
Based on the popularity of their first report, Infosecurity Magazine decided to research and publish a second report, culminating in the State of Cybersecurity Report 2019, and it makes for a fascinating read.
According to Contributing Editor Dan Raywood, ‘A chief aim of our research was to avoid an issue that seems to affect many published threat reports: research determined to drive the reader to a product or service.
This year, we interviewed 60 industry professionals from across the globe, including investors, users, consultants, evangelists and business leaders, asking them what they felt were the key trends impacting the industry now and in the future. We then reviewed those responses and identified the common findings and now present them to you in this report.’
In this blog post we’ll outline the top five trends with expert soundbites, then list what they’ve called the ‘remaining trends’ as well as the single-mention trends. As always, we’d love to hear what you think on LinkedIn and Twitter.
The Five Trends
#1 – Better Defence & Products – 35%
The report says…
The trend that was cited most frequently by our respondents was the need for better technology, in terms of both the quality of detection and the convergence of technology itself.
The respondents say…
Simon Church, general manager and EVP Europe at Optiv: Consolidation gets harder as the threat landscape gets bigger, causing users to ‘stop talking to vendors or go with one to reduce the noise level’.
Andrzej Kawalec, CTO of cyber transformation and director of strategy and technology at Optiv, advised that any new CISO in the first 90 days of a new job should not ‘buy any technology or products as they won’t know what they need’ in the early days of the role.
Nicola Whiting, CEO of Titania: A back-to-basics approach has come about because ‘people are realizing that the big-ticket solutions that they bought to solve a lot of their problems haven’t delivered.’
Marc Rogers, VP cybersecurity strategy at Okta: Security is ‘sitting on a massive mountain of old technology.’ Whether it’s applications written more than 15 years ago or protocols written 30 years ago, Rogers argued that we are too reliant on protocols such as SS7, ‘which has not evolved, as to change something so massive requires companies to change at the same time.’
Gil Shwed, CEO of Check Point: He highlighted complexity as a key driver, specifically with there being as many as ‘16 attack vectors for just 26 technology sectors,’ an imbalance that will increase over time. To solve that problem, ‘you need to be super sophisticated and smarter than Einstein.’
#2 – The Human Factor – 31%
The report says…
According to 31% of respondents, the wide subject of the human factor in security was one of the main drivers in the industry. The reasons for this are broad: the human factor covers all elements of the apparent skills shortage, the need for better training and the ‘human is the weakest link’ consideration, as well as the concepts of awareness and simulation programs.
The respondents say…
Steven Furnell, associate dean of international and postgraduate and professor of IT security at the University of Plymouth: ‘It’s a shame that we still hear the mantra that “people are the weakest link” and yet still see so few attempts being made to support them.’
Ed Tucker, co-founder of Human Firewall, argued that there needs to be an understanding that ‘everyone is a customer of security,’ as the user is the person who clicks on links. So if users are thought of as customers, it is ‘an opportunity to be better.’
Fareedah Shaheed, CEO and founder of Sekuva: She sees more investment in ‘empathetic awareness’ to better support people, rather than blaming them, which has been the case when humans have been held responsible for cases of data loss.
Ron Gula, president and co-founder of Gula Tech Ventures: ‘There needs to be more adoption of technologies to aid people, but there is not enough focus on training.’
Rob Clyde from ISACA: Until organisations are better equipped to deal with the challenging threat landscape, including making appropriate investments in their workforce and continuous training, the volume and impact of cyber-attacks will continue to escalate.
#3 – Compliance – 25%
The report says…
Compliance was the standout industry trend in our 2018 report, most likely because we were in the lead up to the deadline for compliance with the General Data Protection Regulation (GDPR). In the following year, the subject of compliance has remained a significant talking point with the introduction of the Network and Information Security Directive and the California Consumer Privacy Act (CCPA).
The respondents say…
Analyst Bob Tarzey: While excitement about regulation has died down a little, regulatory controls will remain a driver in the EU and beyond.
Dr Jessica Barker, co-founder of Cygenta: ‘More and more organisations are changing the way they handle data’ in the face of changing regulatory requirements.
Izzy Vixsama from Vix Cyber: The ‘anticipation and stress of implementing GDPR and privacy’ was a problem for businesses in her native USA, as despite the May 2018 deadline, a lot of companies today are still not fully aware of what GDPR is and do not have a strategy for it. ‘Some companies are not trying to understand what it means for their organization and that is going to cause a shift in how data is collected here.’
Rob Clyde, chair of the board of directors at ISACA: There is an increased emphasis on landmark privacy regulations, and these ‘will put an added emphasis on the connections between cybersecurity and data privacy, and the need for a holistic approach to dealing with these challenges.’
#4 – The Company and Board Engaging with the Security Team – 18%
The report says…
According to 18% of our surveyed demographic, another driver impacting cybersecurity was businesses’ engagement with security teams and vice versa. The issues here are very clear: if the security team understands what the business is trying to achieve, then it has a better chance of succeeding. If the business understands who the security team is and its policies and challenges, then there is a better chance of a more secure culture.
The respondents say…
Thom Langford from (TL)2 Security: It is not the job of security to make the company more secure; ‘it is to help it sell stuff and help it meet the vision and the goals that the business has set itself.’
Dr Jessica Barker, co-founder of Cygenta: There is an increase in board awareness and global regulations, which are ‘converging to raise accountability for cybersecurity programs.’
Moss Adams CISO Nathan Wenzler: He thought that there had been a realisation that ‘culture and soft skills and human stuff [are] incredibly critical and important,’ because people working in cybersecurity are not pure technologists. Security teams know that it is ‘time to take action themselves.’ He claimed that people ‘want more power and more control,’ but security should be about helping businesses communicate with each other.
Steven Furnell pointed out that while cybersecurity ‘is undoubtedly taken more seriously by today’s organisations than it was in the past,’ if you took away drivers like GDPR, the default cybersecurity attitudes and behaviours possibly haven’t changed.
#5 – Automation and Machine Learning – 18%
The report says…
While machine learning is often maligned for being a marketing term used by vendors to better boost ageing detection technologies or even as an extension of monitoring technology, it’s hard to ignore the overarching trend of automation, which was cited by 18% of respondents.
The respondents say…
Ross Brewer, vice-president and managing director EMEA at LogRhythm: There is a lot of hype suggesting that ‘machine learning is the greatest thing since sliced bread.’ While machine learning and unsupervised learning are excellent at detecting anomalies, there is too much belief that anomalies are always bad, he said, when actually ‘they just show what is abnormal or different.’
Recorded Future’s Steer noted that a lot of companies are ‘riding on the bandwagon’ as different vendors say different things regarding the effectiveness of AI or machine learning.
Ed Tucker, co-founder of Human Firewall: Though there are concerns about a lack of understanding regarding different types of AI, there will come a time when we will have to ‘put faith in the accuracy of machine learning.’
The Remaining Trends
Alongside the top five trends, these next five came close, but no cigar. Thoughts on a postcard to the usual address…
Business Agility & Digital Transformation – 13%
Moving to a more agile business model can often be at the expense of infosec. Security researcher Adrian Sanabria says that ‘services are not given proper attention [and] companies can end up like another Equifax’ and we all know what happened to them.
For too long, security has acted like the gatekeeper, preventing forward momentum. The journey to the cloud and DevOps were about bringing siloed capabilities together, but Zane Lackey, co-founder of Signal Sciences, suggests that security is meeting an environment where apps, once changed every year and a half, are now changed 100 times a day. ‘If security wants to stick its head in the sand, the business is just going to move forward without them, and it is a powerful opportunity if embraced correctly.’
Cyber Hygiene – 15%
The vast majority of data breaches are down to bad cyber hygiene. Thales cybersecurity evangelist Jason Hart is ‘amazed by the number of organizations not doing the basics’ despite the increasing size and scale of data breaches.
He signed off with some chilling words: ‘If the basics do not include what your employees are doing and what they are made aware of, who is expected to take the blame for that?’
The Cloud – 13%
Ben Tomhave of Falcon’s View Consulting says that as IT security and risk professionals we should ‘embrace multi-cloud as a smart risk decision, but at the same time, we need to make sure smart decisions are made within each cloud provider’s environment, too.’
APT and Nation State Attacks – 13%
APT (Advanced Persistent Threats) and state-sponsored hacking scored highly. One advantage (if it can be called that) is that this constant over-the-shoulder-looking has pushed security forward much faster, says Perry Carpenter, strategy officer at KnowBe4.
He went on to say that ‘particularly with (often automated) social media posts that publicize inflammatory messages and human-generated actions where a phishing e-mail can appear to come from a country that attackers want to pin blame upon.’
Consultant and speaker Graham Cluley said that nation state attacks were, for him, the key trend at the moment, as many companies feel that the attacks do not affect them, but they may have ‘customers who are of interest to a nation state.’ He also said, and we’ve mentioned this before, ‘too much childish behaviour and a failure to work together because of rivalries means that too much time is spent putting out fires, and we do not share information on organized businesses.’
Malware, Attacker Sophistication and Ransomware – 13%
Cybersecurity analyst Bob Tarzey called it ‘the greatest concern expressed by security managers’ as attempts to gain access to networks continue to drive security and ‘keeping these threats at bay is a big driver.’
As attacks get more sophisticated – from botnets to AI – the number of exposed databases enabling phishing attacks will grow. The 2018 report said that 34% of respondents mentioned the expanding threat landscape and evolving attacks. Despite being predicted to be on the downturn, ransomware attacks were driving cybersecurity, according to ISMS manager Izzy Vixsama. In particular, there were more attacks on senior citizens as they tend to have more money and on younger individuals who have good or no credit history, as they can be targeted in fraud attacks.
The fundamental issue is that when companies are hit, they simply don’t know what to do.
‘The bad guys are ahead and will be for the foreseeable future.’
The Single-Mention Trends
These trends were mentioned, as you’ll no doubt have ascertained by now, by just one of the respondents. Are there any on this list that should have carried more weight?
Governance, risk & compliance tools • Certificate transparency • Managed services • Financial motivation of attackers • Ratings & metrics • Fraud • Bug bounties • Government factors • Fuzzing
That’s the state of cybersecurity in 2019. It remains to be seen what 2020 has in store…
Contact us today on info@koncisesolutions.com or call 020 7078 0789 and we’ll talk cloud security, cutting-edge IT solutions or what’s better, Coronation Street or EastEnders. Whatever you want.
Koncise Solutions