What Happened in Information Security in 2018?
Several trends in information security throughout 2018 have set the stage for 2019, the year in which all of us will have to look in the mirror and think about where our moral boundaries in security lie.
Before we dive into the information security trends expected in 2019, we need to understand the events and trends from 2018 that underlie our predictions for next year: the unenforceability of regulatory requirements, shifting liability in information security, and the persistence of the diet pill mentality.
Pulling the Teeth from Information Security Regulations
Some people might argue that the current state of security can be attributed to the state of near-constant attacks.
While these attacks have been prevalent over the past years and will continue, they aren’t the sole reason that security will cause everyone involved to re-evaluate their moral compasses.
One of the true causes, at least in the United States, began when Trump came into office. Regardless of political ideology or judgments about Trump as a leader, it is clear that the US government moved to a strategy that removed the regulatory teeth from many of the cyber security and privacy regulations, along with the associated penalty and fine programs that Obama had supported.
It is not that the penalties themselves changed; rather, the number of assessments and audits for compliance with these laws has been cut back or eliminated. Without audits to uncover non-compliance, the fines that would follow from it have also largely vanished.
Most affected were the Office for Civil Rights (OCR), which enforces HIPAA (the Health Insurance Portability and Accountability Act), and the CFPB (Consumer Financial Protection Bureau), both of which were performing assessments and audits all over the place in 2014 through 2016. Now? Not so much.
Business leaders noticed this shift toward a free pass on compliance in the U.S., but they are now thinking about security in a different way.
Most organizations are making a lot of money right now, and while attacks are still increasing, attackers are not as focused on stealing customer data as they are on more profitable endeavors.
This is primarily because there is not much money left in stealing customer or personally identifiable information: most of it has already been stolen, and the black market is flooded with it.
Businesses instead face more profitable schemes such as ransomware attacks, which can take down the availability of an organization's business systems. That hinders the organization's ability to make money, which is always bad, but it is an even bigger problem while an organization is making a lot of money.
It doesn't help that the average organization, regardless of size, is still immature from a security perspective. It has limited safeguards against these attacks, even though it is more than willing to spend money on security as long as that spending helps keep the money coming in.
This leads to the next two concepts that set the stage for security in 2019.
Removing Liability Caps in Security
Attacks have progressed to the point where a breached business is often used as a launching point to attack or bring down its customers and business partners. This is magnified by the highly interconnected digital world we now live in.
This means there is more liability and more risk: a business can be disrupted by an attack and then be used to disrupt its partners, all during a time when everyone is making more money.
To protect against this, most organizations in business-to-business arrangements have removed liability caps for cyber-security-related items, such as a breach, from their contracts with business partners, suppliers, and the like.
Considering most organizations aren’t in good shape from a security perspective, everyone involved bends the truth a bit, which is cause for security professionals to check on their moral compasses.
People often want to do the right thing but might not be able to because of their circumstances.
Salespeople often aren't truthful during the sales process about the true current state of cyber security at their organization when prospective clients ask.
Internal leaders often report flawed information to their boards, claiming to be better at security than they really are, because that is what boards expect to hear.
Most boards have increased their security spend over the last couple of years, but they don’t realize the underlying security programs won’t just be improved with more cash — we’ll touch on this later.
Furthermore, the organizations asking for these contractual protections usually aren't being truthful either: they want to use the business-to-business service or product to keep making money, and they accept it while knowing they are being lied to.
Finally, everyone is lying to the cyber security insurers. The insurers know this too, and they either put a ton of exclusions in their policies or charge insane premiums.
This leads to the final moral consideration in 2019: the diet pill mentality.
Remember that we mentioned boards are spending a ton on security. If that is the case, why aren't security safeguards improving in the typical organization?
The Diet Pill Mentality in Security
The “diet pill” strategy in human culture isn’t anything new, and organizations have continued to fall for it in the realm of cyber security.
This is something that all of us in the cyber security discipline must look in the mirror about in 2019.
Organizations want to fix their security problem. They most often try to do so in the hope that buying specific technologies or solutions will be enough to make them secure as quickly as possible.
This emphasis on technology, which feeds the diet pill mentality, has primarily been driven by banks and venture firms that pressure organizations to purchase specific technologies from their partners in order to get a security pass and secure funding.
Although some of these technologies work, they can be expensive, and they don’t always address the true problem within an organization’s security program.
Right now, what most programs need is more skilled cyber security resources to implement and perform their security program’s processes in a repeatable manner.
Trying to find a quick fix to security never worked in the past, and it isn’t going to work moving forward.
So, What Can Organizations Do?
Ultimately, it comes down to the basics: processes and resources.
Organizations need strong security processes and should take care in developing them properly. They also need the right resources to perform these processes regularly.
Technology can be used to automate key process steps where possible, but unless the processes have been established beforehand, the technology by itself won't provide any value. It is best to build the processes out first and ensure that you have the resources to carry them out.
All of this sets the stage for the coming information security trends in 2019.