Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Joe Kucic, Chief Security Officer at Cavirin
Transforming the Cybersecurity Boundary
As new technologies empower
cybersecurity to extend the enterprise boundary while consistently reducing
overall infrastructure operating costs, we expect business executives to embrace
cybersecurity in 2019 as a primary business responsibility and not simply a
"technology issue". We also expect new federal and state laws and regulatory
guidelines to improve privacy protections and reduce exposure to state-sponsored
attacks.
Similarly, government and
commercial entities will continue their push to strategically reposition
technology services as vendor-managed services, while transitioning primary
responsibility for IT to business operations units. In turn, cyber/information security
will transform from a technology function to a legal function.
Cybersecurity is not IT's responsibility
Business executives have
dedicated resources for Legal, Marketing, Operations, and Sales functions. Even
though IT is increasingly integral to the business, they often have to fight
for resources across units. Corporate IT guidelines and requirements tend to
impede the flexibility needed to drive strategic initiatives. When new business
unit initiatives depend on technology involvement, that unit should fund,
manage, and monitor the IT resources. Moreover, they should also take cybersecurity
ownership because they understand the potential risks and impacts involved.
Since the introduction of the
first US Privacy Law (Gramm-Leach-Bliley Act), the technology paradigm has
changed remarkably. While States have started to enact new legislation designed
to protect their constituents against the risks inherent in new business models
and technology mediums, if these risks are not addressed at the federal level,
significant gaps will remain. I expect that individual privacy protections will
be expanded and higher penalties imposed, reflecting GDPR influence. These new
laws will shape the type and scope of changes we need to implement in current
operations models. If addressed correctly, these changes could transform an
organization's technology and cybersecurity posture over the next year.
Cybersecurity should transform how you operate
The US is privileged to
have an abundance of resources for designing and manufacturing technology
within its borders. Given the threats from state-sponsored hackers and recent
acts of sabotage and espionage involving technology embedded in hardware, we
expect that critical infrastructure businesses and their suppliers will increasingly
be required to produce and source their technology within the US.
This shift, coupled with
new cybersecurity and privacy laws and regulations, will create a unique opportunity
for US businesses to undertake massive technology upgrades and replacements. In
addition, many US businesses have healthy cash reserves and access to low
interest rates. It's an ideal time to leverage these to expand competitive
advantage, address human resource shortages, and lower operating costs.
Technology-as-a-Service is
here to stay. Cloud Service Providers will continue to expand their position
but will face new competitors as most established technology providers become
their own CSPs. In the near future, it will be rare for any business to
purchase services from only one solution provider. This continued trend will
make cybersecurity more central to the business executive's mandate.
Companies will need a new,
business-centric approach to managing hybrid and multi-cloud solutions consistently
across the enterprise and routinely providing cyber risk posture reports to
leadership. Based on legislative and regulatory changes, transformative
technology investments, and the need for agile resources, 2019 is the ideal
time to accelerate transitions to the cloud. This transition is a fundamental
step towards addressing cybersecurity risks via coordinated efforts throughout
the extended enterprise instead of siloed internal IT programs.
Cybersecurity belongs in the GC's office
Cybersecurity breaches are
a major business event, and should be shielded through client-attorney privilege.
This is best achieved by having the Chief Information Security Officer (CISO)
and his direct team report to the Chief Legal Officer (General Counsel). This
arrangement protects all entities hired to support cybersecurity activities
under client-attorney privilege as well. In the past, the CISO was either hampered
by poor visibility into overall company risk profile and/or financial restrictions
on technology initiatives. These limitations were the result of reporting to
the CIO or CFO, who inherently view trade-offs differently (but have often
severely underestimated brand risk and/or legal liability).
Requiring input and
acceptance from the Chief Legal Officer will be a natural transformation as
technology oversight moves to business units and more IT services are provided
by external suppliers. We can predict with certainty that patch management will
improve tremendously when the business executive and/or supplier has to
regularly update legal regarding business exposure assessments.
Cybersecurity has to stretch to the edge of human understanding
New advances in technology (quantum computing, artificial neural networks,
generative adversarial networks, integrated location guided services, and
beyond) will create new
security challenges. When state-sponsored hackers, organized crime syndicates,
and rapidly emerging sci-fi technology converge, it's time for all hands on
deck. In 2019, we must work to keep security, privacy, and risk management
measures at the heart of the enterprise mission.
About the Author
Joseph
(Joe) Kucic is Cavirin's Chief Security Officer, bringing to Cavirin over 20
years of enterprise and security experience. At Cavirin he is responsible for
hybrid cloud infrastructure security strategies with CSOs, CIOs and CISOs and
their teams across both enterprises and managed service providers / global
system integrators.