As our expectations of the internet to enrich our lives and enable our businesses grow, so too does our collective concern about the seemingly threat-infested waters.
Business and customer experiences are transforming at astounding speed. Ubiquitous mobility, the Internet of Things (IoT) and cloud-based services make it easier than ever to customize customer service, optimize supply chains, expedite citizen and patient services, scale products and develop new ones. This transformation also means that valuable personal information and intellectual property, not to mention critical infrastructure, are almost entirely accessible on and through the internet. But this meteoric expansion of internet reliance comes with a commensurate increase in the volume of cybercrime.
Digital isolation, once at the core of critical asset protection, is no longer viable technically or as a business strategy. As I travel the world meeting our customers on the topic of secure digital transformation, the conversations share a common thread. Organizations want to know which cybersecurity areas offer the maximum leverage of tomorrow’s Internet.
To that end, I want to expand on near-term trends that are brimming with opportunity to evolve organizational cybersecurity for mobile-first, cloud-first environments.
Privacy Regulations, a Chance for Innovation
On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect as the primary law governing the protection of the personal data of European Union (EU) citizens. Whether you’re located in one of the EU countries or providing goods and services to people living there, if your business collects stores and handles personal data it will be required to comply.
Adhering to the regulations requires a thorough review of the technology and processes in place to collect, use and protect this information. A lot of the discussion on GDPR may focus on its punitive aspects, such as potential fines for non-compliance, but GDPR’s aims also offer an opportunity to modernize information protection. So, while the regulation targets higher citizen confidence on matters of privacy, an additional likely outcome is more robust cybersecurity through centralized controls for data loss prevention, digital rights management and data retention – which will ease the burden of continued compliance as businesses add more users and data.
Public Cloud, the Security Platform of Choice
Security was once cited as a top inhibitor to public cloud-adoption, but this is no longer the case. From banks to government agencies, more and more critical workloads are ending up in the public cloud, and with good reason. Implementing security on premises has become complex and almost impossible to sustain given the number of security technologies required for a layered defense strategy. By contrast, public cloud providers have made enormous investments in technology and expertise to stand up reliable, secured platforms. Inherent in the model (though it differs in degrees by vendor) is a shared responsibility for maintaining information privacy and staving off threats, and this fact alone is likely to accelerate public cloud adoption as the cybersecurity skills shortage intensifies.
Boards Assume Central Role
Cybersecurity is rapidly becoming a standing agenda item in board meetings. Members are asking chief information security officers (CISOs) for better visibility into their organizations’ risk postures. They see cybersecurity as a risk to be managed and an opportunity for competitive advantage. They want dashboards and metrics to make informed decisions and showcase their company’s efforts to earn customer trust. Look for security products to add more visibility to organizational risk posture in the management interfaces of their products. The most advanced of these will offer actionable risk scoring with guidance on how to implement improvements and mitigations for managing security posture day to day.
Assumption of Compromise Puts a Spotlight on Detection and Response
The possibility that any organization’s network will be breached is a statistical certainty. Assuming bad actors will find their way into a network, or are already there, investment must be directed toward detecting installed malware and limiting hacker leverage of points of vulnerability. Organizations are beginning to redirect security budgets toward detection and response—hiring threat hunters or red teams when they experience an incident, even proactively. This trend will intensify as firms aim for cyber resilience for the long term. Incident response teams are now a core part of a security operations center, augmenting 24/7 network monitoring with the ability to quickly responds to threats. Given the severe skills shortage in cybersecurity, especially in small to medium-sized businesses, cyber resilience will be achieved through a managed service.
Artificial Intelligence in Security, on the Precipice
If marketing materials are to be believed, every security product incorporates machine learning and artificial intelligence in cybercrime detection is now mainstream. While this is not quite the reality, cybersecurity automation is poised for disruption. Firms would do well to prioritize security technologies that not only leverage machine learning and artificial intelligence but also rationalize how their algorithms and models are trained for accuracy. What makes artificial intelligence so promising in cybersecurity is that it harnesses the power of big data to establish baselines and identify patterns that are anomalous or consistent with an attack. Access to not only a lot of data, but also the right kinds will make all the difference in accurately predicting cybercrime. Only a few firms in the world can source and analyze that information at the scale required — look for those firms to take the lead among the crowded field of cybersecurity vendors.
Awareness Training Is Still ROI King
While security architectures and technologies are getting more sophisticated at detecting and even predicting attacks, most breaches are preventable through user training and good security hygiene. Phishing scams and weak passwords are still behind most successful breaches. Educating users on how to protect themselves and spot would-be hackers will go a long way toward reducing organizational risk. Investment here will undoubtedly grow. The key is to ensure that awareness and best practices are frequently part of a mandatory skills refresher for all employees, regardless of role.
The Cyber Skills Shortage Could Make Us More Secure
The cybersecurity skills shortage is a global challenge affecting every business regardless of size or industry. In 2015, the United States had more than 200,000 unfilled cybersecurity jobs, and that number will continue to rise. The skills dearth is spawning innovative talent sourcing strategies, which will make the cybersecurity workforce more diverse and, by extension, organizations more secure. Firms are now looking to build training and re-training programs to allow candidates from non-traditional backgrounds to enter the ranks of cyber defenders. By actively recruiting military veterans, high-school students, women and those without technology degrees, cybersecurity teams will have the benefit of varied backgrounds and thought, which ultimately lead to more creativity in problem solving.
About the Author
Ann Johnson leads enterprise and cybersecurity at Microsoft. Her organization empowers global enterprises to confidently move to the cloud by modernizing their architectures for maximum business agility and security. Ann is a recognized industry leader with a proven track record for building and leading high-performing global enterprise software go-to-market teams. Ann has a background in cybersecurity, infrastructure and storage and is a frequent speaker on topics of online banking fraud, information security, healthcare security, mobile security, workforce diversity, privacy and compliance. She currently serves on the board of the Security Advisor Alliance and is a board advisor to the biometric security firm HYPR.