A version of this post originally appeared on the CMSWire blog.
Probably no field in information technology has been hotter than information security. The increased attention to InfoSec has been driven mainly by high-profile breaches at Target, Home Depot, Anthem, the Department of Defense, the National Security Agency, Equifax and others.
Add to that the weaponization of cyber attacks by nation states (think Stuxnet or Russia’s attacks on Estonia and elsewhere), and it’s no surprise that InfoSec is the priority for governments as well as public and private sector organizations of all sizes and in all industries.
With that in mind, I wanted to turn to four InfoSec trends I see as key for understanding the industry in 2018. These are not emerging trends by any means. All of them have been important features of the InfoSec landscape for the past 18 to 24 months, if not longer.
But in 2018, these four trends—greater prioritization, more budget dollars for InfoSec, more demand for trained InfoSec skills, and the need to better manage data that’s behind the firewall—will continue to drive the marketplace and increase in importance.
InfoSec has been important since the advent of digital business. In the latest Gartner CIO survey, security ranks as the second highest priority for CIOs. (Artificial Intelligence ranked first; the Internet of Things, third.) Compare this to the reported priorities for 2017 (digital ecosystems, interoperability and bimodal IT) and to the priorities for 2016, where security ranked seventh.
Given the rising importance of InfoSec (over 3,000 CIOs responded to the survey), we can expect to see InfoSec’s cachet in the organization increase, with a corresponding rise in capabilities and maturity heading into 2019.
Given the rising priority of InfoSec, it follows that Gartner predicts InfoSec spending will hit $93 billion globally in 2018, up 7 percent from 2017. This is big money … and good news for folks in the security industry.
Budget is not the problem for organizations looking to tackle InfoSec. The problem is figuring out how best to address threats and risk as well as finding the staff to perform the work.
That brings us to the next key InfoSec trend for 2018: the skills gap. In 2017 we saw double-digit growth in positions year over year, 200,000 open positions and zero unemployment. Combined with the rapid growth in InfoSec spending, this creates a significant problem for the majority of organizations: where will they find the bodies to help execute on the dollars they have to spend?
Unfortunately, the jobs InfoSec requires demand specialized skills and extensive training. And even though the robust and lucrative job market will eventually attract a flood of entrants, it will take time for supply to catch up to demand. In the meantime, organizations will find themselves in stiff competition for the candidates available to help them spend the increased InfoSec dollars they have (and open to extreme risk until they do).
Attend any InfoSec conference in the last few years, from national shows like RSA or the ISACs to regional shows, and you’ll hear a universal truism: when it comes to a breach it isn’t a matter of if, it’s when. Today, given the large, heavily funded organizations that have been breached, breaches are no longer anomalies … they’ve become the cost of doing business.
So given the fact that no amount of prevention can stop internal or external bad actors, organizations are facing the reality that they have to address the state of the information behind their firewall to meaningfully reduce the impact of the eventual breach. Most firms have terabytes of sensitive data that don’t need to be kept for legal or operational reasons and that could be deleted immediately.
However, the organizational hurdles to do so are significant and have prevented data cleanup for a decade or more. The foremost among these is the inability to align policies, procedures, stakeholder expectations and technology capabilities to just get off the dime and push the delete button.
And while the difficulty of doing this is as great as it has always been, the combination of CIO priorities, funding and the heightened risk of a breach will make addressing information risk a key priority not only for 2018, but for the foreseeable future.
Predictions are notoriously suspect, and as a talking head for the last 15 years, I know the game of making predictions that no one will ever fact check and that don’t come true. Given the rising importance of InfoSec to organizations these days and the increasing risks of breaches, I think that these four trends will be key in shaping how firms address InfoSec risk and how they evolve into 2019 and beyond.