The last few years have been hot for information security (InfoSec), driven mainly by high profile breaches at Target, Home Depot, Anthem, the DoD, NSA, Equifax and others. Add to that the weaponization of cyber attacks by nation states (think Stuxnet or Russia’s attacks on Estonia and elsewhere), and it’s no surprise that InfoSec is the priority for governments as well as public and private sector organizations of all sizes and in all industries.
With that in mind, I wanted to turn to four InfoSec trends I see as key for understanding the industry in 2018. These are not emerging trends by any means. All of them have been important features of the InfoSec landscape for at least the last 18 to 24 months. But in 2018, they’ll continue to drive the marketplace and increase in importance.
InfoSec Becomes a Priority
InfoSec has been important since the advent of digital business, but in the latest Gartner CIO survey, security ranks as the second highest priority for CIOs (AI was first, IoT third). Compare this to the reported priorities for 2017, which were digital ecosystems, interoperability and bimodal IT, and to 2016, when security ranked seventh.
Given the rising importance of InfoSec (over 3,000 CIOs responded to the survey), we can expect to see InfoSec’s cachet in the organization increase, with a corresponding rise in capabilities and maturity heading into 2019.
Given the rising priority of InfoSec, it follows that Gartner predicts InfoSec spending will hit $93 billion globally in 2018, up 7 percent from 2017. This is big money … and good news for folks in the security industry. Budget is not the problem for organizations looking to tackle InfoSec. The problem is figuring out how best to address threats and risk as well as finding the staff to perform the work.
Which brings us to the next key InfoSec trend for 2018: the skills gap. In 2017 we saw double-digit growth in positions year over year, 200,000 open positions and zero unemployment. Combined with the rapid growth in InfoSec spending, this creates a significant problem for the majority of organizations, i.e., where will they find the bodies to help execute on the dollars they have to spend?
Unfortunately, the jobs InfoSec requires demand specialized skills and extensive training. So even though the robust and lucrative job market will eventually attract a flood of entrants, it will take time for supply to catch up to demand. And in the meantime, organizations will find themselves in stiff competition for the candidates available to help them spend the increased InfoSec dollars they have (and open to extreme risk until they do).
Attend any InfoSec conference in the last few years, from national shows like RSA or the ISACs to regional shows, and you’ll hear the truism that a breach isn’t a matter of if, it’s a matter of when. Today, given the large, heavily funded organizations that have been breached, breaches are no longer anomalies … they’re the cost of doing business.
So given the fact that no amount of prevention can stop internal or external bad actors, organizations are facing the reality that they have to address the state of the information behind their firewall to meaningfully reduce the impact of the eventual breach. Most firms have terabytes of sensitive data that don’t need to be kept for legal or operational reasons and could be deleted immediately. However, the organizational hurdles to doing so are significant and have prevented data cleanup for a decade or more. The foremost among them is the inability to align policies, procedures, stakeholder expectations and technology capabilities in order to get off the dime and push the delete button.
And while the difficulty of doing so is as great as it has always been, the combination of CIO priorities, funding and the heightened risk of a breach will make addressing information risk a key priority not only for 2018, but for the foreseeable future.
Predictions With Low Risk
Predictions are notoriously suspect, and as a talking head for the last 15 years, I know the game of making predictions that no one will ever fact check — and often don’t come true. But given the rising importance of InfoSec to most organizations these days and the increasing risks of breaches, I think that these four trends will be key in shaping how firms address InfoSec risk and how they evolve into 2019 and beyond.