Important trends and influences that are shaping management decisions and priorities for 2020.
1. Escalating Nation-state funding
Just a couple of years back, nation states engaging in, or funding, offensive cyber operations was something only a few nations were capable of.
Of course, many countries are strengthening their defensive capabilities, but many are at the same time developing offensive cyber strategies. The reason is often to complement their military capacity, but such capabilities can also be used as a powerful tool to create economic advantages in a global market. This is something that all CISOs, risk managers, CEOs, etc. need to consider when developing their cybersecurity plans for the future.
2. Outsourcing to ensure predictive capabilities
The threat landscape, compliance requirements and digital transformation are all adding pressure on an already burdened security organization. It is important for decision makers and managers in IT to keep a holistic perspective on cybersecurity; it should be a matter of ensuring the organization's capabilities.
Ensuring capabilities requires not only state-of-the-art solutions (tools); in fact, it is techniques, people and processes that make the difference.
If you are operating in a market (like the Nordics) where you have very limited access to talent willing to come and work for you, you are probably one of those looking at contracting a partner to provide these capabilities for you. The MSSP (Managed Security Service Provider) market has reached a level of maturity that makes it a fast track to all the capabilities you need. And when we are talking about operative capabilities, what you need is the ability to:
3. Aligning cyber risk with business risk
All areas of IT are involved in the yearly chase for their precious piece of the budget. Developments in the cybersecurity area require cybersecurity to get a larger share of that budget. But to be able to compete for budget, cybersecurity managers are starting to engage with the business and speak the same language as the business.
Even though cybersecurity efforts can rarely be credited with innovating and transforming the business itself, they absolutely provide business benefits by managing risk and enabling business transformation. This needs to be quantified.
I recommend you start by looking at the ISF (Information Security Forum) approach, which consists of four phases:
You can read more about ISF's 4-step approach to relevant KPIs and KRIs on the ISF website. Research organizations like the Information Security Forum have plenty of tools and methods that will help you fast-track your journey to quantifiable cybersecurity.
4. Networking to your advantage
Engaging in external networks is a great way to get access to knowledge and best-practice. You are rarely the only one experiencing your specific challenges, and usually people are very willing to share their experiences. External networks are also a key ingredient in building successful cybersecurity ecosystems. It’s not possible to fix all problems with a hammer, even if it is your favorite hammer. Sometimes, the best solution is to leverage someone else’s skills or resources. Let's help each other be more secure.
Internal networking is key in spreading security awareness, as well as getting to know the business. Your purpose is to support the business, and respond to its needs. Engaging with the organization will build relationships and improve your understanding of your business, and ultimately enable you to stay relevant. Cybersecurity is hotter than ever, and this is something that many are using to their advantage.
5. Sunshine or storm - What hides in the Cloud?
Show me an organization that is not in, or considering moving to, the cloud. For a CISO, this creates a whole range of new possibilities and challenges. Your job will be to find and offer ways to enable this transformation in a safe and secure fashion.
There are many ways to secure the cloud, as well as to deliver cloud-based security, and sometimes security might even be included in the services you buy. However, never assume anything, and to make sure you don't get lost in the house of mirrors of SaaS, IaaS, PaaS, etc., fall back on the foundational principles of cybersecurity: know what you are responsible for under the provider's shared-responsibility model, and apply the same controls (identity, access, logging, encryption) you would on-premises. There are different models to work with here, like the NIST Cybersecurity Framework and ISF's Standard of Good Practice for Information Security 2018.
Runner up - Practice makes perfect
As an organization's cybersecurity matures, it tends to shift its focus away from purely protective efforts and focus more on detecting, responding to, and preventing threats. And just as with fire evacuation and firefighting, solid training and regular practice drastically increase the probability of a positive outcome.
In the world of cyberdefense, most organizations have been performing penetration testing and running end-user security awareness programs for many years, so the maturity level there is rather high. However, when it comes to training the security professionals themselves, most organizations are only just beginning to create structures. Today, continuous red team/blue team exercises, incident response training and resilience testing are what characterize a very mature organization. As organizations improve their cybersecurity posture, this will be an important factor in getting the most out of their cybersecurity investments.
New year’s resolution
If I could leave you with just one piece of advice, it would be to make 2020 the year when you align your cybersecurity with your business, if you haven't already. This will make sure you are able to deliver maximum value to your organization and support its modernization.