Each year opens a new Pandora’s Box for the security industry, with a slew of never-before-seen evil wonders that can throw anyone not prepared for a loop. That’s why risk management is so critical in our field – since we can’t know what’s to come, we need to prepare as best we can before that worst-case scenario happens. If you’re not a security expert, though, it can be difficult to figure out where to spend your energy over the year in terms of securing your organization.

To help give a bit of perspective to what top security experts are gearing up for this year, we asked eight of the world’s top security experts in various roles, including a pentester, several CISOs, a secure developer, a security engineer and an international speaker on security topics, to share their thoughts with us.

From Internet of Things insecurity to malware and ransomware to Europe’s General Data Protection Regulation and the ever-persistent XSS , here are some of the world’s top security experts with what keeps them up at night and what they’re planning on focusing this year in the world of security.

Troy Hunt, Microsoft MVP for Developer Security, Pluralsight author and international speaker

@troyhunt

“My top concern is that there’s not enough recourse post-breach to force companies to better protect their data. When we look back at 2015, we saw an absolute flood of breaches – very major ones – and bar the reputation damage and cost of remediation, there’s little else that actually impacts the organisation’s bottom line.

In 2016, I’d like to see legislative steps towards greater accountability; if an organisation does a poor job of their security and it adversely impacts consumers, they need to get hit where it hurts. Hopefully 2016 will take steps in this direction and force organisations to lift their game.”



Phil Cracknell, Director at Info-Secure Ltd. and Security & Risk Advisor at the Arriva Group

@pcracknell

My concerns: The “GDPR (the General Data Protection Regulation currently underway in the EU) and the forthcoming impact of it is certainly [going to be big this year].

Also, supply chain and security awareness remain high on my list!”

Josh Sokol, Information Security Program Owner at National Instruments and Creator of SimpleRisk

@joshsokol

“My biggest priority for 2016 is figuring out a better way to combat the large volumes of malware being hurled at us on a daily basis.”

Related: Read our interview with Josh on SimpleRisk and risk management here!



Mark Goodwin, Security Engineer at Mozilla

@mr_goodwin

Personally, I’m not looking forward to a world where I have to worry about security holes in my underwear.

— Mark Goodwin (@mr_goodwin) January 7, 2016

“To explain; we’re used to building things and then worrying about how to secure them later. This, combined with the proliferation of connected devices, is scary. See the Android security story for how badly this can work for connected consumer electronics. Take this problem, multiply by the number of internet-of-fridges / toasters / underwear / whatever else people will buy, and we’re in for a fun time.”

Ashar Javed, AppSec Expert at Hyundai Autoever Europe

@soaj1664ashar

“Nowadays I am working for automotive giants and our main concern now is to stop Malware and Advanced Persistent Threats (APTs) and minimize insider threats. We receive thousands of infiltration attempts every month. By keeping these things in mind, we have different solutions in place.

Considering my personal interest [in AppSec], I am focusing on XSS and work closely with developers so that we can at least eliminate [cross-site scripting] from our web properties. The problem with XSS is that there is no universal panacea for this epidemic. By keeping in mind business pressure and upcoming requirements, developers often introduce this bug in the code. It would be great if in 2016, we raise the bar for the attacker as far as XSS is concerned. Let’s see how far I can proceed, given the word “change” is not in the dictionary of Fortune 500 companies, although there are exceptions.”

Pierluigi Paganini, CISO at Bit4 Ltd. and Security Blogger at SecurityAffairs.com

@securityaffairs

“It is very easy to predict a significant increase in the number of cyber attacks targeting almost every industry. Among the phenomena that will characterize the next 12 months there will be for sure the consolidation of extortion as a criminal practice in the criminal ecosystem.

We will observe an increasing number of financially motivated cyber attacks that will rely on ransomware and DDoS attacks to extort money to the victims. The practice of the extortion will target new paradigms like the IoT (Internet of Things), for example by deploying a new category of ransomware specifically designed to infect Internet-connected devices, such as Smart TVs and wearables.

In 2016, we will see the consolidation of the model known as criminal-as-a-service, a growing number of cyber criminals and cyber mercenaries will offer their services to criminal syndicates that intend to invest in cybercrime, but don’t have the necessary skills.

The cyber espionage continues to be the first threat to the global economy, we will see a growing number of nation-state attacks that will target government entities and private companies. These attacks will be even more sophisticated and will target critical industries like the energy and IT sectors.”

Neira Jones, Independent Advisor and International Speaker

@neirajones

“Connect All The Things: Yes, with CES 2016 bringing us the usual amazing innovations, adding to all the noise about the IoT and wearables and creating new concepts such as “Pay-By Fridge”, security professionals will have their work cut out! Expect more innovations in IoT Security, from securing the devices to better authentication, with everything in between…

We suddenly realize we all have ears (and eyes, and sensors, etc.): going with the old adage of “there is strength in numbers”, I think we will see further developments in threat intelligence, with more cooperation within and across industries and law enforcement. This in turn will bring more consolidation in this market space.

‘Men are so simple and yield so readily to the desires of the moment that he who will trick will always find another who will suffer to be tricked’ – Niccolo Machiavelli, circa 1532

It is undeniable that 2015 was the year of social engineering! As we get better at protecting the perimeter, criminals have been very successful in obtaining legitimate credentials and creating havoc in all market sectors. Whilst we have seen a few companies concentrating on raising awareness and many organisation testing out their staff, I think 2016 will bring about more innovations in the area of behavioral analytics and deception technologies (yes, I know, honey pots have been around for a while, but some cool stuff is happening around deception). I also see quite a lot happening around monitoring and analyzing social media networks and behaviors (this incidentally will be further compounded by the explosion in fintech and we’ll all suddenly realize that the more digital we become, the more data floats about, and the more risk we face…). And one more thing: as email, despite many predictions, shows no sign of dying anytime soon, we’ll start addressing email deliverability, authentication and security, with DMARC, DKIM and SPF playing a big role.

Don’t worry, be API… Yes, everyone is at it, from banks partnering with innovative start-ups to governments making SDKs available to developers. We have entered the API economy. And whilst everyone races to integrate with everyone else to make the consumer experience ever more extraordinary, we all too often forget that APIs need to be protected like everything else. API security will start to come to the fore in 2016 (well, I wish it would!), but in the meantime, we’ll continue to see more tech coming in the area of mobile security and authentication, especially biometrics.

Regulate this and regulate that… From the EU GDPR to the EU Payments Services Directive II (PSD II), we will all be forced into better security one way or the other, lest it hits us in the pocket… Indeed, with PSD II, we have seen a set a financial services regulations that not only concerned itself with fraud (and all the other good things that finance types are concerned with, such as competition, capital adequacy, consumer protection, etc.) but also, for the first time, with 1) information security and 2) stringent requirements in authentication. So here’s my prediction: fraud prevention and information security will converge more and more. I have been an advocate of this for many years, but don’t take my word for it: already, both Visa and MasterCard have made moves in that direction by combining fraud prevention and traditional threat intelligence… More of this please!

That Three Legged Stool Is A Bit Wobbly… Of course, I am talking about our beloved triad: CIA (Confidentiality, Integrity, Availability). We’ve been pretty good at the C and the A, but the I has somewhat traditionally been left behind… Let’s face it, nowadays, criminals are not only after stealing data, they have the capabilities to change it to manipulate markets and economies… So come on, let’s start looking inside our own walls and not assume it’s safe in there, you never know who’s lurking there…”

Gary Hayslip, Deputy Director & CISO of the City of San Diego

@ghayslip

“My greatest concern right now is with the rate of change in technologies for a Smart City. Simply put, city networks are messy and there is inherent risk with the interwoven technologies most cities have deployed to provide services to their citizens.

As a CISO I am highly concerned at how quickly technology is changing and being added to this disparate portfolio as I try to manage the overall cyber/risk picture. As a CISO you want to provide the best service to your customers, however some of these technologies are so new it is hard to assess their true impact on the organization if you find out later there was an unforeseen security gap in the technologies code. So for 2016 my greatest fear is the assessing risk of new technologies that my Smart City wants to deploy.”

What are your top concerns for AppSec this year? Comment below!