ESG's Doug Cahill and Jon Oltsik share their thoughts on the future of Cybersecurity in 2019
Read the related ESG Blog: Cybersecurity Predictions for 2019 - Part 2
Doug: So welcome back for another discussion on 2019 Cybersecurity Predictions. Jon, at the end of the last video, we were talking about the role of the cloud in the threat landscape, the role of the cloud to optimize security analytics at scale. What about data privacy?
You know, as more data is stored in cloud services, how do we think about data privacy and regulations? What's your thoughts on this area for next year?
Jon: Yeah, it's incumbent upon CISOs and the staff to operationalize data privacy. So data privacy tended to be historically more of a legal activity and now because of GDPR, because of all the personal data out there, we have to operationalize it.
Now, part of that will be governance for cloud-based data and we have to be much more thorough on that. So some of the things, Doug, you and I have been looking at for years: data classification, data discovery, the right controls, the right monitoring. Those all have to be operationalized and automated. We can't just throw people at them.
Doug: So some are your set of best practices and processes, but for those organizations that do have a cloud footprint, it's got to be "cloudified" for lack of a better way to put it.
Jon: Yeah, absolutely. And then with GDPR, I think we have to be conscientious of maybe there was a little bit of a grace period in 2018. I personally believe this. In 2019, the fines will get stiffer, the enforcement will get tougher, and so companies really do have to understand their data privacy and operationalize it much more.
Doug: Yeah. Now we're starting to see state level, here in the U.S., we're seeing state-level data privacy regulations which is going to add some complexity. Even if the one in California doesn't go into effect quite yet, organizations are starting to prepare for it. And there are differences between like New York and California, so it creates more... So to operationalize, you've got to consider those nuances between the states.
Jon: Yeah, I don't anticipate federal cybersecurity regulations unless we have some major event and then it will become a panic type of legislation. But in the meantime, yeah, the states will take the lead. But, with data privatization, with all these operations, you need people. And so what are you seeing on the skills front?
Doug: Yeah, so I don't think either of us would predict that the skills shortage issue doesn't become better next year, unfortunately. But specifically to cloud, you know, one of the things we have been tracking is the role of the cloud security architect and we're finding many organizations have recently created this role. And our research has also found that the cloud security architect typically reports to a C-level individual, not necessarily the other security architect.
I think it's indicative that these people have a really strategic role within the organization and it's arguably going to be a cybersecurity skill, if not the cybersecurity skill, that is in the most demand in 2019 as organizations have to sort of retool for their use of the cloud, and they need security professionals who understand the cloud. They understand the cloud threat model, they understand the differences of cloud infrastructure.
It's going to be a really, really front and center, hot skill to have this coming year.
Jon: Yeah, it came out number one in our ISSA research in 2017. I'm sure it will in the 2018-19 time frame. And then that person has to coordinate because there's still a hybrid architecture. So it can't be cloud-only security, it has to be hybrid security.
Doug: Absolutely. So given the skill set shortage issue, do we expect to see advances on the technology side to provide greater operational efficiencies?
Jon: Oh, absolutely. That's pretty much tantamount to being a cybersecurity vendor at this point. So your tools have to become easier to deploy, easier to use, the time to value has to accelerate. So we're seeing artificial intelligence. We're seeing automation and orchestration built into products. We are not going to make any kind of inroads on the cybersecurity skills shortage.
And so we really have to make our people more efficient and I think every vendor is really aimed at that. One of the things, as you know, we've been tracking is the growth of cybersecurity platforms. So integrated suites, maybe with some open APIs, maybe with some partners, and that appears to be, at least in the enterprise, that appears to be a major trend in 2019.
Doug: At in endpoints, specifically, we're really seeing a move toward single-agent end platforms. And for the last couple of years, we've had layered controls, which seems to have consolidation really, to platforms and single agents. I think that's going to be a big theme for 2019, too.
Jon: Yeah, that could be a big migration path for lots of different organizations. I mean, we're talking an organization with 40,000, 50,000 endpoints. That's a major project and that could be a big transition in 2019.
Doug: You bet, you bet. Hey, so as we close out sharing with everybody what's on our radar screen for 2019, step back and take a global perspective. So trade wars. Specifically, you know, between the U.S. and China right now, with tariffs increasing and so forth. Do you think this translates into the cybersecurity context?
Jon: Yeah, I think so. More animosity with global relations and there is more of an impetus to go and look around and do more cyber espionage. So there has been sort of a detente in that over the past few years. I expect to see a lot more especially if trade wars escalate.
Doug: Arguably, we need the equivalent of the Geneva Convention for cybersecurity, right? So we've got, you know, sort of an agreed upon set of rules and engagement and that's reciprocal across all nations.
Jon: Love to see it. Not optimistic. There are nations like the United States who still believe they have enough offensive advantage and they don't want to jeopardize that. But at the same time, I think the United States is more vulnerable than other nations and certainly, Europe is as well. I'd like to see progress on that.
I think what it will take, unfortunately, is some kind of major breach or major attack to motivate people to do that.
Doug: You bet. So all of us in cybersecurity are always extremely busy. We have a really full research calendar for 2019 and it touches upon many of the topics that we chatted about today. So just scratched the surface of these topics in these couple of videos, but we look forward to connecting with everybody as a follow up to all of our research.
Jon: It ought to be a wild and crazy year as it always is in cybersecurity, Doug.
Doug: So true, Jon.
Doug: Thanks for joining us.