Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Stephen Moore, Chief Security Strategist at Exabeam
The changing face of cyber security in 2018 and beyond
Recent high-profile cyber attacks have made it clear that having robust cyber security policies, technologies and processes isn't a luxury, it's an absolute necessity. But where and how IT security fits in many organisations continues to be a subject of ongoing debate:
- What role does the CISO need to have and who should they report to?
- Do organisations even need a CISO any more?
- Should cyber security sit independent of IT?
- Where should the IT security budget come from?
Such questions have played a key role in shaping the evolution of cyber security in recent years. Fortunately, signs are now emerging that suggest the cyber security industry is starting to mature, taking a more strategic, business-focused outlook. Many of these changes will show up in the way business views the cyber security function, particularly its management and how it can be turned into an enabler, rather than a burden. Here are three ways the industry will evolve in 2018:
1) The role of the CISO will change
Since its inception, the true role of the CISO has been the topic of hot debate. Are they legitimate influencers and C-suite members, or just sacrificial lambs in the event of a security breach? In recent times, we have started to see fewer CISOs reporting into the CIO (as is the traditional approach) and instead the role has become both more independent and more strategic within the organisation. A key driver is the fact that cyber security is now on the boardroom agenda in its own right, instead of being incorporated under 'general IT issues to deal with'. As part of this, the CISO is finally becoming the focal point of all security messaging coming out of many organisations, as opposed to via C-suite "proxies" such as the CIO or CTO, which were previously relied on for such communications.
2) More cyber security experts will enter the boardroom
As the role of security grows increasingly important in the boardroom, expect to see a growing number of boards invest more heavily in recruiting the services of technical experts and consultants, both as voting members and advisors to lead board subcommittees. The subject of security risk will then become an increasingly hot potato during all potential M&A discussions, with poor security practices likely to cost organisations dearly. As part of this, a more cyber-aware board will take a far greater interest in any security investments made, and put more pressure on security teams to produce tangible results.
3) Security perceptions will change, with focus on enablement
Nearly every organisation around the world understands the importance of robust data protection. But while security used to be seen as a burden, sales teams will now begin to use strong internal security programs as a sales tool in their own right. Not only can effectively communicating a strong security policy help to attract new customers, it also becomes a key weapon in retaining existing ones. Wise security leaders are realising the importance of correctly marketing security to prospects and are starting to use specialist communications staff to support the sales team in this respect. What's more, the use of third-party risk evaluations will continue to increase, as CISOs look to give greater validity to existing security practices and leverage them effectively through sales.
The growing acknowledgement of the importance of cyber security at all levels of business is good news for everyone. Not only has it put security firmly on the boardroom agenda, it has also forced the security industry to look at ways to change its perception and become a more integral, accepted part of business operations.
About the Author
Steve Moore is Vice President and Chief Security Strategist at security intelligence company Exabeam. In his role, Steve helps drive solutions for threat detection and response, as well as advise customers in breach management and program development. He brings deep experience working with legal, privacy and audit staff to improve cybersecurity. Prior to joining Exabeam, Moore spent more than seven years at the US healthcare company Anthem, in a variety of cyber security practitioner and leadership roles, most recently as the Staff Vice President of Cyber Security Analytics.