From an information security perspective, 2015 was a headline-making year, and not in a good way. Major breaches occurred at healthcare insurance companies, an online dating site, financial firms, and government agencies including the FBI. The challenges facing security pros are daunting. These are a few of the things they need to make their jobs easier:
• Integrated security tools.
There are plenty of security products out there, including firewalls, intrusion detection systems, data loss prevention tools, threat feeds, and security information and event management products, but they mostly provide independent services. Security pros wish for integrated tools that would provide a comprehensive view of the network security posture and work together to address threats.
• Increased security awareness.
Security doesn't make money for companies, so it often gets little attention—and money—until after a problem has occurred. Security pros wish consciousness of the importance of security would penetrate the entire business hierarchy, from the boardroom where strategic funding decisions are made to the lowest-level employees who are vulnerable to phishing and social engineering attacks.
• Security implemented throughout the technology stack.
It's no longer possible to secure corporate data by securing the network. Security needs to be built into applications and databases to defend against attacks that originate from within the network. Security concerns should be part of an application's earliest design phases, not an afterthought ineffectually bolted on at the tail end of the development process.
• Security focused on major risks.
It's impossible to provide effective security when you don't know where the biggest risks are. Companies need to perform risk analysis to understand which data is being used by which applications and where that data is being stored. Then security efforts can focus on protecting sensitive data which would do the greatest harm if exposed, rather than applying equal levels of protection across all applications regardless of risk.
• More security engineers.
There's a shortage of security professionals, so even when a business is committed to investing in security, it's hard to find employees with the skills to implement the necessary tools and policies. Engineers with solid training and up-to-date security certifications will find plenty of opportunity in the new year.