Looking back to look forward on cybersecurity

Lots of activities over the past two years that will only gain more traction in 2017

By now, everyone in our industry has provided 2017 cybersecurity predictions, and I’m no exception. I participated in a 2017 infosec forecast webcast with industry guru Bruce Schneier, and ESG also published a video where I exchanged cybersecurity prophecies with my colleague Doug Cahill.

Yup, prognosticating about the future of cybersecurity has become a mainstream activity. But rather than simply guess at what will happen next year, I think it is useful to review what actually happened over the past few years and extrapolate from there.

ESG and the Information Systems Security Association (ISSA) recently published the second research report in a two-part series titled Through the Eyes of Cyber Security Professionals. As part of this project, 437 cybersecurity professionals (and ISSA members) were asked to identify some of the cybersecurity actions their organizations have already taken over the past two years. Here are a few examples of what they’ve done and what we can expect in terms of similar activities in 2017:

  • 49% of cybersecurity professionals said their organization engaged in one or more new cybersecurity initiatives over the past two years. These included cloud security projects, new types of endpoint security plans, etc. These initiatives will likely continue next year, but I also expect two other focus areas in 2017: more initiatives around data security (i.e. sensitive data discovery, classification, confidentiality and integrity protection) and security analytics and operations integration (a la my blog post on Security Operations and Analytics Platform Architecture or SOAPA).

  • 41% of cybersecurity professionals said their organization increased security controls and monitoring for privileged users over the past two years. This trend doesn’t get nearly as much attention as it should, since we know privileged users can inflict lots of damage (witness Edward Snowden). Expect more multi-factor authentication and auditing of privileged users in the new year.

  • 40% of cybersecurity professionals said their organization increased the size of its cybersecurity staff over the past two years. Yup, this, too, will continue, but it will be an increasingly uphill battle to recruit and hire talent. I also expect cybersecurity salaries to keep climbing in 2017, possibly to the point of hyperinflation. I’m looking for a corollary trend: a rapid increase in professional and managed cybersecurity services.

  • 39% of cybersecurity professionals said their organization adopted some portion of the NIST cybersecurity framework over the past two years. This is good news, especially for an incoming administration with an aversion to new cybersecurity regulations. I expect the Trump administration to support and promote the NIST Cybersecurity Framework, so we should see continued momentum. Insurance companies may also pile on, making the NIST Cybersecurity Framework a risk management standard for premiums and customer service programs. 

  • 39% of cybersecurity professionals said their organization implemented stronger controls to limit user and device access to sensitive data and applications over the past two years. This is driven by security policies for business processes, regulatory compliance, and a goal of decreasing the attack surface. Look for a lot of chatter in 2017 about attribute-based access controls and software-defined perimeters in support of these objectives. If you’re not familiar with these concepts, check out what Google is doing with BeyondCorp. I believe many large enterprises will initiate projects in 2017 to create a similar model for access control.

  • 39% of cybersecurity professionals said their organization increased the cybersecurity budget over the past two years. Based upon past ESG research, my guess is that around two-thirds of organizations will boost spending again in 2017.

Over the past month, I’ve been asked whether I expect any new cybersecurity trends in 2017. Yes, there will be nuanced changes, but in reality, we will simply be building upon what we’ve done over the past two years. A good start with lots more to do.

Copyright © 2016 IDG Communications, Inc.