Just when we thought we’d escaped 2018 without an attack on the scale of WannaCry, NotPetya or Equifax, we were struck by Marriott’s November news of a breach affecting 500 million guests and once again reminded that complacency is the enemy of cybersecurity. We were also reminded that predicting what will happen in the world of cybersecurity is a daunting task, especially amidst an increasingly complex and unpredictable political, economic, and societal landscape.
But that’s never stopped us from bringing our readers the most salient, forward-thinking predictions for the year ahead from some of the cybersecurity industry’s wisest minds!
This year we had more help; we added nine new members to our Advisory Board, each with a unique and varied background, and thus this year’s predictions took on a different tone.
Self-reflection, both within their own organizations and the larger infosec industry, shone through among all Advisory Board members as they balanced cautious optimism with the stark reality that we’ve got a long way to go.
Despite another year of forecasted increased infosec spending (up 8.7% to $124 billion in 2019, according to Gartner) and millions of investment dollars poured into security startups in 2018, most board members agreed with one thing: we can all do better.
Without further ado, we bring you part one of the two-part 2019 predictions from the new, expanded RSA Conference Advisory Board.
GDPR in 2019: A Year of Enforcement
“If 2018 was the year of GDPR implementation, 2019 will focus heavily on GDPR’s implications and its enforcement,” says Hugh Thompson (Program Committee Chair, RSA Conference and CTO, Symantec). “We haven’t yet seen big prosecutions by the data protection authorities, but I think we are going to see those in 2019. GDPR has emboldened many other nations to ask, ‘how and what should we regulate?'”
New AdBoard member J. Trevor Hughes (President and CEO, IAPP) also sees strong GDPR enforcement on the horizon. “There was a lag from the GDPR compliance deadline to enforcement, but we must expect more privacy enforcement on a global basis in 2019. Brexit has been a mess and there are many unanswered questions around what it means for the U.K.’s data protection post Brexit. Watch Europe, watch the FTC – with the number of privacy issues in the media, we’re entering the enforcement era of GDPR, in Europe and elsewhere.”
In Australia, home to Narelle Devine (Chief Information Security Officer at the Australian Government Department of Human Services), new Mandatory Data Breach Notification laws came into effect at the start of 2018. The Australian laws are provisioned for a 30-day notification period rather than the 72-hour reporting requirements of GDPR, which she notes “is quite early, when you really may not yet know the full nature of the breach.” While the legislation and corresponding vigilance around personally identifiable information has increased in the last year, much of the criminal activity would have occurred before this uplift, she says. 2019 will see identity theft continue to rise before the mitigations of 2018 become effective.
Diversity & Inclusion: Tip of the Iceberg
This was far and away the topic the Advisory Board members were most vocal and passionate about. According to a research report by The American Association of University Women (AAUW), women hold about 26 percent of tech jobs. In cybersecurity that drops to 11 percent. It’s been a pervasive problem in the industry and, as some Board members argued, must be addressed now. 2019 will see significant progress to foment parity, however, all acknowledge we’re at the tip of the iceberg.
“There will be a greater emphasis on diversifying workforces in 2019. We see our clients increasingly recognizing the value of diverse teams and taking more actions to hire and retain qualified underrepresented professionals at all levels.” says Joyce Brocaglia (CEO, Alta Associates & Founder of the Executive Women’s Forum on Information Security, Risk Management & Privacy). “We also see the role of the CISO continuing to be elevated in the coming year, requiring a diverse perspective and new set of executive level skills.”
Laura Koetzle (VP and Group Director at Forrester) agrees. “Better hiring and retention methods will raise the number of women CISOs to 20 percent,” she predicts. “As their exclusive pool continues to shrink, hiring managers hide behind the excuse of a talent shortage instead of broadening their search to green talent or applicants with other relevant skill sets. We’re slowly seeing companies recognize the necessity of recruiting from nontraditional cybersecurity backgrounds. In 2017, only 13 percent of the Fortune 500 had women CISOs. In 2019, we expect to see that number grow to 20 percent as companies search for new security perspectives.”
This talent gap has not gone unnoticed by Kim Jones (Professor of Practice, Arizona State University). We need to think long term, not short term,” he says. “The profession has done a good job of stimulating the entry level cybersecurity pipeline with innovative solutions, but many of these solutions are purely technology-focused instead of holistically focused on cybersecurity skills. This has left many, CISOs asking, ‘are these individuals prepared I to take the next step in their career?’ I think we’re going to start seeing the impact of this dilemma in 2019 as many young cyber professionals find themselves having to go back into academia (or other training venues) for additional skills or leaving the corporate sector to become individual consultants because they can’t take their career to the next level.”
What about recruiting these future diverse leaders? “Companies are focusing on their diversity numbers, but not on creating cultures within their organizations that will enable them to support the underrepresented workforce they attract,” says Dena Haritos Tsamitis (Director, Carnegie Mellon University’s College of Engineering’s Information Networking Institute). “If you don’t have a culture of inclusion embedded in your practices, behaviors, leadership, messaging, and marketing, your company won’t be welcoming. It goes beyond the diversity statistics, organizations need to focus more on creating an inclusive and equitable environment. Diverse candidates are in high demand and they will not tolerate workplace cultures that are unwelcoming and unsupportive.
Todd Inskeep (Director, Booz Allen Hamilton) adds that “we have so much diversity in the industry that we didn’t even know about. Many women have been in this space for a long time and remained invisible. In 2019 we’ll turn a corner in bringing more visibility into the diversity that we had and the value of diversity on teams.”
Sandra Toms (Vice President and Curator of RSA Conference) challenged the security industry to acknowledge a broader definition of diversity in 2019. “My hope is that diversity expands beyond gender to invisible diverse aspects like beliefs, religion, life experiences, sexual orientation, and education. All those things that make a person whole. My prediction is that we’ll broaden the scope of diversity to include more individuals; a lot of language we use in cybersecurity is militaristic, we should look at that and find ways to revise our language to help more people become comfortable. I’ve been talking to a lot of companies that have made big strides when it comes to diversity, and we’ve still got a long way to go.”
Risk Management: One Step Forward
Years of major headline-grabbing cyber breaches have begun to open the eyes of companies traditionally reticent to invest heavily in security, say some members. “Boards are paying more attention to the operational impacts of WannaCry and NotPetya, and are trying to figure out how to factor cyber in, but there’s not a consensus yet,” says Inskeep. “It’s getting better, but we’ve got a couple years until we have a consensus on how boards talk about and measure the impact of cyberattacks.”
Wade Baker (Independent InfoSec consultant and Co-Founder of the Cyentia Institute) agrees: “In the next year we’ll see a continuation of the balance of power between classic technical security professionals and more business-oriented board and non-security executives who will take more of a stake in cyber decisions.”
These massive breaches will also impact cyber insurance rates in 2019,” says Dmitri Alperovitch (Co-Founder and CTO of CrowdStrike Inc.). “We are coming to the end of an era of low cyber insurance rates. I think they will go up next year due to huge payouts from breaches like NotPetya and WannaCry. Insurance companies are getting a rude awakening to the risks of cyber. Many insurance policies were written years ago and did not take into account that liability from breaches can easily be up in the hundreds of millions of dollars, as we’ve seen with NotPetya attacks.”
(This post 2019 and Beyond: The (Expanded) RSAC Advisory Board Weighs in on What’s Next originally appeared on the RSA Conference website.)