Cybercrime caused no shortage of sleepless nights in 2018. And in 2019, freelance hackers and sophisticated nation-states alike will be more determined and capable than ever to put your organization in the crosshairs.
Yet despite projections by Cybersecurity Ventures of a $6 trillion cybercrime toll by 2021, too many business and technology leaders remain ill prepared for the technical, organizational, and cultural changes that cybersecurity demands.
To gain a clearer picture of the threat landscape of 2019 — and some of the key steps that leaders need to take — we spoke with some high-level experts in the field:
- John N. Stewart, Cisco’s Chief Security and Trust Officer
- Steve Durbin, CEO, Information Security Forum
- Robert M. Lee, founder and CEO, Dragos, Inc
Here are some top-of-mind security concerns for 2019, based on their collective insights:
Expand the Dialogue
Cybersecurity is a shared responsibility, within the enterprise and beyond, as John Stewart believes. “Governments and companies have to work better and closer together,” he said. “C-suite members and leaders from marketing to engineering to sales to finance to legal to operations all have to work together because cyber crosses them all.”
“I think we are still too entrenched,” Steve Durbin argued. “I think that perhaps there’s also an element of fear in that. ‘I’m not going to talk to the technical guy, because I’m going to get lost.’ The technical guy thinks, ‘Well, how am I going to get this [point] across to the board? I’d really rather not go there.’”
Don’t Get Speared
Click caution applies in any year, and companies need to ensure that every employee knows their role in preventing attacks. But expect more intrusions in 2019, especially through carefully targeted spear phishing and other social-engineering attacks.
“The piece that we’re going to see much more around the C-Suite,” said Durbin, “is spear phishing, particularly targeting the CEOs, the CFOs, financial controllers. You know, the people who’ve really got the keys to the kingdom within an organization.”
Organizational awareness, at every level, is essential, Rob Lee added. “It’s an aspect of defense in depth, where you should have security awareness training for all your folks, to try to make sure they’re not falling for these kinds of attacks.”
John Stewart sees data as the key to driving these more sophisticated attacks — as well as defending against them. “Data plays an incredibly critical role over this year, next year, and I suspect many more years to come,” he said. “How are you protecting your data? How are you using data to protect your own organization? And how is data being used against you — which is essentially the social-engineering attacks and how sophisticated they have become, and the privacy concerns we face.”
End Points and Open Doors
Complexity already reigns supreme. Expect it to only increase in 2019, with more mobile devices, more Internet of Things endpoints, and torrents of data to monitor, process, and protect.
And with complexity comes new opportunities for hackers.
“Smart devices present a challenge to data integrity,” said Durbin. “I’m not just talking about tablets and smartphones, I’m talking about IoT. The great unknown, effectively, from a security management standpoint.”
One particular vulnerability he stressed is the supply chain. “This is all about us needing to find a better way of dealing with security across the multiple levels of the supply chain. Because if you look at the number of breaches that have taken place just this last year, a lot of them have come about through third-parties.”
As more and more manufacturing assets gain IoT connectivity, Rob Lee argues, companies will need to shore up vulnerabilities. “Most of the risk of those companies is on the industrial or the manufacturing or the operations side of the house,” he said. “Although most of their security investments, tools, technology, process, people, training, et cetera, have been on the enterprise side of the house.”
Know Your Network
The antidote to complexity is visibility. Yet too many companies simply lack the insight into their networks to identify when threats have been planted, or even when they’re already doing damage.
“Prevention will fail eventually,” Rob Lee said. “You should still invest heavily in it. But it will always fail. The most important thing is detection. Can I detect it, and can I have multiple opportunities to detect it? But maybe, once the phishing e-mail gets in, and they have a series in my environment, can I look inside my networks to identify the emissary moving around in my environment?”
Investing in the vendor support and automated network technologies to detect threats and respond to them quickly, John Stewart added, isn’t just a technology conversation. It’s a board-level, business-risk discussion — and one that should be prioritized in 2019.
“If you speak with any executive leader,” he said, “and say, okay, we’re trying to protect this franchise, it’s a billion dollar business, and I’m telling you right now that I only see 50 percent of the systems on the network of this company right now. I have no idea what the other 50 percent are, so we have a one-out-of-two chance that something’s going to go wrong.
“That is information that any executive will want to be keenly aware of, and a conversation that needs to be had.”
Close the Talent Gap
Talent shortages in security will continue to be glaring in 2019. Along with gaps in technology and data skills, many security teams can’t speak the language of business, or frame security strategies in the context of business outcomes.
Expect more companies to rotate workers from different teams, to forge a common language bridging business and technology.
“I’m a very strong advocate for trying to bring people in from other parts of the business,” said Durbin. “Bring some marketing folks in, some HR people to get some of these different perspectives on how security can really enable the way that the business moves forward.”
Given the fierce competition for cutting-edge security skills — whether technical or business related — Stewart expects industry and academia alike to get proactive about developing new talent in 2019.
“The talent shortage is where demand outstrips supply,” he said. “And I would observe that in a variety of ways, in natural industry motions, we are seeing a response. There are more degree programs than ever for training. More certifications. More education. More scholarship money.”
At the same time, Rob Lee argued, companies must ensure that budgets and compensation reflect the critical importance of developing that talent. “You need to invest in the people,” he emphasized.
“We’re very quick, as a community, to add new technologies, but not to add staff, and not to really train that staff. It’s good to use new technologies, and you can find a lot of visions and technologies, but you have to remember, it’s also people and process.”
Strength in Diversity
The best cybercriminals are creative, out-of-the-box thinkers from all kinds of places, cultures and continents. To stay ahead of them, your security team can’t rely on tried-and-true formulas. That’s why diverse perspectives are so important on a security team.
“I get really nervous when you have essentially one sort of way of thinking,” warned Stewart. “That usually means you're going to get out-thought by the hacking community, which is very diverse — internationally, socially, culturally, and every other version of diversity.”
“Women in cyber security,” he continued, “African-American, Latino, all of these are underrepresented communities of talent that we should be just absolutely leaning into because we need more people, and more diverse thought and perspectives.”
Beyond Compliance
Regulations certainly serve a purpose, and can spur important steps toward cyber resilience. But they can also create a false sense of security, as Durbin pointed out. “You can be completely compliant with a regulation,” he said, “or a piece of legislation, and it doesn’t mean your security is where it needs to be.”
In 2019, he warned, the regulatory climate will only grow in complexity, especially for multinationals operating across borders. “If you’re operating across multiple jurisdictions,” he said, “you need to understand what the different landscape looks like in each of those different areas.”
Stewart added, “We’re intersecting a global situation where the governments around the globe have inserted themselves into changing how companies will operate with regards to cyber. There are also regulatory bodies that are issuing fines against companies. So it's instrumental to find out how we, as companies, have to be more diligent on cyber itself as well as cyber operations.”
From Emerging to Emerged
New technologies like artificial intelligence and quantum computing promise to transform cyber in the coming years. For 2019, expect AI’s more prosaic subset, machine learning, to have a continuing impact.
“Data is increasing, in terms of volume, at an exponential rate,” said Durbin. “It isn’t just the volume, it’s the velocity. And from a security standpoint, I firmly believe it’s going to present us with some challenges. Machine learning, and eventually AI, will help, because the machine is going be much quicker than the human, in terms of interpreting some of the things that are going on in that particular space.”
“Machine learning is being used on both sides,” added Stewart. “Attackers are starting to use it just as much as defenders are. So, it’ll have its own impact.”
Cisco’s Talos threat intelligence, for example, uses automated technologies to analyze 1.5 million malware instances per day. And it blocks 7.2 trillion attacks annually. Expect it to be even more effective in the coming year.
Don’t Accept the Status Quo
Stewart summed up his advice for 2019 with three key strategies:
- Integrate — “Build cybersecurity into the business practice of your organization, and don’t treat it like it’s an IT issue, or like it’s a security team’s issue. It’s actually foundational in the very fabric of the way you operate the company.”
- Prepare — “Run the drills like you’re going to get hit. It’s really just a matter of time or interest, and you don’t want to be trying to figure out how to handle it when you’re in the middle of a crisis.”
- Measure — “Put math to it. Are we making progress? Are we going recalcitrant? Are we doing better than we were the last time? You know, this is structured. You get what you measure, so measure it properly.”
Above all, he advised, think outside the box, be innovative, and challenge the status quo.
And if (or when) you get hit, rely on the preparations you (hopefully) made to recover fast, and reassure customers and partners.
And learn, don’t blame.
As Rob Lee said, culture starts at the top. That means the CEO must set a tone in which security strategy is flexible, creative, and pervasive, not punitive.
“Some CEOs are embracing the security aspect of the culture they have to set,” he concluded — but cautioned that “some aren’t, and that has a ripple effect throughout the company.”