17 February, 2017
The next post in our series highlighting our 2017 Cybersecurity Predictions introduces our prediction about the prevalence of red team testing. Red team tests are simulated cyber attacks intended to assess a company’s ability to detect and respond in a real-world scenario. Typically performed without the knowledge of the broader security team, red team testing covers not only network and application breaches, but can involve social engineering and physical security attacks as well.
Increased pressure from regulators worldwide will push in-house red teaming capabilities to accelerate in 2017, and companies that are not in the cyber business will face a different challenge: recruiting, motivating, and retaining highly technical cyber talent to keep their red teams at the forefront of cybersecurity. This push will likely first occur in financial hubs such as Hong Kong, Singapore, the EU, and even the United States.
In 2016, we predicted a boardroom shuffle in response to regulatory pressure. While policies and regulations continue to be discussed this year, we predict that red teaming will widely become the regulatory gold standard for the financial services industry, as it currently is in regions such as the UK. We also predict this will push adjacent industries that support financial services, such as telecommunications, to adopt this standard as best practice.
Additionally, we expect this increased regulatory focus to drive and facilitate an uptick in companies creating in-house security capabilities beyond the financial sector, for example, in the critical infrastructure and healthcare industries. Companies in sectors that already conduct adversarial testing in other areas, such as the energy sector assessing the vulnerability of their pipelines and other physical infrastructure, will conduct more cyber-focused red team testing. Outside regulated industries, first movers in sectors such as retail will tackle cyber risk with red teaming for the same reason – to understand their susceptibility to Advanced Persistent Threat (APT) actors.
Specifically, the threat of large-scale APT and nation-state attacks on regulated sectors will spur regulators to explore mandating policies on intelligence-led testing frameworks much like the Bank of England’s CBEST program. Launched in the UK in 2015, the CBEST vulnerability testing program is designed to identify areas where organizations in the financial services sector could be vulnerable to sophisticated cyberattacks[1]. The model provides testing scenarios that are based on realistic situations, derived from current threat intelligence.
Building red teaming capabilities and best practices will not come without challenges, however, as resource pools are shallow for frontline protection. It is predicted that there will be a shortage of two million cybersecurity jobs worldwide this coming year[2]. While leading universities are introducing academic programs and scholarships to close this talent gap, classroom training in red teaming will not be enough. Even from military and intelligence training programs, the number of individuals trained in the area remains small, and the strongest red teamers have deep practical and technical experience in the field.
As demand for these types of specialized security services increases, buyer organizations will need to be informed about the skills and expertise that a genuine provider should be equipped to offer. They will need to be discerning as some providers attempt to market standard security assessments as red teaming products. The most valuable external providers will be able to offer outsourced red teaming services, and also share their expertise in setting up and supporting internal capabilities.
BOTTOM LINE:
In 2017, regulatory pressure on financial institutions to conduct red teaming will spark an uptick in the number of organizations across sectors establishing programs and bringing these capabilities in-house. To meet the demand for these skills, there will be a concerted effort to build new marketplace strategies and education programs to strengthen the talent pool. Companies will face pressure to retain talent as forward-thinking competitors will be aggressively seeking out security professionals with this skillset.
[1] Bank of England, CBEST Vulnerability Testing Framework Launch. http://www.bankofengland.co.uk/financialstability/fsc/Pages/cbest.
[2] Raytheon, “Securing Our Future: Closing the Cyber Talent Gap”, October 2015. http://www.raytheoncyber.com/rtnwcm/groups/cyber/documents/
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com
Bill Sims, Managing Director, Stroz Friedberg
bsims@strozfriedberg.com





