The current worldwide attack from WannaCry is going to have lasting impact for information security. The question is: what will that be and who will benefit? In this blog post I will take a contrarian viewpoint and suggest that it will not be beneficial to security practitioners or security businesses. I think business leaders, who fund security programs, will take alternative approaches to mitigating this risk.
At present, we have over 1600 security firms offering solutions to attacks like WannaCry. Unfortunately, this patchwork quilt mitigation approach isn’t working. Not because of the security firms, but because there are too many potential leaks in the ship to manage. So, I predict that business leaders will change ships and increasingly move legacy systems and new systems into the cloud. This is already happening and incidents like WannaCry will accelerate it. No business person is going to upgrade XP systems to Windows 2016, when they can hand over security responsibility to someone else. Of course, security is still a joint responsibility, but the optics make it look like the cloud vendor owns it. For a good summary of cloud growth trends today check out Forbes here. The consensus summary for cloud growth is 18-19% per year through 2020!The other beneficiary will be the cyber insurance industry, especially in areas hardest hit. WannaCry brings cyber remediation costs to the attention of the board. Board members understand enterprise risk and insurance mitigation. They don’t understand the technical details of ransomware and phishing attacks. But before cyber insurance takes off we will need a common language to describe risk. The NIST Cyber Security Framework (CSF) represents such a framework. The new Cybersecurity EO requires that Federal Agencies utilize the CSF. If this moves in broader use in private industry, we will have a basis for stronger insurance mitigation of cyber risks. Security professionals need to understand the benefits and limitations of these insurance policies and include them as an active part of threat mitigation.