Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Andrew Howard, Global Chief Technology Officer, Kudelski Security
5 Trends That Will Shape the Security Industry in 2019
This year we not only saw the increased use of new technologies like blockchain, but
also how unprepared businesses are to safely and securely implement them. Given
Gartner's prediction that cybersecurity spending will grow to more than $124
billion worldwide in 2019, where companies put that investment is
more critical than ever.
As businesses and security practitioners plan for the new year, there are five key
trends to watch that will have a deep impact on their security plans. Those who
can balance the use of the latest technologies while keeping security at the
forefront will be best positioned to handle the shifting security landscape in
2019.
Cloud Adoption and Skills
Cloud services, including Identity as a Service (IaaS), Security as a
Service (SaaS), and Platform as a Service (PaaS), as well as
cloud-based security services, will see an exponential increase, while base
security risks will become even more palpable. Enterprises have to start
assuming their role in securing whatever they store in the cloud; otherwise, we
will only continue to see the number of breaches increase.
The well-documented skills shortage in the industry is likely to be
exacerbated by the exponential move to the cloud, as it requires very
specialized skills that are in high demand and short supply. Encouragingly,
we're likely to see that gap close in the coming years as more individuals
obtain the necessary AWS and Azure certifications.
Internet of Things (IoT) and Operational Technology (OT)
The 'connectivity of everything' trend will maintain its rapid growth, and security and
IT systems will continue to interface more closely with IoT and OT environments. That connection will
enable new lines of business and greater efficiency, but also open
organizations to new lines of attack. The
complexity of the IoT ecosystem will continue to drive security vendors to
research and develop products around IoT visibility, monitoring, and management.
In addition to greater attack surfaces, the proliferation of IoT devices will also lead to
increased privacy and security concerns. We will see attack services and
hacking tools also grow, which will have a direct impact on the cost of controls
and compliance as well as spur new regulations. IoT botnet exploitation will
also intensify and primarily target industrial IoT. With the increasing threats, industries
such as those heavily impacted by supply chains will begin to place greater
demands on their suppliers for security certifications and audit reporting, and
enterprise users with large deployments of IoT/OT systems will create demand
for a platform or services to help manage and monitor devices across their
ecosystem.
Adoption of Blockchain Technologies
The adoption of blockchain-based technologies is also likely to grow in the next
year. The payment processing space will continue to rely on blockchain for
cryptocurrencies, but the identity space is on the rise. Most likely to appear
in decentralized identity models with zero-knowledge proofs, blockchain will allow
validation of users' identity or their access rights without having to transfer and store
personally identifiable information in multiple locations.
The risks will relate to software development practices, where
companies assume security can come later in the process instead of being built from
the ground up. As we move into 2019 and companies start to trust blockchain for
critical information that can be monetized, we will see attacks moving from
only cryptocurrencies to data breaches.
Increased CISO Pressure
CISOs will be under even greater pressure moving into next year,
particularly given the increased focus on cyber spending at the board level. Many
boards will either begin or continue bringing on independent cybersecurity
advisors or board members with experience in cybersecurity, adding to the
pressure but also potentially giving CISOs more support at that level.
Boards will also want to see objective measurement and validation of
security program effectiveness, meaning the effectiveness of such programs will
rely more and more on CISOs' ability to partner with the board and communicate
needs to them. CISOs that can
communicate a clear strategy and measurable plan will have increased support,
as well as funding for key initiatives.
More Cyber and Privacy Regulations
In addition to safeguarding their organization from growing threats, cybersecurity
practitioners will have to ensure they are in compliance with the increasing
number and scope of relevant regulations. Although GDPR hasn't
yet made the splash many thought it would, we still expect U.S. companies to
face fines under GDPR in the coming months, leading to a renewed interest among
all businesses in ensuring they are compliant.
California and New York's efforts around cyber and privacy regulations
demonstrate there's a bigger appetite for such regulation that's likely to
spread to other states. Whether at the state or federal level, we should expect
both to more seriously consider privacy and breach notification legislation in
the near future.
About the Author
Andrew Howard, Global Chief
Technology Officer, Kudelski Security
As the chief technology officer for Kudelski
Security, Andrew Howard is responsible for the evolution, development and
delivery of the organization's technology strategy and solution architecture,
including selecting and validating third-party technologies and managing
research, development and labs. Prior to joining Kudelski Security, Andrew was
a laboratory director at Georgia Tech, spearheading the information security
research and advisory programs. He has served as advisor on emerging security
threats to Fortune 250 CISOs and government bodies and has extensive experience
as a security architect, strategist and technical leader. Andrew has an MBA in
management of technology and a master's degree in information security from the
Georgia Institute of Technology.