Looking Back to Look Forward on Cybersecurity

By now, everyone in our industry has provided 2017 cybersecurity predictions and I’m no exception. I participated in a 2017 infosec forecast webcast with industry guru Bruce Schneier, and ESG also published a video where I exchanged cybersecurity prophecies with my colleague Doug Cahill.

Yup, prognosticating about the future of cybersecurity has become a mainstream activity, but rather than simply guess at what will happen next year, I think it is useful to review what actually happened over the past few years and extrapolate from there.

ESG and the Information Systems Security Association (ISSA) recently published the second research report in a two-part series titled Through the Eyes of Cyber Security Professionals. As part of this project, 437 cybersecurity professionals (and ISSA members) were asked to identify some of the cybersecurity actions their organizations have already taken over the past two years. Here are a few examples of what they’ve done and what we can expect in terms of similar activities in 2017:

  • 49% of cybersecurity professionals said that their organization engaged in one or more new cybersecurity initiatives over the past two years. These included cloud security projects, new types of endpoint security plans, etc. These initiatives will likely continue next year, but I also expect two other focus areas in 2017: more initiatives around data security (i.e., sensitive data discovery, classification, confidentiality and integrity protection, etc.) and security analytics and operations integration (à la my blog on security operations and analytics platform architecture, or SOAPA).
  • 41% of cybersecurity professionals said that their organization increased security controls and monitoring for privileged users over the past two years. This trend doesn’t get nearly as much attention as it should since we know that privileged users can inflict lots of damage (witness Edward Snowden). Expect more multi-factor authentication and auditing of privileged users in the new year.
  • 40% of cybersecurity professionals said that their organization increased the size of its cybersecurity staff over the past two years. Yup, this too will continue, but it will be an increasingly uphill battle to recruit and hire talent. I also expect continued inflation and possibly hyperinflation of cybersecurity salaries in 2017. I’m looking for a corollary trend: a rapid increase in professional and managed cybersecurity services.
  • 39% of cybersecurity professionals said that their organization adopted some portion of the NIST cybersecurity framework over the past two years. This is good news, especially for an incoming administration with an aversion to new cybersecurity regulations. I expect the Trump administration to support and promote the NIST CSF, so we should see continued momentum. Insurance companies may also pile on, making the NIST cybersecurity framework a risk management standard for premiums and customer service programs. 
  • 39% of cybersecurity professionals said that their organization implemented stronger controls to limit which users and devices can access sensitive data and applications over the past two years. This is driven by security policies for business processes, regulatory compliance, and a goal of decreasing the attack surface. Look for a lot of 2017 chatter about attribute-based access controls and software-defined perimeters in support of these objectives. If you’re not familiar with these concepts, check out what Google is doing with BeyondCorp. I believe many large enterprises will initiate projects in 2017 to create a similar model for access control.
  • 39% of cybersecurity professionals said that their organization increased the cybersecurity budget over the past two years. Based upon past ESG research, my guess is that around two-thirds of organizations will boost spending again in 2017.

Over the past month, I’ve been asked whether I expect any new cybersecurity trends in 2017. Yes, there will be nuanced changes, but in reality we will simply be building upon what we’ve done over the past two years. A good start with lots more to do.

The ESG/ISSA reports are available for free download here. Your comments and feedback are welcome.
