Cybersecurity past to predict the future

As part of the recently published research report from ESG and the information systems security association (ISSA) titled, The Life and Times of Cybersecurity Professionals, 343 infosec pros were asked to identify the cybersecurity actions their organizations have taken over the past few years.  This list serves as a good foundation for what we can expect in 2018. 

The top responses were as follows:

• 52% of organizations adopted some portion or all the NIST cybersecurity framework (CSF). If you haven’t been paying attention to this, you’ll be surprised to find out that the NIST CSF has become a standard risk management tool across many industries and has also evolved to produce baseline metrics for cyber insurance.  The 1.1 draft was recently published, promising to bring even more clarity, a common language, and extensibility to the cyber supply chain.  Finally, CSF will likely be adopted in tandem with the Committee of Sponsoring Organizations (COSO) risk management framework (part 2) which is more focused on business and enterprise risk.  In aggregate, look for more risk management efforts in 2018, including my recent description of advanced prevention. 
• 50% of organizations increased cybersecurity training for the security and IT staff. Okay, that’s the good news.  The bad news is that 62% of cybersecurity professionals surveyed believe that the level of training they receive from their organization is still inadequate.  Cybersecurity training will increase in 2018 but probably not as much as it should.
• 49% of organizations increased the level of cybersecurity training for non-technical employees. This may be a good investment but too many organizations go through the motions with cybersecurity training, viewing it as a checkbox exercise.  Regrettably, this will continue with many organizations increasing their training budgets slightly but getting little, if any, ROI in the process.  I see leading companies going the extra mile with user-centric penetration testing, like white hat phishing campaigns, using tools from KnowBe4, PhishMe, Wombat Security, and Webroot.  I also see better communication like explaining why user actions were blocked rather than simply blocking them and presenting cryptic messages to employees.  Continuing education is important so I hope CISOs and HR managers look to improve and not just increase user training in 2018.
• 48% of organizations increased their cybersecurity budgets. ESG will soon publish its IT spending intentions research for 2018 which includes highlights on cybersecurity budgeting.  Spoiler alert: A majority of organizations will increase their cybersecurity budgets in 2018 across all industries.  Even with this increase however, security teams will find it challenging to invest in all areas of cybersecurity.  In 2018, CISOs will develop a portfolio management approach to investment, looking for ways to use machine learning technology, security operations automation/orchestration tools, managed services, and software-defined security options, to address requirements AND act as a countermeasure toward escalating costs.
• 48% prepared to adhere to one or several new regulatory requirements. In 2017, New York State pushed new regulations on financial services firms while many global companies started their GDPR preparation.  With the May deadline approaching, GDPR will continue to be an area of intense investment in 2018, but I doubt whether this will be the end of the line.  I expect a lot of scrutiny and perhaps some initial regulations on IoT device security in 2018.  Oh, and one big data breach or service disruption could certainly change legislative attitudes overnight.  As a US citizen, I hope Washington pays attention to lessons learned from things like Equifax and GDPR to start working on reasonable data privacy and cybersecurity regulations here on the home front. 

What the ESG/ISSA data suggests is that the cybersecurity past is prologue.  Let’s hope that CISOs do more than get more cash and go through the motions in 2018.  Rather, I for one hope they assess needs, processes, and resources, and use increasing budgets for fundamental cybersecurity improvement.