

Or as RoboCop’s Dick Jones says, “who cares if it works.”

We Will See a Megabreach that Cannot be Ignored

We are already ignoring them.

2023 will undoubtedly see plenty of data breaches. They will get plenty of coverage and then fade from memory. This is partially due to breach fatigue, but also because breaches are not that serious to most companies. They cause a brief period of turmoil, and then are quickly forgotten.

The recent LastPass breach is a good example. While some of us dumped LastPass, thousands shrugged off the news. It is too difficult, time consuming, and complex for most organizations to replace them. Once a technology is entrenched in organizations, removing it is painful.

Megabreaches are also so common these days, that they have lost their impact. There is little we can do to stop them.

Security Staffing will See Improvements

Not likely.

Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.

This is because working blue team defense in cybersecurity is like being the janitor’s assistant’s intern. All the miserable work (such as compliance implementation) is dumped on you. The executives treat you with contempt. If you report any serious issues, you are either ignored or retaliated against. When there is a breach, you are blamed, fired, and humiliated. Meanwhile, you are expected to know how to secure everything, everywhere, with flawless perfection.

The cybersecurity industry is top-heavy with self-important thought leaders who are unable or unwilling to get their hands dirty with the operational realities of security. The industry keeps venerating these people, while ignoring the regular folks who grind away every day keeping things safe.

This also causes skilled security people to seek out careers that are safer, such as penetration testing. Oddly enough, breaking into environments is a more rewarding job than protecting them.

Bitter, Party of One

Okay, maybe all of this sounds a little bitter.

I point out these problems because I know they are fixable. I have seen organizations with strong, effective information security programs. I have met some brilliant operators who can single-handedly solve vexing problems. I believe…no…I KNOW there is a brighter future for security.

That brighter future is frustratingly difficult to achieve when there are so many impediments to success. Annual cybersecurity predictions are only perpetuating these problems.

The Brighter Future

Let’s set the cynicism aside and think about what we could do differently this year. Here are some of my ideas:

  • Stop buying new technologies, or settle on new ones and plan to stick with them at least a few years.
  • AI will not solve everything. It is merely a new tool. It must be mastered like any other tool.
  • Hire people that are slightly unqualified for security roles. Grizzled “experienced” people often come with a ton of baggage.
  • Focus security on operationalizing and automating every aspect of security.
  • Stop making excuses and move all your workloads to the cloud. Containerize as much as you can.
  • Pay your operators more so you can attract the smart ones. Hire more of them so they can learn from each other. Reward the creative ones.
  • If you hire a managed security provider, hold them accountable. If they cannot deliver, fire them quickly and replace them.
  • Focus on changing faster, making people more comfortable with change, and making your environment able to change at a moment’s notice. Ability to change = effective security.
  • You are not going to educate your users. Users are human and all humans do stupid things. If your company cannot handle human stupidity, then you will never be secure. Human stupidity is a constant. Build systems that can withstand constant interactions with stupidity.
  • If you do not have a person on staff who can write (decent) documentation, get one. Now. Document everything. Follow it.

These are only a few ideas. I would love to hear your ideas. That is where real answers begin to emerge. When we accept that something is not working and want to make it better.

Conclusion

I predict in 2023 cybersecurity will make many of the same mistakes. I also predict a few people will start to see a brighter future. They will become agents of change. They may be disliked and even feared. Yet, they will make a difference.

Making a difference is all any of us can hope for in the coming year.

This article was revised on 11/24/2023 to be a little less cynical.

What Is Wrong with the CISO?
https://zenaciti.com/what-is-wrong-with-the-ciso/
Tue, 09 Aug 2022 18:17:56 +0000

What is wrong with Chief Information Security Officers (CISOs)? They are stressed, angry, and frustrated. What has CISOs so miserable?

What is wrong with CISOs?  They seem more stressed and angry than ever.  And the drinking!  I missed RSA last year, but the stories and social posts are soaked in alcohol.

I am not the only one noticing all these stressed out CISOs. Here are a few recent stories:

I spent time lurking in CISO hang outs recently.  I heard a lot of stories that all centered around a common adjective: frustration.  CISOs are under tremendous pressure to keep their organizations safe.  There is too much to do, too little time, and too few resources.  Moreover, the complexity of modern enterprises coupled with the persistent threat of ransomware attacks makes CISO jobs profoundly difficult.

However, frustration is only part of the story.  There is another adjective I heard frequently: hopeless. One CISO summed it up succinctly: “they blame me for everything that goes wrong.”

Yeah, I know how that feels.

Maybe this is why many CISOs get the title Chief No Officer slapped on them? Faced with hopeless odds of success, it is easier to say no than to fight to make things work. I used to think CISOs who did this were weak leaders. However, the more I hear them talk, the more I think they are stuck in a classic Kobayashi Maru (a no-win scenario). No matter what they do, they get blamed.

It works something like this:

  1. Company hires a new CISO
  2. The expectations are ludicrous:
    • Executives and board members expect the CISO to protect the business with absolute precision and perfection.
    • Other departments expect the CISO to implement security without disrupting any existing business functions.
    • Third party vendors expect the company to align with several intricate compliance regimens.
  3. The CISO implements a plan. There are two common outcomes:
    • The CISO implements effective security controls:
      • The controls fail, company gets hacked > CISO blamed and shamed
      • The controls work, but it causes other systems to fail > CISO blamed and shamed
      • They work, security becomes routine and dull. Executives wonder why the company spends so much on security > CISO blamed and shamed
    • The CISO is unsuccessful, security languishes:
      • Company hacked > CISO blamed and shamed
      • Company somehow does not get hacked, executives wonder why they have a CISO and no security controls > CISO blamed and shamed
      • Company fails a compliance audit > CISO blamed and shamed
  4. The CISO quits or is fired
  5. GOTO 1

There is no way to win. Mistakes in security (and technology as a whole) are common. Since many CISOs rose through the ranks from technical roles, not business schools or investment firms, they usually lack the skills to navigate the petty politics of organizations.

When people are trapped in situations where they feel they cannot succeed, they become bitter, resentful, and eventually give up. Why work hard when you will be blamed for every problem, whether you caused it or not? I once witnessed a company put their entire environment at risk, because a vice-president wanted to spite the security team for using a different cloud service provider. Eventually, the CISO tired of these antics and left the company.

It is unsurprising then that many CISOs feel frustrated and are quitting. With that in mind here are some ideas for CISOs stuck in a frustrating job:

  • Adapt Communications: Each person you interact with has a particular communication style. Take a moment to consider how people will listen to you more effectively.  Some people prefer to get right to the data, while others may require a gentler touch. Remember, you are responsible for being heard.  It is not the listener’s responsibility to understand you.
  • Stay Strategic: Play the long game.  Have a plan and stick to it. Avoid getting mired down in petty squabbles. Keep reiterating the value of security.
  • Snuff-out the Gaslighting: One way bad leaders distract CISOs is with irrelevant questions and faulty logic. For example, they may use anecdotal reasoning, where they recite some situation from their past and expect you to replicate that when you know it will not work. Listen, show respect, placate where necessary, but stick with your plan.
  • Arm Yourself with Data: When the blame starts flying, have data on your side.  Data might not save you, but it is a powerful weapon against the forces of idiocy.  Make sure goals, plans, and commitments are documented.
  • Stay Off the Range: Security is an easy target for developers, IT, finance, HR…everybody who needs a scapegoat.  Do not allow your team to be unprepared.  Be on top of your goals, metrics, and plans.
  • Hold Vendors and Service Providers Accountable: Do not allow the companies providing you products or services to skip out on their commitments.  If a vendor promises you something, get it in writing and require them to deliver.  This is how you can show strength, resolve, and discipline.  Be firm, do not be a jerk.
  • Battle the Bullies: You may have board members or executives who think they are security geniuses because they have money and authority.  These people are often deeply insecure bullies.  Keep your discussions with these people focused on threats.  Talk about the competition, ransomware, hacker groups, and all the catastrophes that will unfold if security is sidelined.  Bullies innately understand threat.
  • See and Sell a Brighter Future: It is difficult to scapegoat a person who speaks of a brighter, better, and more prosperous future. While you may need to pound the bullies on the board with fear, spread optimism, vision, and hope elsewhere.  Optimism is attractive.

While I cannot fault anybody for giving up when things feel hopeless, you must take something from each experience that helps you in the future.  You might not make a difference in every place you work, but every place you work, can make a difference for you.

However, I would urge all CISOs to hang in there. With persistence and perseverance, you can make a difference. Lastly, make sure you mentor and train others along the way. Leave your employer in a better place than when you got there. The people you mentor will support you.

Cloud Eats Security
https://zenaciti.com/cloud-eats-security/
Fri, 03 Dec 2021 00:10:19 +0000

Cloud providers, like AWS and Azure, and SaaS companies like ServiceNow and Salesforce are consuming the cybersecurity market.

The Unwinnable Game

Over the past 20 years, cybersecurity has played an unwinnable game. In this game, the attackers make all the rules, score all the points, and can quit anytime without losing.

Meanwhile, the defenders are encumbered with a cavalcade of rules, tools, and fools: insidious compliance rules that drag down progress, a messy assortment of security tools that never work together, and company executives that dismiss security as a nuisance inhibiting their success.

If you have ever had to implement enterprise information security you know that it is not merely difficult, it is profoundly difficult. However, what is the alternative? Companies must defend themselves. And so, security professionals diligently persevere. They buy new tech, hire more people, and fight enemies inside and out. After a while, the virtuousness of their perseverance becomes indistinguishable from insanity.

Beyond Human

The crux of this Unwinnable Game is that protecting modern IT systems exceeds human cognitive abilities. Information security, even for a modest sized organization, is insanely complex, volatile, and error-prone. This has left CISOs playing a game they can never win. See more about What is Wrong with CISOs.

If humans cannot handle security, then who or what can? Automation? Artificial Intelligence (AI)?

AI and automation both have tremendous potential to make security less complex and more reliable. Automation tools can repeatedly (and tirelessly) analyze data to identify outliers and potential attacks. AI can, theoretically, adapt to changing environments.

Unfortunately, these tools have massive hurdles to adoption.

First, implementing AI and automation is well beyond the technical capabilities of most security teams. Most security teams struggle to maintain basic hygiene. Expecting them to install, tune, and manage complex AI technologies is unrealistic.

Second, these tools demand standardization. Environments with disparate systems are impossible to automate and confound AI engines.

Lastly, AI engines demand vast amounts of data to build accurate propensity models. This means the engine must have both abnormal and normal data (and anything in between). Most security technologies discard or ignore normal data, favoring the abnormal. This is because the humans who manage those security products cannot handle the onslaught of both normal and abnormal data.

Introducing Platformization

This is the point when cloud providers, like AWS, Microsoft, and Google, as well as large SaaS providers, like Salesforce and ServiceNow, join the chat. Cloud providers have huge advantages in regard to automation and AI. They are skilled at taking technologies and processes, and transforming them into standardized, easy to implement, and automated services. AWS has the people, purpose, and scale to build AI engines. Mostly, cloud providers have a huge advantage over the point players, like CrowdStrike or Splunk. Cloud providers can see everything, normal and abnormal. This makes them a logical place to implement security.

The reason computing workloads are moved to the cloud is because the cloud providers simplify complex technology into standardized services. Cloud and SaaS have already consumed entire markets, such as email. Ten years ago, if you needed an email server, you had to set up, manage, and secure your own. Today, with a few clicks and a script you can have an enterprise class email system at Microsoft or Google, pre-configured and secured correctly. There are few reasons to run your own mail server these days.

Security is no longer an add-on product. It is inside the platforms companies already use.

The New Cloud Order

By 2030, security will be inside the platform, not outside it. These integrated services will extend out to endpoints and IoT devices as well. What we know today as the security industry, with thousands of vendors all selling point products, will dramatically change. It will be more about integrating capabilities into existing cloud and SaaS platforms.

This trend is already in motion. The impact of this shift will be felt far and wide. Some of the things we can expect include:

  • The demand for point security products will not disappear, rather it will move down-market to SMB and laggard industries that refuse to adopt the cloud.
  • The market valuations for security point solutions will decline as they run out of customers.
  • The demand for in-house security expertise will decline. With cloud services and AI doing much of the dirty work, in-house teams will have less to do. This will make the security roles less about twiddling with tools and more about managing risk posture throughout the organization. This will also fuel expansion in the managed security segment.
  • Since everything in the cloud can be automated through an API, a new class of value-added resellers will emerge: automation integrators. These providers will repackage automations between different providers. They will offer pre-built architectures, with your preferred vendors (like ServiceNow or Salesforce) pre-integrated. With a few clicks you will be able to build an entire enterprise infrastructure with everything tightly integrated.
  • The market for managed security service providers (MSSPs) will grow; however, they must adapt to work with the cloud. The traditional MSSP, with a big SOC managing hardware devices, will be less relevant. MSSPs will also move down-market into SMB environments. It will be less expensive and simpler for organizations to outsource security monitoring than to attempt it in-house.
  • Demand for stand-alone security awareness and application code scanning solutions will remain stable or increase. These services are difficult for cloud providers to adopt, due to their customized nature. However, security awareness training has already moved to cloud delivery. Likewise, most application code scanners have SaaS-delivered versions as well.
  • Hardware security products must refocus on access, with tight integration to cloud services. Many of the hardware vendors, like Palo Alto Networks and Fortinet, have already begun this transition.
  • Compliance will be devalued. Compliant environments can be built, certified, and authorized through automated means. Compliance bodies will resist this at first, but the cloud providers will strong-arm them into adopting it. You already see the beginnings of this, with the FedRAMP office pushing their standardized OSCAL language.
  • Multi-cloud will become more difficult as cloud providers find more ways to create lock-in strategies. This will also increase the need for automation integrators, which can smooth out multi-cloud adoption complexities.
  • Attacks and ransomware will shift focus to “softer” targets such as laptops and IoT devices.
  • AI engines will become increasingly capable at identifying new attacks. However, people will need to manage the response and remediation.
  • Automation will extend to remediation tools. Cleaning up an intrusion will no longer require expensive engagements with outside consultants. Rather, automation tools will gather evidence, wipe out affected systems, and rebuild from known-good repositories.
  • Risk management will become more important to companies, as they shift from a purely reactive approach to one of controlling risks.
  • Watch closely whom AWS, Azure, Google, Salesforce, ServiceNow, Oracle, SAP, etc. acquire. They will start vacuuming up technologies that will serve this change. AWS has already done a few.

Evidence

The evidence of this movement is already out there.

  • Microsoft Azure has its own Security Information and Event Management (SIEM) product: Sentinel.
  • AWS has rolled out GuardDuty and WAF, making a standalone WAF or IDS/IPS less relevant.
  • Google’s Chronicle integrates multiple security functions as well as some AI capabilities.
  • At re:Invent 2022, AWS announced Security Lake, a new SIEM product similar to Chronicle and Sentinel.
  • Google purchased Wiz, with the intention to integrate it into their cloud offerings.
  • AWS announced Security Agent, an AI-based vulnerability identification and remediation tool.

Counterpoints

Of course, this trend will encounter resistance from all those vendors. Just as hardware vendors ignored the writing on the wall in the early 2000s, so too will the sea of booths at RSA ignore the rising cloud waters around them. However, let’s consider some contrary points.

Cloud services are not as accurate or capable as dedicated point solutions.

This may be true, but it does not matter. The cost and complexity of implementing, optimizing, and managing point solutions are already higher than those of adopting cloud-native tools. Moreover, the quality of a product is largely irrelevant in the grand scheme of protecting a business. Most of the companies that experienced a large data breach possessed cutting-edge security technologies. It is not the technology that protects a company; it is how the technology is implemented, managed, and monitored.

Cloud providers are incentivized to ignore or cover up security problems. You cannot have the fox guarding the henhouse!

Pushing the farm clichés aside, this is untrue. Cloud providers are under tremendous legal, regulatory, and reputational pressure to secure their services. For example, a few years back AWS took heat for customers with public S3 buckets. Even though this is a legitimate configuration, and customers are entirely responsible for setting this access, AWS still implemented improvements to lock down S3 buckets even more.

Furthermore, if you are going to entrust the entirety of your company’s data and processing to AWS, why can you not trust their security? Lastly, cloud providers are deeply incentivized to protect customers’ workloads for one less savory reason: lock-in. If a cloud platform is consistently having security issues, customers will leave and move to a competitor’s platform.

This is monopolistic. Many organizations will reject using cloud-native security tools, leaving a market for point-solution vendors.

Yes, some companies will resist; however, this will not stop the cloud providers. Those companies that resist will be at a disadvantage. Security today is insanely inefficient and error-prone precisely because there are too many tools that are difficult to interoperate. Automating and standardizing security is the only way to contain this expanding inefficiency. Those companies that resist will lose the efficiency and effectiveness gains of those companies that do adopt the cloud-native security tools.

The follow-on question for this is: at what point do the cloud providers transform from merely providing a compute service to being a utility? Where are the limits of their reach? That is a larger, complex question for another article.

Conclusion

Information security is stuck playing a game it will never win. However, unlike the sage wisdom of WarGames, which suggested the only winning move is not to play, we do not have that choice. We must defend our data, our infrastructure, and our nations from cyberattacks.

Information security teams can win this game if they leave defense to the robots. Only automation can adapt, react, and protect at the scale necessary to defend an enterprise. And only the cloud providers have the scale, resources, and motivation to be able to build these robots effectively.

This was originally published in December 2021 and revised a few times since then.

6 Reasons Unpatched Software Persists in the Enterprise https://zenaciti.com/6-reasons-unpatched-software-persists-in-the-enterprise/ Wed, 27 Oct 2021 22:17:40 +0000 https://www.zenaciti.com/?p=585 Patching is like flossing -- everyone knows they should do it, yet too few do it often and well. Explore why unpatched software is still ubiquitous, despite the risks.

Patching is like flossing — everyone knows they should do it, yet too few do it often and well. Explore why unpatched software is still ubiquitous, despite the risks.

Zenaciti’s CEO Andrew Plato is quoted.

Read the full article at Search Security.

 
