In 2015, buried beneath the seemingly constant news about major data breaches (see Ashley Madison, the U.S. Office of Personnel Management, Anthem, etc.) was the fact that business leaders are getting a better handle on the significance of cybersecurity. While cybersecurity remains a pain point for most organisations, the C-suite and general IT pros are gradually becoming more security-savvy, and that should be viewed as a positive. A lot of work is yet to be done in the world of cybersecurity — reflecting on what we’ve learned this past year, here are five things we expect to see in 2016:
1) Election-year debates will be inundated with talk about privacy
Regardless of party affiliations, candidates will continue to share their positions about privacy and the data-gathering of public and private organisations. The unfortunate reality is that none will likely advocate for the considerable changes needed to substantially upgrade the security and stability of threatened US infrastructure.
Regardless of the increasing vulnerabilities (think: OPM breach), classified information theft, and evidence of nation-state and organised criminal activity, there won’t be enough of a focus on the actual protection of critical systems, data and services by US candidates.
In the year ahead, personal data privacy will remain the top focus, and the weight given to this issue will muddle the difficult discussions of investment and change needed to create an environment that can ensure privacy. Expect more finger-pointing in the wake of new attacks and breaches, but little proactive plans to address familiar and long-standing weaknesses in federal information technology systems.
2) Cybersecurity goes mainstream
Overwhelmed by a sea of new monitoring, endpoint and threat solutions, organisations are still struggling to make sense of the technologies while trying to secure executive buy-in and funding for new initiatives. In 2016, we expect to hit a tipping point and ultimately see the technologies and jargon used to define security become simplified. Less-dense terminology and more accessible, user-friendly security software will encourage new investment from non-security IT staff, and will shift the perception of value in the market.
3) Terrorist sponsored cyber attackers will increase impact and visibility
The irregularity and secrecy of cyber-attacks will cause an increase in political and protest-oriented attacks next year. Worldwide political tension over immigration, global warming and socioeconomic inequality, and ongoing conflict in the Middle East and Eastern Europe will create opportunities and targets for message-driven attacks against both the online presence and infrastructure of organisations and governments. Expect to see a groundswell of inconvenient and embarrassing disclosures, with some concentrated attempts to shut down systems or communication channels.
4) Training and certification programs will be more widely available
With projected cybersecurity headcount deficits hitting the millions, assume an influx of providers offering to educate security-capable analysts and implementers at reasonable costs. Coursework from existing specialized vendors like SANS and CyberAces will be refined, while online and on-campus institutions will provide college-level courses, and potentially the development of new certifications that decrease the depth of skill necessary to achieve existing high bars for security practitioners.
Organisations will continue enhancing their IT staff with security-trained personnel, but will aim to do so at a lower cost than that required by today’s CISSP’s and established security analysts.
5) A rise in civil liability settlements will force industries to classify practical cybersecurity requirements
Prior to 2014, almost every class action suit filed against companies who lost customer or employee private information was dismissed, citing a lack of provable, proximate damages to the victims. In 2015, we saw more settlements from large companies (Sony, Target) and smaller organisations (AvMed, New York and Presbyterian Hospital, R.T. Jones). Suits are also moving forward between insurance companies and those insured for cyber protection over what should be covered and whether policies are being breached.
The participation of insurers, large institutions and the improved understanding of the gravity of these breaches will combine to quickly increase the number of cases brought to court. Financial liability will encourage industries to establish required – not recommended – best practices.
Anticipate cybersecurity dominating tech news and trends throughout 2016. As the C-suite and IT teams continue learning more, they will need to commit time (and dollars) to better understand cybersecurity risks and identify new solutions in the year ahead.
Jack Danahy, co-founder and CTO of Barkly