[BreachExchange] Why 2018 could be the year cyber-security finally comes of age

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 12 13:59:17 EST 2018


Change is afoot in the cyber-security industry - from the shift in
reporting styles and measures of success, to the evolving role and
responsibilities of the CISO. Here's how this development could transpire
in the year ahead.

In recent years, the cyber-security industry has been going through
something of a renaissance, fuelled by the alarming rise in
headline-grabbing cyber-attacks on businesses that many (unwisely) thought
were impenetrable. These attacks have made it painfully clear that robust
cyber-security is a necessity. But exactly how and where information
security fits into the business has been a subject of debate for years.
Does it sit within IT or should it be independent? What should the key
performance indicators be? Who should the CISO report to? Should
organisations even bother hiring a CISO? These questions and many others
have played a key role in shaping the cyber-security evolution.

Some would argue that the industry often hasn't helped itself either; for
example, using 'shock and awe' reporting tactics, reminiscent of a
Hollywood film, instead of more level-headed and productive approaches to
explaining cyber-security risk and exposure. Thankfully, in the year ahead,
we can expect the cyber-security industry to evolve, mature and take a more
strategic, business-focused outlook. Here's just a handful of ways in which
this could transpire:

The CISO will be reborn (and rebranded)
The purpose of the CISO has been a topic of hot debate ever since the job
title was first invented. Some have viewed them as legitimate
organisational influencers and boardroom members, but others see them more
as sacrificial lambs in the event of a security breach. Either way, we have
certainly started to see fewer CISOs reporting into the CIO (as was the
traditional approach) and instead the role is being seen as more
independent and more strategic within the organisation. A key driver of
this is the fact that cyber-security is now on the boardroom agenda in its
own right, instead of being simply another “general IT issue to contend
with”. The CISO is also finally becoming the focal point of all security
messaging, as opposed to the CIO or CTO, which were previously relied on
for such communications.

'Shock and awe' security reporting will come to an end
For a long time, the security industry has been guilty of using shock and
awe tactics to try and hammer home the importance of network and data
protection. However, this dramatic style of reporting is now starting to
give way to a more level-headed, factual approach. Huge headline numbers
like spam counts are increasingly being replaced with more useful and
pertinent information such as proximal and distal levels of risk, and how
to remedy any gaps identified. This increasing focus on results-based
measures and the levels of effort required, particularly around detection
and response, will help to move the security conversation forward in a
constructive way, rather than using shock tactics to try and scare boards
into increasing security budgets.

Boards will add new seats to the table
As the role of security grows increasingly important at C-level, expect to
see a growing number of boards invest more heavily in recruiting the
services of technical experts and consultants, both as voting members and
advisors to lead board subcommittees. The subject of security risk will
also become an increasingly hot potato during all potential acquisition and
divestiture discussions, with poor security practices likely to cost
organisations dearly. As part of this, security teams will also come under
greater scrutiny than in the past, with any investments made coming with
significant pressure to produce tangible results.

Incident response will overtake and drive traditional disaster recovery
A robust Disaster Recovery (DR) strategy has long been seen as the
cornerstone of good security practice. Some larger organisations even have
entire departments dedicated to effective DR. However, a recent shift has
seen many DR activities start to become subsumed under a larger process
known as Cyber Incident Response (CIR). As cyber-attacks become more
sophisticated and more frequent, CIR provides a more comprehensive
overview of potential risk, impact and loss in the event of an attack.
While effective DR remains critical to recovery, the
completeness of visibility, applied value of analytics and
speed/repeatability of response will be the new measures of security

Security programmes will increasingly be used to drive sales
With the importance of robust data protection being felt by nearly every
organisation around the world, robust internal security programmes are
starting to emerge from the corporate shadows to become sales tools in
their own right. Not only can effective communication about strong
security policy help to attract new clients and customers, it also becomes
a key weapon in retaining existing ones. Wise security leaders are
realising the importance of correctly marketing security to prospects and
are starting to use specialist communications staff to support the sales
team in this matter. Furthermore, the use of third-party risk evaluations
will continue to rise as CISOs look to give greater validity to existing
security practices and leverage them effectively through sales.

Growing acknowledgement of the importance of robust cyber-security at all
levels of business is good news for everyone. Security is now firmly on the
boardroom agenda and the security industry has been forced to take a good
look in the mirror as it strives to become a more integral part of business
operations. The shift towards industry maturity is already underway and
will continue to manifest itself in 2018 and no doubt beyond. The world of
cyber-security is full of surprises, so who knows what other factors may
dramatically re-shape the landscape over the coming days, weeks and months!