woman standing in a hall lit by surrounding neon lights
PHOTO: Bit Cloud

Every year, I say I hate prediction posts. And yet every year I write a prediction post.

Putting your predictions into writing can be truly valuable. Forcing yourself to think about what’s going to be top of mind in the next 12 months makes you put your foot down and go on the record.

So here’s a look at what I think the big IT security trends of 2019 will be. Take them as you will.

Minimizing Risk Takes Precedence Over Building Stronger Walls

We’ve been building stronger walls to protect data for decades, but the list of companies that experience data breaches continues to grow. Target, Anthem, Equifax, Marriott — shall I continue?

The idea that we can build walls capable of preventing all breaches (or even most of them) is long outdated — only the least sophisticated chief information security officers (CISO) believe that they can protect their data most of the time. That doesn’t mean we should give up, of course. Quite the opposite: We need to be ever vigilant about protecting our data. But it does mean we need to be realistic about what we can and can’t do.

CISOs shouldn’t strive to stop breaches from happening altogether. That’s an impossible standard to live up to. What they should do is look for ways to minimize the risk associated with (inevitable) breaches. That’s a goal that is possible to accomplish.

The first step in minimizing risk is to determine whether your company has sensitive data that is unmanaged on repositories like shared drives and Sharepoint platforms. It’s also a good idea to identify any database applications that you weren’t aware of — because they probably aren’t being patched, and who knows what data they contain. Finally, you should determine how much stale and junk data your company has in its systems because, among other things, maintaining that data detracts from your ability to protect the really important information.

Those are important and difficult questions that you need to address if you want to manage information risk. They were top of mind in 2018 (or should have been) and will continue to be in 2019.

Related Article: How Much Information Security Is Enough?

We Will Recognize the Difference Between Privacy and Security

Many organizations think privacy and security are the same thing, much to the detriment of both.

Security efforts should focus on the day-to-day details of protecting information — strengthening firewalls and endpoint security systems, deploying data loss prevention (DLP) software, implementing access management systems, etc.

In contrast, privacy is (or should be) a higher-level concern associated with enterprise risk. Whatever security technology an organization uses is irrelevant (or at least tangential) to the mission of maintaining privacy. Privacy strategies should take into consideration the risk that sensitive information poses to an organization in light of privacy rules, regulations and standards, as well as internal corporate policies.

In the past year, an increasing number of organizations have begun to codify the distinction between privacy and security, either by hiring privacy officers whose roles are separate from those of CISOs or by more clearly delineating the difference between information security and privacy.

Either way, it’s important to recognize the difference, and I predict more and more organizations will be moving that way in 2019.

Related Article: Should the Chief Privacy Officer and Chief Information Security Officer Roles Merge?

Office 365 Will Drive Security Efforts

The Office 365 train is a-runnin’ and it will take everyone in the Fortune 1000 with it in the next 18 months. And when Microsoft turns off the on-premises option, look out — lots of companies will be scrambling to figure out what to do.

Complicating the problem is the fact that, historically, very few enterprises have considered the security requirements (and associated risks) an Office 365 migration brings. That’s changing. Most companies I’ve talked to in the past six months are acutely aware of the security and privacy risks of a move to Office 365, but they struggle to quantify them and formulate plans to address them.

I think they’ll figure out ways to handle that challenge in 2019 — because they have to.

Related Article: 12 Productivity Tools Baked Into Office 365

Tools Are Getting Better, and More Companies Will Use Them

It is impossible to minimize security risks without tools to help you assess the importance and sensitivity of all of the information you have.

Asking users to, for example, open every document on a shared drive to find out which ones contain confidential information is a nonstarter. That would take too long and cost too much.

There are, of course, software tools that are designed to help you do the job, such as the auto-classification tools that have been available for over a decade. However, despite the claims of the software vendors, the promise of true auto-classification is pretty much unfulfilled.

But while auto-classification systems may have failed to live up to their potential, file analytics (using regular expressions) have the ability to interrogate content and provide insight.

Make no mistake: This is dumb technology. You tell it what patterns too look for (for example, “###-##-#### = Social Security number”), but it works, and it works well. Under the hood, it’s all the same Israeli code, but the offerings are packaged with a variety of user interfaces (that may or may not meet your needs) and they are available at a wide range of price points — from $20,000 to $30,000 to more than $1 million.

The bottom line is that the technology has arrived and it is ready to help you take stock of the information you have so you can adopt appropriate security and privacy measures. I predict that organizations will increasingly adopt this technology to assess, and minimize, their security risks in 2019 at whatever price point.

Related Article: Is There an ROI for Investing in Information Security?

Good Luck in the Year Ahead

Infosec is a dynamic and ever-changing discipline — one that it’s hard to get your arms around. As a practitioner and consultant who sells strategic, program-level offerings, I have a certain bias. But be that as it may, I hope that you find my take on 2019 IT security trends valuable, and that it will help you figure out how to address your security needs this year.