Infosec's wish list for 2016

Wishing

Information Security is one of the fastest-growing and most dynamic fields in technology, due to the increasing sophistication of attacks and the interesting new challenges facing InfoSec professionals. As we approach 2016, several security experts provided their InfoSec Wish List for the new year. Some experts wish for the cyber equivalent of world peace, while others are just hoping for their digital Red Ryder air rifle.

Real accountability

Dr. Chase Cunningham, Director of Cyber Threat Research and Innovation, Armor: I wish that boards and higher leadership would actually hold companies and their leaders accountable for their negligent actions in not securing their infrastructure and ignoring the advice and experiences from years of data breaches. It's time for pain and punishment to be real in the industry -- no more huge breach announcements and then just waiting until things go away.

A true username/password replacement

Morey Haber, VP of Technology, BeyondTrust: While no viable solution exists yet to solve this problem, biometric authentication is being positioned as the Holy Grail to bury this legacy approach to authorization and authentication. This approach could have massive security ramifications if the biometric data itself is ever compromised, as in the OPM breach. A method to validate a person and their permissions without the risk of biometric data loss would solve many of the data breach problems we have been experiencing.

Encrypt everything of value

Joey Peloquin, Sr. Manager, Threat and Vulnerability Management, Citrix: The next best thing to preventing attackers from compromising the environment is removing access to the goal or objective of their mission: usually an organization’s data. Organizations can jump off the hamster wheel of APT and targeted attack whack-a-mole by first determining what they prize most (again, usually data), and then encrypting it, while properly managing authorized access and usage of it. Without the threat of losing the crown jewels looming over security practitioners, they can focus on moving the security program’s proverbial ball forward.

Less easy targets

Steve McGregory, Director of Application and Threat Intelligence, Ixia: We need to ensure that our security defenses are tough enough to withstand the script kiddies or hackers looking for the low-hanging fruit. Give us a deep understanding of what is in our network and clear visibility so we can quickly identify an advanced or targeted attack that can compromise our network; i.e., protect our corporate assets.

A patch for the PEBKAC bug

Ryan Olson, Unit 42’s Director of Threat Intelligence, Palo Alto Networks: Despite years of warnings and training, users continue to click on e-mail links and attachments which result in their systems getting infected with malware and their credentials falling into the hands of attackers. A patch for this “Problem Exists Between Chair and Keyboard” problem would eliminate one of the primary vectors used to infiltrate our networks.

More efficient ticketing platforms

Tom Gorup, Security Operations Manager, Rook Security: A ticketing platform that makes life easier on my analysts as well as myself. Current ticketing systems just don't have what it takes to ease the burden on security analysts, directors, or CSOs. The granular metrics and reporting are lacking in most platforms, especially if you're looking to identify increased efficiency from process changes. Even more so if you're trying to build in automation to create that efficiency, like one-click blocks, easy research, and other areas of opportunity for automation.

Appropriate InfoSec budgets

Jeremiah Grossman, Founder, WhiteHat Security: InfoSec needs to more closely align its scarce resources with how IT invests in the business. For example, if 10% of IT’s budget goes to building networks, then InfoSec should spend 10% of its budget protecting the network. If IT spends 50% on software, InfoSec should spend 50% on software security.