To no one’s surprise, cybersecurity continued to be a key area of concern and struggle among organizations of all sizes in 2015. However, buried amongst the constant news cycle of new attacks and sophisticated breaches is the fact that more business leaders are understanding the importance of cybersecurity and its potential impact on the organization. Whether it’s a small operation within a niche industry or a major global corporation, everyone is at risk. As we prepare to ring in 2016, we have taken time to reflect on lessons learned in the past year and how these trends and major news stories in cybersecurity will affect the year ahead.
Here are five things we’ll be watching for in 2016:
1. Cybersecurity will go mainstream. Organizations are struggling to make sense of the excess of new monitoring, endpoint, and threat technologies, while trying to secure buy-in and funding for new initiatives. We’ve just about hit the tipping point, and in 2016 expect to see simplification of the technologies and terminology used to define cybersecurity. In the mid-1990s, the security community wrestled with firewalls and network traffic, with the complexity of devices and features swamping the ability of users to buy and choose. Firms like Checkpoint, Watchguard, and Sonicwall simplified the discussion to one of “feeds and speeds,” and saw rapid mainstream adoption as a result. Likewise, less-dense terminology and more approachable, user-friendly security software will encourage new investment from non-security IT staff, and will shift the perception of value in the market.
2. Hacktivist and terrorist cyber attackers will grow in impact and visibility. The asymmetry and anonymity of cyber attacks will cause a rapid increase in protest- and politically oriented attacks in 2016. Ongoing conflict in the Middle East, Eastern Europe, and political tension worldwide over immigration, global warming, and socioeconomic inequality will create opportunities and targets for message-driven attacks against both the online presence and infrastructure of organizations and governments. Expect to see a groundswell of inconvenient and embarrassing disclosures, with some concentrated attempts to shut down systems or communication channels.
3. Privacy will dominate election-year cybersecurity discussions. Both sides of the political aisle will continue to debate their positions with respect to the privacy and data-gathering capacity of public and private organizations, but none will advocate for the substantial changes needed to materially improve the security and stability of threatened U.S. infrastructure.
In spite of increasing signs of vulnerability such as the OPM breach, classified information theft, and evidence of nation-state and organized criminal activity, there will continue to be little discussion about the actual protection of critical systems, data, and services by U.S. candidates.
In 2016, the focus will remain on the emotional but amorphous issue of personal data privacy, and this emphasis will obscure the difficult discussions of investment and change needed to create an environment capable of ensuring privacy. Look for continuing finger-pointing in the wake of new attacks and breaches, but little in the way of proactive initiatives to address well-known and long-lived weaknesses in federal information technology systems.
4. A rise in civil liability settlements will drive industries to define reasonable cybersecurity requirements. Prior to 2014, virtually every class action suit filed against companies who lost customer or employee private information was thrown out, citing a lack of provable, proximate damages to the victims. This year we saw more settlements, at large companies (Sony, Target) and smaller organizations (AvMed, New York and Presbyterian Hospital, R.T. Jones). Similarly, suits are moving forward between insurance companies and those insured for cyber protection over what should be covered and whether the policies are being breached. The participation of insurers, large institutions, and the improved understanding of the severity of these breaches will combine to rapidly increase the number of cases brought to court. 2016 will be the year that financial liability will motivate industries to tackle establishing required – not recommended – best practices.
5. Security training and certification will become more widely available. With projected cybersecurity headcount deficits numbering in the millions, expect a new rush of providers offering to generate security-capable analysts and implementers at reasonable costs. There will be a continuing refinement of coursework from existing specialized vendors like SANS and CyberAces, increasing college-level courses offered by both online and on-campus providers, and the likely creation of some new certifications that decrease the depth of skill necessary to achieve existing high bars for security practitioners.
Organizations will continue to supplement their existing IT staff with security-trained personnel, but will look to do so at a much lower cost than that required by today’s CISSPs (Certified Information Systems Security Professionals) and established security analysts.
From its presence in the board room to political campaigns, cybersecurity will continue to dominate tech news and trends in 2016. Organization leaders and the IT teams they oversee should continue to dedicate time to better understanding cybersecurity risks and solutions in the year ahead.