Security 2019 Predictions (Part 8)
Quantum computing renders encryption worthless.
Join the DZone community and get the full member experience.Join For Free
Given the speed with which technology is changing, we thought it would be interestng to ask IT executives to share their preditions for 2019. Here's more of what they see for security in the year ahead:
In 2019, as ransomware attacks get bigger and more dangerous, it’s crucial that businesses don’t become overwhelmed by them but continue to do everything they can to prepare. In order to stay protected and competitive, organizations need to focus on remaining "always on" – weathering the disruption and getting back online within seconds. With this sort of reliable data availability, businesses can finally rest and let concerns about ransomware take a back seat to a more positive focus on digital transformation.
The rise of SDS. More data collection and processing was conducted through software-defined storage solutions than ever before in 2018, and this is only going to increase in 2019. The importance of and reliance on hardware-centric solutions will decline, and customers will continue the trend towards encryption-enabled software adoption as most SDS solutions are hardware agnostic and allow for ultimate flexibility and security.
Downtime and data loss continues. 2018 was a record year for downtime and data loss. In an effort to not exceed these numbers in 2019, IT operations will focus even more on deploying highly available systems with encryption throughout their organizations. This is critical at the edge, where there is less IT staff and typically no physical security present.
U.S. sets groundwork for similar initiative to GDPR. GDPR was implemented in Europe due to the overwhelming need to protect consumers’ identity and personal information. This is just as essential in the U.S., yet, in 2018, strides were not been made towards a similar policy. We see the tides changing in 2019 as more U.S. consumers push for this initiative.
Ransomware attackers will focus on targets that cannot afford disruption including healthcare, government, supply chain, and critical infrastructure. These organizations have clear economic justification for paying fines.
The cyber skills gap will get worse. Hiring and retaining cyber professionals is already a huge problem. Growth in demand for people and the high employment rates will only make the problem worse. Ultimately, AI and digital robots may come to the rescue, but in the short-term, AI is a driving demand for more people – the rarest of candidates being a data scientist that understands cybersecurity.
Before 2019 ends, a major breach will be in the news, and it’ll be caused by a vulnerability in unmanaged software in the endpoint. It continues to be a reality that most organizations focus on patching the noise-makers, the squeaky wheels (Microsoft, Adobe, and Java), but disregard other non-managed software in endpoints that still have vulnerabilities with active exploits in the wild. The lack of resources and visibility is a problem, and the time spent patching has to be limited to the perceived major applications, which, more often than not, are misaligned with what the real threats are for each organization. In 2019, we’ll likely find out an endpoint with rogue software is breached, affecting the whole organization.
Edge devices not permanently connected to the Internet will finally get attention. Software and device manufacturers working with customers running devices not Internet-connected will provide better, and more professional, options to keep those devices up to date, reducing the attack surface.
Security within DevOps will remain an afterthought for most businesses. The practices of Agile and DevOps are being adopted widely among mainstream businesses. Applications are being updated in production on a weekly and even daily basis where in the past it would happen only a few times annually. The most innovative companies have started to integrate security into their DevOps practices. However, the traditions of most IT security teams remain at odds with successful DevOps teams. As a result, we will have to wait before DevSecOps, i.e. security integrated into DevOps, is a common practice.
Enterprises will start exploring how to support customers by collecting and storing less data. Data breaches will not be an outliner, but a “it happens” type of thing. Instead of pouring endless dollars on preventing breaches, organizations will start to explore how to minimize the impact when a data breach occurs.
Public pressure will continue to rise, possibly giving the CSO a seat on the earnings call. Similar to how CFOs talk about the financial health of a company, the CSO may be asked to join the call to discuss the security health of the company.
Artificial Intelligence (AI) software won’t have a clear use case in IT security. Despite the promise of AI, we will have to wait a bit longer before there is a distinct use case in IT security where AI software is the clear winner. ML with human assistance has been augmenting a variety of processes in DevOps and IT security, but a self-learning, AI system has yet to take hold of any use case in IT security. Many experts believe self-learning AI software for security is on the horizon, but we aren’t likely to see it in 2019.
Quantum Computing – the underestimated tech that’s about to see explosive growth. In 2019, we’re going to see advancements in quantum computing in the cybersecurity industry.
Firms need to start preparing now, as this technology can, and will, destroy current security mechanisms, particularly encryption.
While quantum computers of today are not nearly as powerful as they will eventually become, they are already capable of rendering encryption security meaningless. Bad actors can build them, too. We could see a sharp increase in attacks leveraging quantum computing as early as later next year. If enterprises aren’t prepared, this could lead to breaches with the potential to damage numerous businesses and lives.
Businesses will need to start preparing for how they will leverage 5G to gain a competitive edge. Across almost every vertical, increasing network bandwidth, and speed while lowering latency, we can improve efficiencies at nearly every department level. But while businesses can be near certain about how they can effectively apply 5G to improve operations, predicting what security threats will come is going to present a significant challenge for IT. With IoT growth posing huge unknown risks to enterprises with the introduction of 5G, businesses will increasingly need to invest in both technology and employee training in order to prepare for the next generation threat landscape. What’s more, 5G will not only give rise to new threats, but it will also provide cyber criminals with new opportunities to carry out attacks that we have seen grow in popularity over the years with greater force and impact. With this in mind, even an organization that “does everything right” to combat threats posed by 5G could still be impacted just as easily as those that are less security savvy.
Increased use of AI by security vendors and corporations in predicting attacks. In addition to the current use of AI to detect anomalous behavior indicating a cyberattack, organizations will increasingly use AI advancements to predict cybersecurity issues based on their organizations’ past cybersecurity events plus contextual and environmental information. In 2019, AI solutions will truly ‘learn’ networks, including endpoints, cloud logs, and behavioral characteristics of users in the network to know what belongs to the network and what does not. To identify an anomaly, the AI software looks for attributes such as suspicious behavior, known or unknown patterns and the behavior of machines that act like humans.
An uptick in GDPR complaints and enforcement actions will provide insight into how regulators understand and interpret GDPR as applies to programmatic. Additionally, companies will scramble to interpret and come into compliance with CCPA (new California data protection law) before it comes into effect in January 2020. The law will serve as a de facto US privacy law for many companies in our space
Adtech is a subset of the larger technology sector that has a unique set of interests, and as regulation policy continues to take shape in the next year, this space will be disrupted. Our business and industry are disproportionately dependent on access to the open Internet and the data that is transmitted over it through digital devices from laptops to smartphones to smart TVs.
In the years to come, the adtech industry will need to work with policymakers to construct a privacy law that gives consumers greater control over their information, penalizes predatory, or harmful practices, and it ensures that consumers are involved in an informed, fair-value exchange for access to their data, time, and attention. Beyond that, the industry will work policymakers to ensure that the internet remains a tool for the small democratization of discourse and commerce. Lastly, the industry will make the digital dividends we are reaping more accessible and inclusive of more of America.
SaaS, IaaS, and PaaS markets will experience strong growth. Companies will begin to let go of their cybersecurity fears of storing data in the cloud, and will begin to trust their providers, who have invested lots of time and money in securing data of their customers.
Over the next 12 months, I'm hoping we're going to see a de-insularization of security within the business and a move to automated processes. As everyone comes to terms with the growing customer expectation of speed to market and requirement for near instantaneous innovation in services, expecting security to perform a “sign-off” and function before any product or service goes live has become completely unsustainable.
The “G” in GDPR Will Soon Stand for “Global:” Data privacy regulations are going to become more widespread. For example, California, Japan, and China are already working on their own regulations to adopt rules similar to the EU’s GDPR. Additionally, companies like Facebook, Google, and Twitter have all severely mishandled consumer data, showing the need for increased and widespread data privacy regulations -- even prompting Apple CEO Tim Cook to call for global privacy regulations. With consumers now viewing data privacy as a human right, increased data governance policies are sure to follow.
As privacy regulations spread, organizations will mistake data governance for data harassment: Based on what consumers do online, companies are able to determine, through their data, their demographics, interests and even what’s going on in their personal lives. This results in marketing so hyper-targeted, it could feel like harassment. While organizations struggle to comply with privacy regulations and create more well-rounded and informed views of each of their consumers, the lines between governance and harassment will blur, and there will be rocky roads as best practices are formed.
Social media is officially too big to fail: Social media companies have become the biggest publishing media brands and they finally came under scrutiny this year. However, there were no real repercussions for advertising fiascos and data privacy controversies despite Congress’s involvement, and the reality is that social media brands have become too big to fail. While there will still be fights to remedy it -- and there should be work done on this end -- 2019 will solidify how social media companies are now too big to fail (or become regulated).
Security teams will need to prove their worth with data. The security operations teams of today are focused on combating threats, but the team of the future is going to have to prove it with data. In the coming year, we’re going to see more CEOs and boards asking their CISO and security teams to demonstrate the value that they are providing. This means that it will be essential for the CISO to have a way to measure the success of the security team. Think about it like the HR or Finance department: reporting, dashboarding, data storage, aggregation and analysis, and the ability to answer executives’ questions on KPIs quickly are all requirements. In the past, this hasn’t been a practice for the cybersecurity side of business, but in the year ahead it will become more prevalent for security teams to be expected to have reporting at their fingertips.
Technology plays a key role in closing the cybersecurity skills gap. We see it now and will continue to see it in the coming year—security teams need to do more with the limited people they have. Threats are increasing, but the size of teams is often not. Even companies with budgets to hire still have open slots due to the limited supply of trained staff available worldwide. Technology that can perform certain processes without the need for human intervention will be critical to helping teams be more efficient, but it’s not a silver bullet solution. When data collection and analytics are a part of this process, the decision makers must have the intelligence needed to make informed decisions. In the coming year, CISOs will be looking to implement more solutions, particularly ones that can be automated and integrate seamlessly with other solutions, to help ease the pain felt by the growing cybersecurity skills gap.
Opinions expressed by DZone contributors are their own.