Why 2018 could be the year cyber-security finally comes of age
In recent years, the cyber-security industry has been going through something of a renaissance, fuelled by the alarming rise in headline-grabbing cyber-attacks on businesses that many (unwisely) thought were impenetrable. These attacks have made it painfully clear that robust cyber-security is a necessity. But exactly how and where information security fits into the business has been a subject of debate for years. Does it sit within IT or should it be independent? What should the key performance indicators be? Who should the CISO report to? Should organisations even bother hiring a CISO? These questions and many others have played a key role in shaping the cyber-security evolution.

Some would argue that the industry often hasn't helped itself either; for example, using 'shock and awe' reporting tactics, reminiscent of a Hollywood film, instead of more level-headed and productive approaches to explaining cyber-security risk and exposure. Thankfully, in the year ahead, we can expect the cyber-security industry to evolve, mature and take a more strategic, business-focused outlook. Here's just a handful of ways in which this could transpire:

The CISO will be reborn (and rebranded)
The purpose of the CISO has been a topic of hot debate ever since the job title was first invented. Some have viewed them as legitimate organisational influencers and boardroom members, but others see them more as sacrificial lambs in the event of a security breach. Either way, we have certainly started to see fewer CISOs reporting into the CIO (as was the traditional approach) and instead the role is being seen as more independent and more strategic within the organisation. A key driver of this is the fact that cyber-security is now on the boardroom agenda in its own right, instead of being simply another “general IT issue to contend with”. The CISO is also finally becoming the focal point of all security messaging, as opposed to the CIO or CTO, which were previously relied on for such communications.

'Shock and awe' security reporting will come to an end
For a long time, the security industry has been guilty of using shock and awe tactics to try and hammer home the importance of network and data protection. However, this dramatic style of reporting is now starting to give way to a more level-headed, factual approach. Huge headline numbers like spam counts are increasingly being replaced with more useful and pertinent information such as proximal and distal levels of risk, and how to remedy any gaps identified. This increasing focus on results-based measures and the levels of effort required, particularly around detection and response, will help to move the security conversation forward in a constructive way, rather than using shock tactics to try and scare boards into increasing security budgets.

Boards will add new seats to the table
As the role of security grows increasingly important at C-level, expect to see a growing number of boards invest more heavily in recruiting the services of technical experts and consultants, both as voting members and advisors to lead board subcommittees. The subject of security risk will also become an increasingly hot potato during all potential acquisition and divestiture discussions, with poor security practices likely to cost organisations dearly. As part of this, security teams will also come under greater scrutiny than in the past, with any investments made coming with significant pressure to produce tangible results.

Incident response will overtake and drive traditional disaster recovery programmes
A robust Disaster Recovery (DR) strategy has long been seen as the cornerstone of good security practice. Some larger organisations even have entire departments dedicated to effective DR. However, a recent shift has seen many DR activities start to become subsumed under a larger process known as Cyber Incident Response (CIR). As cyber-attacks become more sophisticated and more frequent, CIR provides a more comprehensive overview of potential risk, impact and loss in the event of an attack. While effective DR remains critical to recovery, the completeness of visibility, applied value of analytics and speed/repeatability of response will be the new measures of security success.

Security programmes will increasingly be used to drive sales
With the importance of robust data protection being felt by nearly every organisation around the world, robust internal security programmes are starting to emerge from the corporate shadows to become sales tools in their own right. Not only can effective communication about strong security policy help to attract new clients and customers, it also becomes a key weapon in retaining existing ones. Wise security leaders are realising the importance of correctly marketing security to prospects and are starting to use specialist communications staff to support the sales team in this matter. Furthermore, the use of third-party risk evaluations will continue to rise as CISOs look to give greater validity to existing security practices and leverage them effectively through sales.

Growing acknowledgement of the importance of robust cyber-security at all levels of business is good news for everyone. Security is now firmly on the boardroom agenda and the security industry has been forced to take a good look in the mirror as it strives to become a more integral part of business operations. The shift towards industry maturity is already underway and will continue to manifest itself in 2018 and no doubt beyond. The world of cyber-security is full of surprises, so who knows what other factors may dramatically re-shape the landscape over the coming days, weeks and months!

Contributed by Stephen Moore, chief security strategist at Exabeam

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.