Threat actors and threat agents are just continuing to advance what they were doing. By and large, the sad part is, we've all been using such crappy controls that the industry has sold us for years, and marketed as something that would solve the problem, that all the bad guys need to do is a little tweak to their attack vectors in order to get through most corporations. It's basically a rinse, wash, repeat cycle for most attacks today, on consumers, or on enterprises. So, unfortunately, on that side of it, not a whole lot has changed, because we've frankly done a pretty crappy job of protecting our organizations.
When you go to the information asset cycle of it, the usage models have certainly changed a lot. We've got the explosion of Internet of Things, more device types, more applications, and growing proliferation of bring-your-own-device, or bring-your-own-application, or bring-your-own-cloud. So that attack surface continues to evolve and change.
Now the good side is, some portions of the security industry have certainly evolved. I've started seeing an innovation cycle in the startup areas, of people trying to approach things differently. You've got automated penetration testing. The problem is, we're doing it in such an ineffective, inefficient fashion, we're creating our own economic burden, and then we can't actually go and solve the problems that are found from it. You've got companies that are doing a good job (SafeBreach is one of them) of automated penetration testing, automated controls validation, etc. I say, strip the labor away. Make it more effective and more efficient to do control validation. There are companies that are improving the security development life cycle and privacy by design by creating a level of automation to build containers. They're building them in a verifiably secure and compliant way that speeds up the development process, making it way less vulnerable.
I'm really excited about the innovation cycle that's happening, and hoping that the Cylances of the world, the SafeBreaches of the world, and some of the other companies upend and put out of business the rest of the security industry.
Layers of security from MFA, patching, SIEM, etc… all the way to user education. Plan for the worst (reliable backups and DR) as you continually harden systems, applications, devices and processes. Can’t do everything as at some point you slow down the business and that’s not going to go well. Keep up on latest threats and especially those in your specific industry. Disable anything not needed. If you have a VP that insists on using something crazy like XP then call that out during the next Risk Assessment and have the Steering Committee and that VP approve the risk. Odds are they will approve the solution instead.