Search for skills, the gap between C-suite and IT security, and flaws in critical infrastructure top 2019 CISO predictions

By Infosecurity Group

It’s that time of the year when we dust off our crystal ball and look at the year ahead. Given the pace at which technology is changing and the challenge for infosecurity to keep up, we’ve challenged our community of senior security professionals to predict the trends and challenges that will shape the industry in 2019. You can read these further below.

According to Gartner[1], the information security market is forecast to grow by 8.7 per cent to $124 billion in 2019. But it’s clear that many of the same challenges we saw this year are likely to keep security professionals awake at night, with cloud, identity and access management, and insider threats still seen among the top concerns for the year ahead.

But it’s not just about the technology. The growing skills gap in the market and urgent need for talented individuals is high on CISOs’ agendas. In its report in July, the Parliamentary Joint Committee on the National Security Strategy said that the gap between the demand and supply of suitably skilled cyber security workers in critical infrastructure sectors was a “cause for alarm”. The report concluded that the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK in relation to cyber security.

The changing role of the CISO is also top of mind and 2019 is predicted to be the year when cyber resilience finally takes its rightful place at board level. But, according to our community, more still needs to be done to bridge the gap between the C-suite and the IT security function.

We cannot leave 2018 without mentioning GDPR! The fallout from the new regulation will be very interesting as regulators seek to enforce compliance and the industry waits to see what happens.

Top 2019 cybersecurity trends:

1.) One of the most targeted sectors when it comes to cybersecurity threats, the financial services industry saw an 80% increase in attacks in 2017, according to reports by the Financial Conduct Authority (FCA). But while the industry is one of the more resilient sectors, George Luchita, Head of Cyber Security and IT Infrastructure, FM Capital Partners Ltd, voices his concerns over the growing information security skills gap and the impact post-GDPR:

“My personal view is that 2019 will be a dynamic year, just like 2018. We are going to see the effects of GDPR, as regulators will start enforcing it. Information security will penetrate deeper into boardrooms, with CISO roles created to effectively manage cybersecurity risks and gain market and reputational advantages. Cyber resilience will be present on boardroom agendas. The information security skills gap will increase, driven by an increase in demand and a lack of specialists. Companies will find it difficult to recruit and retain experienced and talented people. As a response to the absence of sufficient infosec skills, we will see a rise in the number of small cybersecurity firms looking to fill the void. Regarding IoT, in 2019 we’ll see an increase in the number of internet-connected devices, and we’ll face more issues regarding their security. There are predictions of massive attacks using IoT devices, but I doubt it will happen next year. IoT has not yet reached a critical mass or wide adoption to enable such attacks.”

2.) Justin Campbell, Director, Technology Consulting Services at Willis Towers Watson highlights the importance of security by design and the role of DevSecOps in IT operations security to ensure faster and more secure software delivery:

“DevSecOps, security by design – built-in security. The time to market and the risk of finding major structural vulnerabilities at the late stages of product development or architectural deployment are too high. Rather than novel exploits for 2019, I see the biggest challenge as providing security value at the point of development or system design. Many security professionals come from an audit and compliance perspective. There will always be a place for these professionals in certification and reviews. However, when we find the faults at the end of the process, whether through checklists or pen tests, it is often too late. At this late stage, a product is often missing its deadline to go to market or a business case requires a quick go-live. This puts a business owner into an impossible predicament. He or she needs to accept the risk or lose their business position. This makes it too tempting to accept an inappropriate level of risk or rationalise away the situation with shaky mitigations.”

3.) While 2018 saw no repeat of 2017’s WannaCry attack that affected hospitals across the UK, Nigel Stanley, Chief Technology Officer – Global OT and Industrial Cyber Security CoE at TÜV Rheinland Group, believes critical infrastructure will again be under the spotlight in 2019.

“I believe that in 2019 further significant cybersecurity flaws will be uncovered in key critical infrastructure resulting in manufacturers and operators trying to update ancient control systems with mixed results. I hope I am wrong, but I also believe that in 2019 we will see a safety critical incident that arises from a cyber attack on an industrial control system resulting in physical harm and damage. It is likely to be a sophisticated attack arising from a hybrid, geopolitical conflict. This will lead to further demands in 2019 for industrial cybersecurity and safety regulations to be tightened up and penalties for non-compliance increased. These future legal requirements will insist that industrial operators and systems’ manufacturers address cybersecurity risk to the same degree they do with safety risks.”

4.) Nick Carus, Business Development Director at LINQIT and Interim COO and Business Development Director at Caveris, predicts that executives will finally start to talk and collaborate with the IT security function to help close the threat gap:

“Good news: GRC is leading from the front. I predict that the focus on ‘Bridging the Gap’ between the C-suite and the IT/technology organisations, and getting the executives more interactively communicating and collaborating with IT security and all infosecurity disciplines, simply has to happen over the short term. It’s the only way that organisations are going to be able to make effective strides in closing the ‘Threat Gap’.”
