This time of year, we tend to get pensive about what happened over the past 12 months and what the prospects look like for the new year. When it comes to the cybersecurity market, this means we have a lot to think about! There is no doubt 2017 was a headline-making year.
There were numerous, very public ransomware attacks, forcing companies of all sizes to pay to unlock their data and resume their operations (ransomware damages are expected to eclipse $5 billion this year). We saw the proliferation and evolution of phishing attacks that continue to evade secure email gateways and spam filters to trick users into clicking links, downloading files, etc. that mark the start of an attacker’s onslaught (IRONSCALES estimates up to 95% of all successful cyberattacks start with phishing). And we can’t forget the high-profile breaches of OneLogin, the ripple effects of which are still unknown, and Equifax, which exposed the records of approximately 143 million consumers.
The reality of this threat landscape, the damage of which is expected to cost businesses worldwide $6 trillion annually by 2021, has put cybersecurity on a new trajectory. Instead of being a checkbox item, where organizations implement only what they must to appease regulators and prevent being seen as negligent, cybersecurity has become a strategic initiative. It’s become a staple in the boardroom and an integrated component (even driver) of the overall IT plan. It’s no longer a line-item operational expense; rather, it’s an initiative of strategic importance that can add value to the bottom line and deliver a competitive advantage to the business.
As a result, Gartner expects information security (a subset of cybersecurity) spending to hit $86.4 billion in 2017, with global spending on cybersecurity products and services predicted to exceed $1 trillion over the next five years, from 2017 to 2021. So, what will be the driving or influencing factors for this spending? My top three thoughts on what to consider in 2018 follow:
- Attacks will continue to increase in number and sophistication.
The threat landscape continues to evolve, requiring organizations to look at new cybersecurity technologies that can better adapt and evolve to defend against the advanced, ever-morphing tactics hackers are using. Of course, there is no silver bullet, no single solution available to make an organization impermeable to attack.
Adding a number of point products to bolster defenses, however, isn’t the answer. Individual solutions that provide protection against specific threats aren’t going to deliver the return on investment that they should – primarily because organizations don’t have the resources needed to deploy, manage and maintain all these different solutions.
Instead, to be effective, organizations need to look at cybersecurity holistically. Cybersecurity must be integrated into all their policies, processes and decisions. To achieve this, organizations should look for expandable platforms that can help them maintain a consistent security stance across all their cloud, on-premises and remote site environments, not to mention all their distributed endpoints and things (IoT). This includes picking vendors and cloud providers that share the responsibility and are willing to work with the organization to ensure security measures and controls can be implemented at all layers/levels.
- The skills shortage needs to be addressed.
A quick look at the numbers shows how hard it’s going to be for organizations to keep pace with all the threats they are facing. Cybersecurity expertise is hard to acquire – by 2021, it’s predicted there will be 3.5 million unfilled cybersecurity positions – which means organizations need to be smarter about how they apply their resources and take steps to enhance the skills and expertise of their existing staff.
Automation and artificial intelligence (AI), which have played around the edges of cybersecurity for years, are going to need to be realized. Cybersecurity solutions must start pushing the boundaries and incorporating automation/AI in a much bigger way. The goal is to empower every IT worker, not just cybersecurity experts, to take the necessary steps to defend the organization’s data, applications, devices and people. The right automation/AI can eliminate tedious, manual tasks that consume precious resources, and simplify the orchestration of cybersecurity responses to improve the overall strength and agility of the organization’s security, while reducing operational costs.
Managed services that can effectively augment and fill gaps in an organization’s resources are likely also going to gain in prominence. I have written in the past about the role managed services can play in an organization’s cybersecurity strategy and believe, going forward, it’s only going to grow in relevance.
- Data privacy will be king.
On May 25, 2018, the world of data privacy changes. That’s when the European Union’s (EU) General Data Protection Regulation (GDPR) takes effect. It will serve as an update to current laws, adding to the matrix of existing regional and industry-specific regulations – e.g. Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Financial Industry Regulatory Authority (FINRA) guidelines, U.S. Managing Government Records Directive, etc.
These laws aim to hold organizations accountable for their actions and ensure effective protections are in place to protect against damaging breaches and data leaks. Any organization that processes or stores any personal data, in the EU, or personally identifiable information (PII), in the U.S., is obligated by the appropriate regulatory body to provide better controls and transparency – that’s basically everyone.
As a result, 2018 might go down as the year that organizations get serious about data privacy, which means they will need to get serious about achieving full visibility and applying consistent controls across their distributed on-premises, public and private cloud environments. Failure to comply can result in steep fines and even the halting of business operations in certain areas – companies that do not follow the new GDPR law could face strict penalties and fines of up to 4% of global turnover (in the previous financial year).
Overall, I expect we will see more interest, investment, accountability and transparency in cybersecurity, in 2018 and beyond. As you move forward, make sure you have the trusted partners that can help you develop a holistic strategy and provide the know-how and resources you are going to need to support your business and compliance objectives, today and in the future. Remember we are always here – we are seeing it all and are ready to help.