2020 is here, and the predictions season is well and truly upon us. Each and every year, security practitioners worldwide offer their two pence on what the year ahead has in store for our industry. It seems to us that, in a profession as dynamic and unpredictable as cybersecurity, such future-gazing might be somewhat presumptuous. As part of Orange Cyberdefense, we at SecureData probably know more about cybersecurity than most, but sadly no crystal ball resides at SecureData HQ.
Although we don’t know what is going to happen in cybersecurity in 2020, we do have a pretty good picture of why it’s going to happen. SecureData’s Chief Security Strategy Officer, Charl van der Walt, discusses four of the systemic factors that will significantly shape events in cybersecurity in the year ahead, and which we as practitioners need to understand when looking at what the future might hold for our industry.
1) Crime is the dominant factor in cybercrime
There is a commonly held misperception that cyber technology is the dominant factor in cybercrime. It’s not. Crime is the dominant factor in cybercrime. If we want to understand where cybersecurity is heading, we need to recognise that it is the innovation in business models, monetisation and markets by criminals that is having the most significant impact on our industry, not technology.
A good example is the emergence of cryptocurrencies. Ransomware, crypto-mining and extortion are all contemporary and well-known forms of cybercrime that have emerged as a consequence of the rise of cryptocurrencies, not because of innovation in crime technology.
We can expect this to remain the case as more and more innovative technologies and platforms permeate the business ecosystem. If we consider the impact that the IoT, for example, will have on security, the question to ask is what new forms of cybercrime it introduces, rather than which of the technology’s attributes make it secure or insecure.
2) Impact of regulation
Regulation, and discussion around its necessity, has swept the cybersecurity industry over the last few years. A string of high-profile breaches brought the issue to the fore, and now the impact of government regulation such as GDPR, and of similar initiatives worldwide, is really making itself heard and felt, shifting the landscape in two ways.
The first is a growing focus by the board on the security problem. The message du jour is that security is now a board-level problem, and this shift in dynamic has led to an expectation that security must be visible to the C-suite. This changes what is expected of security teams, and changes what is expected of security technologies and programmes. With responsibility for security residing with the board, the culpable party is different: a different type of person, and with it, a different kind of security.
The second way that regulation shifts the landscape is the growing role of insurance in cyber. With the increased attention of the C-suite, the fundamental value proposition that insurance offers is going to have a huge impact on the way the cybersecurity industry operates. Towards the end of 2019, we saw this manifested in two concrete examples.
The first is that there are now some insurance industry initiatives and consortia being formed that are offering guidance, not only on technology types but even on specific vendors that they expect to see as part of a security programme. It follows that as boards depend increasingly on insurance to mitigate risk, and insurance companies grade their products and premiums according to perceived security posture, the insurance industry’s voice in the cybersecurity space is set to become ever more relevant.
The second is the impact that insurance has on crime. Insurance industry incentives are not necessarily aligned with societal goals in terms of security. Insurance companies will ask businesses to take the route of least resistance when it comes to dealing with an incident, and often that means paying a ransom, rather than choosing to mitigate the problem in another way.
Data released recently suggested that the average pay-out for a ransomware breach is now $45,000 per company. Our Incident Response teams have seen recent payments by insurers of as much as €500,000 to attackers, with an additional fee of €250,000 paid to attorneys! A lot of that market dynamic is being driven by insurance companies’ willingness to pay out, no matter the inflationary impact that has on the cybercrime industry and the negative long-term effects it has on society as a whole.
3) Demand for digital transformation
The next systemic factor is to do with digital transformation, agility and DevOps and the way that is transforming the enterprise. We’re dealing with a reality where old-fashioned paradigms for how security works are being reconsidered because of the demand for agility and enablement. This hunger for innovation and technological expansion in the enterprise threatens to severely test the way cybersecurity teams perceive their roles and is bound to have implications for the cybersecurity industry.
4) Skills gap
The last of these four important systemic factors is the skills gap – the challenge it represents for the industry, but also the way it is forcing us to rethink who we are, what we do and why we do it. To illustrate this point, there is a simple but powerful narrative that requires the attention of our whole industry. It focuses on gender equality and ethnic equality in the security workplace.
The industry has often been criticised for a lack of equality and diversity. The retort is often that women and minorities are simply not applying for roles or aren’t interested in the positions on offer.
Unfortunately, the conversation often stops there, but it may yet emerge that the job descriptions themselves, the way the roles are articulated, are very one-dimensional, a trait that is starving our community of fresh perspective.
The industry tends to describe the work through a very white, middle-class, masculine lens, which tends to be functional (this is what you would do), structural (this is who you would report to), and then transactional (this is what you’d get).
If we begin to articulate the security profession in terms of purpose, in terms of partners and stakeholders, and in terms of the desired outcome, we may find that the job will attract other kinds of people to the space. Economists, psychologists and other members of our society – people who don’t think in terms of functional, structural and transactional contracts – may consider cybersecurity as a viable career.
At a systemic level, there is pressure on the industry, and in response we might just start seeing quite substantial changes in the way that we articulate who we are and what we do. Once we do that, we may find an injection of different thinking into our space that could really shift the landscape.
In security, much like in life, we never really know what’s around the corner, but when we look back at the events that shape cybersecurity in 2020, we will likely be able to trace some of them to these four systemic factors. Understanding them will be key.