Security Trends from 2019 and Into 2020
So, the whole bummer about this Internet thing is that things you post do not go away.
We’ve been making predictions about coming security trends, so we thought we’d take a look at where we were right and where we were wrong.
Below are the trends we saw developing in 2018 and used to guide our expected trends for 2019.
How Our 2019 Predictions Held Up
Pulling the Teeth from Information Security Regulations
MISS – We thought that with the current political climate, we’d watch regulatory requirements and laws lose their teeth and the fines they could impose. We thought this would mean organizations wouldn’t be audited as much in the areas of privacy and security.
A lot of regulations did lose the power to impose their fines, but organizations were still hit with fines, this time through regulatory agencies investigating companies after breaches occurred.
Specific breaches — Marriott and Facebook — also started very public debates about privacy. We hadn’t considered the scale of these penalties or the effect they would have.
Regulatory penalties throughout 2019 went through the roof on a global scale. The fines that were announced showed a shift towards punishing organizations that lacked an appropriate approach to individual privacy:
- Equifax: ~$700 million
- British Airways: $230 million
- Marriott: $124 million
- Facebook: $5 billion
Removing Liability Caps in Security
HIT: In many business-to-business contracts, we started to see liability caps for cyber security and privacy issues become unlimited.
We’ve seen this trend continue, and it has led to much more stringent third-party assessments, expanded board interest in whether to take on a customer at all, and increasing requests for, and requirements to carry, cyber insurance.
The Diet Pill Mentality in Security
HIT: It’s safe to say that any time you have something difficult such as cyber security or privacy, organizations want to take the easy way out.
In the world of cyber security, this mentality was exacerbated by the venture community, which pushed out all kinds of AI and automation technology that many organizations bought.
But did any of this technology actually get implemented? Not really.
Two out of three isn’t so bad, especially if it were a batting average in baseball.
Now let’s look at the trends we think we’ll see in 2020.
What Will We See In 2020?
As described in Part 1, there were three trends that evolved from 2018 into 2019. We’ll see how these trends play out as we move into 2020, along with some new ones.
- Continued regulatory fines associated with security and privacy
- Increased due diligence in security
- Fallout when the diet pill mentality doesn’t work
- Privacy marries cyber security in a shotgun wedding
- Repercussions from honesty in security in 2019
Continued Regulatory Fines Associated with Security and Privacy
The cat is out of the bag with this one.
Now that governments can successfully levy huge fines for organizational breaches and the associated information disclosures, you can assume that this trend will continue and keep growing.
At least in the United States, significant cyber and privacy laws are also launching at the state level, on top of existing federal laws.
Increased Due Diligence in Security
Now that the liability caps for cyber security have disappeared and organizations have seen breach fines increase, due diligence has become more important. From an organization’s boards to customers measuring security in prospective services and products, and even during mergers, everyone has security at the front of their minds.
Fallout When the Diet Pill Doesn’t Work
Many organizations spent a lot on automation technology for security in 2019, but very few of them have successfully implemented it.
Organizations are starting to find that proper remediation requires time. Real security programs that can adapt and make progress start with effective process design and implementation. We anticipate that there will be more implementation projects throughout 2020.
Privacy Marries Cyber Security in a Shotgun Wedding
This trend started with HIPAA, which has both a Privacy Rule and a Security Rule. The difference between then and now is that the fines HIPAA threatened seldom came to fruition.
This changed with GDPR and other privacy regulations that mix privacy and cyber security requirements. This has led to many situations where lawyers are trying to give cyber security guidance and cyber security professionals are trying to give legal advice.
Get ready for a lot of meetings that go back and forth forever.
Repercussions from Honesty in Security in 2019
As the conversation around security and privacy becomes more honest and candid, people are doing all kinds of wacky things that are hard to manage and predict, because that candor bruises egos.
In 2020, this honesty will continue, and so will the strange things that people do.
You can see early evidence of this in some of the positions that Mark Zuckerberg has presented, along with many things that people in the government have said about cyber security and privacy. Even pen testers have been arrested in Iowa just for carrying out work that was within their agreed scope.
With these in mind, let’s look at tips for how to navigate cyber security in 2020.
How to Navigate 2020
If the overarching theme for last year was to start being honest, this year we’ll see that honesty has either made people numb or bruised egos in the typical organization.
Many of the themes that emerge throughout a year are the kind you can’t miss. Throughout 2019, things like compliance-based security failing, or the lack of authenticity at the board level, were obvious in engagements across many security programs.
This year, with honesty and the emotion bubbling up around security, 2020 might be a bumpy ride in the industry. But those of us in cyber security can make a real difference in the overarching success of our world, both as a whole and in the industry.
So, here’s what we think you should focus on throughout 2020:
- Focus on foundation, people and processes in your security efforts
- Be open to “Staffing 2.0”
- Integrate privacy with your overall security strategy
- Test the backgrounds of your service providers
- Be aware of the fear generated throughout the industry
Focus on Your Security Foundation
Organizations are being forced to build real, effective security programs if they want to navigate the current cyber security landscape. The best way to do this is with a solid understanding of the current state of your security program and building an appropriate roadmap to an ideal security program state.
From there, reaching the future security program state is all about designing any processes that are missing and developing the right security architecture for the environment. Once the foundation is in place, it’s essential to find the right staff for your security program. This could be in-house, outsourced, or a combination of the two.
All of this establishes a foundation of security that’s primed to make progress and continuously improve over time.
Be Open to Staffing 2.0
The development of cyber security professionals is currently broken. Our legacy training methods take too long, are expensive, and do not make candidates job ready.
On the hiring side, our job descriptions are a joke, asking for everything under the sun for even the simplest cyber role, and we lose many viable candidates to education and on-the-job experience requirements.
The cyber security resource shortage is something that CISOSHARE is taking on, and we’re seeing a lot of success with these programs. We hope that in 2020, organizations are open to new ways of finding the right cyber security resources.
Integrate Privacy with Overall Security Strategy
As privacy and cyber security are coming closer and closer together, the best move would be to include both areas in your security program efforts.
Don’t engage lawyers to guide your company on cyber security, and don’t engage cyber security professionals to lead the way on privacy issues. Instead, establish project teams with both skill sets and expertise to work together to integrate both privacy and cyber security into the foundation of your overall program.
This team should understand the applicable requirements and what it would take to integrate these requirements into your framework. From there, it’s all about implementation.
Test the Backgrounds of your Service Providers
Cyber security might be an important topic in many companies today, but it’s still vast, confusing, and often highly subjective.
This means that many cyber security service providers are saying they can do just about anything, even if they really specialize in only a few areas. Think of IT specialists trying to provide vCISO services. Or security product companies trying to sell professional services.
Before you engage a provider, make sure you understand what your environment really needs, or work with a partner you trust to help you to define that need. Make sure that the vendors you work with have that need as a service in their core competencies.
Be Mindful of the Fear our Discipline is Creating
People are scared.
People are worried about potential violations of their personal privacy. Employees are scared that something they do will cause the next big breach. Boards are afraid that they’ll go out of business. Cyber security providers are afraid they could get arrested for doing their jobs.
Many of the actions that people take in cyber security now could have a lasting impact on the way people perceive the industry and their mindset.
Good luck in 2020… it should be a fun one!