
Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Members of the RSA Conference Advisory Board
To 2019 and Beyond
Toy Story's Buzz Lightyear was in a perpetual fight against the Emperor Zurg, who
was secretly building a weapon with the destructive capacity to annihilate an
entire planet. Sounds a bit like our plight against cyberattacks, doesn't it? In
the new year, we can reflect on the months behind us and apply what we learned
to the incidents ahead. Not only were we faced with seemingly endless data
breaches and cyber risks - from airlines to financial institutions - we saw a
larger push for data privacy and enforcement with GDPR. We also were pulled to
recognize the importance of working together on collaborative solutions to make
cybersecurity and our world BETTER.
This collective desire to do more in 2018 led RSA Conference to add nine new
members to its Advisory Board, all with unique backgrounds,
perspectives and knowledge. Here are their predictions for the new year.
GDPR in 2019: A Year of Enforcement
"If 2018 was the year of GDPR implementation, 2019 will focus heavily on GDPR's
implications and its enforcement," says Hugh Thompson (Program Committee Chair,
RSA Conference and CTO, Symantec). "We haven't yet seen big prosecutions by the
data protection authorities, but I think we are going to see those in 2019. GDPR
has emboldened many other nations to ask, 'how and what should we regulate?'"
New AdBoard member J. Trevor Hughes (President and CEO, IAPP) also sees strong
GDPR enforcement on the horizon.
"There was a lag from the GDPR compliance deadline to enforcement, but we must
expect more privacy enforcement on a global basis in 2019. Brexit has been a
mess and there are many unanswered questions around what it means for the
U.K.'s data protection post Brexit. Watch Europe, watch the FTC - with the
number of privacy issues in the media, we're entering the enforcement era of
GDPR, in Europe and elsewhere."
In Australia, home to Narelle Devine (Chief Information Security Officer at the
Australian Government Department of Human Services), new Mandatory Data Breach
Notification laws came into effect at the start of 2018. The Australian laws
provide for a 30-day notification period rather than the 72-hour reporting
requirement of GDPR, which she notes "is quite early, when you really may not
yet know the full nature of the breach." While the legislation and corresponding
vigilance around personally identifiable information have increased in the last
year, much of the criminal activity would have occurred before this uplift, she
says. 2019 will see identity theft continue to rise before the mitigations of
2018 become effective.
Diversity & Inclusion: Tip of the Iceberg
This was far and away the topic the Advisory Board members were most vocal and
passionate about. According to a research report by The American Association of
University Women (AAUW), women hold about 26 percent of tech jobs. In
cybersecurity that drops to 11 percent. It's been a pervasive problem in the
industry and, as some Board members argued, must be addressed now. 2019 will see
significant progress toward parity; however, all acknowledge we're at the tip of
the iceberg.
"There will be a greater emphasis on diversifying workforces in 2019. We see our
clients increasingly recognizing the value of diverse teams and taking more
actions to hire and retain qualified underrepresented professionals at all
levels," says Joyce Brocaglia (CEO, Alta Associates & Founder of the Executive
Women's Forum on Information Security, Risk Management & Privacy). "We also see
the role of the CISO continuing to be elevated in the coming year, requiring a
diverse perspective and new set of executive level skills."
Laura Koetzle (VP and
Group Director at Forrester) agrees. "Better hiring and retention methods will
raise the number of women CISOs to 20 percent," she predicts. "As their
exclusive pool continues to shrink, hiring managers hide behind the excuse of a
talent shortage instead of broadening their search to green talent or applicants
with other relevant skill sets. We're slowly seeing companies recognize the
necessity of recruiting from nontraditional cybersecurity backgrounds. In 2017,
only 13 percent of the Fortune 500 had women CISOs. In 2019, we expect to see
that number grow to 20 percent as companies search for new security
perspectives."
This talent gap has not gone unnoticed by Kim Jones (Professor of Practice,
Arizona State University). "We need to think long term, not short term," he
says. "The profession has done a good job of stimulating the entry level
cybersecurity pipeline with innovative solutions, but many of these solutions
are purely technology-focused instead of holistically focused on cybersecurity
skills. This has left many CISOs asking, 'are these individuals prepared to take
the next step in their career?' I think we're going to start seeing the impact
of this dilemma in 2019 as many young cyber professionals find themselves having
to go back into academia (or other training venues) for additional skills or
leaving the corporate sector to become individual consultants because they
can't take their career to the next level."
What about recruiting these future diverse leaders? "Companies are focusing on
their diversity numbers, but not on creating cultures within their organizations
that will enable them to support the underrepresented workforce they attract,"
says Dena Haritos Tsamitis (Director, Carnegie Mellon University's College of
Engineering's Information Networking Institute). "If you don't have a culture of
inclusion embedded in your practices, behaviors, leadership, messaging, and
marketing, your company won't be welcoming. It goes beyond the diversity
statistics; organizations need to focus more on creating an inclusive and
equitable environment. Diverse candidates are in high demand and they will not
tolerate workplace cultures that are unwelcoming and unsupportive."
Todd Inskeep (Director, Booz Allen Hamilton) adds
that "we have so much diversity in the industry that we didn't even know about.
Many women have been in this space for a long time and remained invisible. In
2019 we'll turn a corner in bringing more visibility into the diversity that we
had and the value of diversity on teams."
Sandra Toms (Vice President and Curator of RSA
Conference) challenged the security industry to acknowledge a broader
definition of diversity in 2019. "My hope is that diversity expands beyond
gender to invisible diverse aspects like beliefs, religion, life experiences,
sexual orientation, and education. All those things that make a person whole.
My prediction is that we'll broaden the scope of diversity to include more
individuals; a lot of language we use in cybersecurity is militaristic, we
should look at that and find ways to revise our language to help more people
become comfortable. I've been talking to a lot of companies that have made big
strides when it comes to diversity, and we've still got a long way to go."
Risk Management: One Step Forward
Years of major headline-grabbing cyber breaches have begun to open the eyes of
companies traditionally reluctant to invest heavily in security, say some
members. "Boards
are paying more attention to the operational impacts of WannaCry and NotPetya,
and are trying to figure out how to factor cyber in, but there's not a consensus
yet," says Inskeep. "It's getting
better, but we've got a couple years until we have a consensus on how boards
talk about and measure the impact of cyberattacks."
Wade Baker (Independent InfoSec consultant and
Co-Founder of the Cyentia Institute) agrees: "In the next year we'll see a
continuation of the balance of power between classic technical security
professionals and more business-oriented board and non-security executives who
will take more of a stake in cyber decisions."
"These massive breaches will also impact cyber insurance rates in 2019," says
Dmitri Alperovitch (Co-Founder and CTO of CrowdStrike Inc.). "We are coming to
the end of an era of low cyber insurance rates. I think they will go up next
year due to huge payouts from breaches like NotPetya and WannaCry. Insurance
companies are getting a rude awakening to the risks of cyber. Many insurance
policies were written years ago and did not take into account that liability
from breaches can easily be up in the hundreds of millions of dollars, as we've
seen with NotPetya attacks."