2018 was a year of ups and downs in the cybersecurity world.

On one hand, we saw some of the biggest data breaches ever recorded, including almost a billion records leaked in September alone.

But on the other hand, organizations across all industries took cybersecurity more seriously than we’ve seen in the past, and committed more resources than ever to protect their digital assets.

Now, with 2018 done and dusted and security professionals preparing to start the cycle all over again, we thought we’d cast our gaze forward, and cover some of the cybersecurity trends we expect to see in the coming months.

In this post we’ll be covering strategic cybersecurity trends. Keep an eye out for our follow-up posts, which will delve into the technologies you can expect to see flourish (or not) in 2019.

CISOs and Cybersecurity Leadership

The role of Chief Information Security Officer (CISO) has evolved tremendously over the last few years. In 2019, we expect to see a continued expansion of responsibility for CISOs, particularly in their capacity as primary security advisors to executive boards. Cybersecurity has become a widely accepted topic at board level, and CISOs will be expected to advise on major concerns such as brand protection and compliance.

On that note, executive boards will increasingly want to see objective measurement of cybersecurity programs. Most organizations have invested heavily in cybersecurity over the last few years, and there will be an expectation that security programs deliver measurable ROI. Senior executives, who are almost exclusively non-technical, will rely on CISOs to keep them up to date on key security concerns, and CISOs will need to develop a strong communications strategy with regular KPI updates to achieve this.

At the same time, cybersecurity has been identified as a top three area for increased technology investment across all industries. Gartner predicts global spend on cybersecurity will grow by a further $10 billion in 2019 to a total of $124 billion — an 8.7% increase — and boards will be relying on CISOs to identify and justify the most important areas for investment. Historically it has been difficult even for experienced security leaders to penetrate the marketing hype surrounding security solutions. However, with the market stabilizing, CISOs will be expected to provide concrete evidence of anticipated ROI when recommending further investment.

In addition to the continued expansion of the CISO role, we anticipate an increase in the use of independent cybersecurity contractors to advise on specific areas of concern. In particular, external advisors will be called upon to identify areas of cyber weakness — e.g., via risk assessment, penetration testing, and threat hunting — and provide vendor-neutral advice on how to close any identified gaps. Similarly, as larger organizations look to be at the forefront of newer technologies such as blockchain and IoT, they will engage expert contractors for advice and support.

Finally, in line with the increasingly mature nature of the cybersecurity landscape, in the coming year CISOs will be focused on the business logic surrounding cybersecurity programs. They’ll be aiming to answer questions such as:

  • Who is doing what, where, when, and why?
  • How do existing components of a cybersecurity program fit together?
  • How can systems and processes be better integrated?
  • What gaps exist, and how can they be filled?

The answers to these questions will inform further investment, and ultimately lessen the burden placed on overloaded security professionals.

The Cybersecurity Skills Shortage

With substantial increases in cybersecurity investment expected, it should be no surprise that the widely-publicized skills shortage will continue to cause headaches for security leaders across the board in 2019. Unfortunately, it seems there is no end in sight, as industry analysts forecast a shortfall of 3.5 million cybersecurity jobs by 2021.

In addition to insufficient numbers of skilled security personnel, three other factors will contribute to the skills shortage conundrum:

  1. An ever-increasing volume of cyber threats
  2. The corresponding rise in the number of technologies required to hold threats at bay
  3. Broader attack surfaces due to adoption of new technologies, e.g., cloud, IoT, and BYOD

Since 3.5 million new security practitioners aren’t going to appear anytime soon, existing security personnel are going to be faced with heavier workloads than ever in 2019.

So how will organizations respond to these challenges?

First, a focus on upskilling existing security personnel will be essential. As there is no guarantee new skilled personnel will be available to organizations looking to expand their cyber programs, there will be little alternative but to invest in training and support to help junior security practitioners develop in-demand skills.

Traditionally organizations have shied away from heavy investment in upskilling programs for two obvious reasons:

  1. Cybersecurity training programs are often very expensive
  2. Once trained, security personnel have many opportunities for career advancement, and may simply leave

These concerns, while understandable, will need to be put to bed, or organizations simply will not have the necessary skills and experience to maintain a strong cybersecurity program.

Of course, not all security personnel requirements are permanent. Some security functions, such as penetration testing, threat hunting, and gap analyses, can instead be filled by security contractors. While this approach is already popular, we expect to see a rise in the use of consultative security services across a range of temporary needs.

Increased Nation State Activity

Depending on the industry you’re in, nation state cyber activity may be either very important or totally irrelevant. Either way, 2019 is set to be a year of increased nation state activity in the cyber realm.

Over the past decade, nation states have continually pushed the boundaries of what could be considered acceptable cyber activity. However, now that some actors (Russia, China, and North Korea in particular) have been allowed to continually push the boundaries without repercussion, we can expect to see a further increase in nation state and state-sponsored cyber activity in 2019.

If you aren’t sure whether you’re likely to be a target, it may help to have a basic understanding of each of the major nation states’ motivations:

China — Economic, technological, and industrial espionage

USA — National security, both offensive and defensive

Russia — Geopolitical influence and financial gain

Iran — Military, political, and nuclear advancement

Israel — Political and military disruption (primarily directed at Iran)

North Korea — Open to speculation

Functionally, most organizations in the Western world need only concern themselves with the activities of Russia and China, since the other major nations have a very narrow focus for their cyber activities. In particular, organizations focused on technology innovation, telecommunications, research (e.g., universities), and national infrastructure should be aware they are very likely to be targeted by one or more nation state actors.

So what makes cyber activity so appealing for nation states? There are a number of factors:

  1. There are effectively zero consequences, even when activities are definitively tied to a particular nation. At a minimum, Russia, China, North Korea, Israel and the US have all carried out widely reported cyber attacks and suffered no consequences whatsoever.
  2. It can be highly effective. Russia successfully crippled the Ukrainian financial sector by deploying NotPetya. The USA and Israel managed to disrupt Iran’s nuclear program with Stuxnet. By releasing WannaCry into the wild, North Korea caused mass disruption.
  3. It’s cheaper, faster, and less committal than military intervention. And, as Russia has proven repeatedly, cyber activity also works well in conjunction with traditional military action.

Given all of the above, it’s no surprise that the idea of a cooperative international agreement (sometimes described as a “Digital Geneva Convention”) has been floating about for several years now.

But do we think it’s likely to happen in 2019? Probably not. At least, not in any meaningful capacity.

The difficulty is that while some countries will no doubt be happy to sign such an agreement — particularly those countries without an established cyber program — none of the six most active countries would be willing to do so.

As if to highlight this point, toward the end of 2018 French President Emmanuel Macron launched an international agreement on cyber activity at the Paris Peace Forum. While the agreement was signed by 51 countries, none of the “usual suspects” were willing to put pen to paper. And if China, Russia, the USA, Israel, Iran, and North Korea won’t sign, there really isn’t much value to such an agreement.

Next Up: Technology Trends for 2019

2019 is going to be a busy year for security professionals as the cyber landscape continues to evolve.

Although cybersecurity budgets are rising, the corresponding rise in attack velocity means that in real terms security leaders stay in precisely the same position they have been in for the past several years, never quite being in a position to cover all of their bases.

As before, then, a risk-based approach will be essential as CISOs and security teams look to build out their cyber programs.

This has been part one of our 2019 cybersecurity trends mini-series. In the next post, we’ll take a closer look at some of the technologies that will impact the cyber landscape in 2019, and provide insight into how you can expect to see them evolve.

Kudelski Security Team