For me the Top 3 will be:
1. Data breach is the "new normal"
- The question now is not could or might, rather when.
- Are you prepared for it? How is your Cyber Security incident response plan?
- Many large organisations can absorboperational costs related to data breaches, but how about costs to reputation and brand damage? Reputation risks must be integrated into risk management process.
- Become part of cyber security defense/intel sharing community - we cannot fight cybercrime alone
- Share the 0 days that attacked you. 0 days have less value when they are known to public
- Have deterrence policies and tactics. Tell attackers what could happen to them but be careful not to send a wrong signal (e.g. taunting)
2. DevOps is coming and will prevail
- Developers will be the one doing operations making "segregation of duties" principle a challenge.
- Information security folks need to adjust to it. Like it or not, more and more businesses are doing this due to adoption of Agile software developments. It does not make business sense if DevOps can spin a server and app in a day or two but Security needs 2 weeks to review it
- Adjust, adapt, get involve earlier or we will be "bypassed
- Why not share information security budget with other department if it helps to address security weaknesses? Think of the "win-win" situation.
- Enterprises are moving more solutions and services to Cloud. Be it software, platform or infrastructure
- Cloud vendors are growing like mushrooms
- Vendor risk assessments are becoming more important than ever. Ensure you have one before engaging any cloud vendors. Be careful and do not rush, especially if we are talking about security tools. New vendor may have great ideas and technologies but are they strong enough to last?
Be prepared for Internet of Things (IoT)
- It might not become a big thing soon but it certainly walking towards it. Smart fridge, Smart Car, Smart Aircon, Smart Oven will all be connected together and if exploited, could allow adversaries physical alike access. We can't stop IoT from happening. The challenge will be how to make it secure?