Just watched the Tom Field, Steve Katz “interview.”
I might have identified one or two new threats or changes to the environment. Not sure I would do anything different as a result of what I heard. We need drastic changes to security to address the applications and environments that Steve described. I used to believe that risk increased in proportion to use, uses, and users but now it is increasing exponentially. We are around the knee of the “hockey stick” curve. Doing the same things harder is not cutting it.
We need strong authentication, adaptive authentication, federated identity, end-to-end application-layer encryption (Network Defined Security) (“zero trust”), “least privilege” access control (or at least “read-only” or “execute-only”), multi-party controls for sensitive capabilities, strong accountability and control for privileged users (PAM), and greatly improved proactive threat detection. We need out-of-band confirmations and alerts for all transactions, many data changes, and some uses. We need document management systems for intellectual property. Some enterprises may be doing one or two of these; almost none are doing all of them.
See my interview with Peter Denning. https://dl.acm.org/citation.cfm?doid=3314328.3306614