What Does The Future Of Cyber Security Look Like?
I know, cringey right? Yet another blog purporting to be able to predict the future, as a thinly veiled sales pitch – I might say some empty cliches, like “the future is always changing” and “the only constant is change” if I’m feeling really desperate for authorship. But that’s not what I’m doing here, I’m simply going to offer my opinion, and showcase trends I’m starting to see across Softcat’s customer base, and where I think that information could lead us in the future.
Cyber’s been on quite the journey in the last 5 years or so, tickling legal with GDPR regulatory compliance, hitting the insurance market as a way to limit losses in a cyber incident, and everything pivoting in time with the geopolitical landscape from Brexit to Cyber Essentials. So whilst I can’t predict the future, the pace of change remains rapid in cyber, both in developments surrounding cyber security, as well as the market itself.
A fair few things haven’t changed though. Businesses still understand the importance of cyber, and still invest in cyber security to hopefully prevent, detect, and/or protect from a looming cyber attacker. It remains a challenging business area to properly measure, budget for and track investment in, and there is still a shortage of cyber security expertise, making for a very active recruitment market. Most importantly, unless you’re a cyber security company, cyber is not the why.
So how could this progress? How can businesses get smarter surrounding cyber and focus in on driving their business forward, confident that cyber is under control?
Well to keep you interested, I’ll tell you one area I don’t think it’ll come from – Cyber Insurance. I recently read a great article detailing the opinions of a chief of Zurich coining that cyber attacks will soon be ‘uninsurable’, and how insurers are changing policy wording and conditions to return the insurance risk back to the policy holder. This shouldn’t be a surprise to many, the nature of insurance is a game of probability and risk, and cyber security is a nightmare to properly quantify. Whilst I’m not saying organisations should reverse out of insurance policies they currently hold, I’d certainly be paying close attention to the situations where insurers will, and will not support my organisation, and whether the balance of both still warrants the investment.
I believe the role of CIOs and infrastructure operations functions will fundamentally shift in the coming years too – so much more of IT is becoming ‘as a service’ and service contracts are making up so much more of an organisation’s digital footprint. Whilst currently the balance of in-house expertise vs outsourced contract management is heavily weighted in favour of the former, we’ve already begun to see this dial shift, and I suspect we’ll see the majority move in coming years – the role of CIOs and contract managers will increase in seniority, with focus more deeply on SLAs, financial penalties for non-compliance and quality of service, both inside of cyber security and beyond.
The good news for businesses is that with the increase of ‘as a service’ consumption within your IT estate, your agility and ability to innovate increases – I’ve been fortunate to work with a number of successful start-up businesses, and a trend I’ve noticed is that they’ve adopted the mindset of ‘if I don’t have to, I won’t’ when it comes to cyber, and indeed IT operations. It is far easier to purchase a security monitoring service, and simply expect it of a service provider, than to find cyber expertise, acquire a solution, and manage alerts, correlations and renewals; and in the event of the service not performing, it is far easier to reverse out of a contract than to hire new roles and refresh technology.
Another fundamental shift I believe we’ll see is cyber security becoming a business enabler – businesses, consumers, and markets are becoming much more cyber aware and even, in some places, literate. Whilst previously it was reasonable for businesses to treat cyber security as out of scope, it provides value over your competitors if you offer a solution to someone’s problem that makes them more secure as well. This will no doubt take time to build, and more complex solutions will have more complex terms for provision, and whilst cyber is definitely not the why, it’s one big plus to help flesh out your offering.
Lastly, and one I really hope starts to progress soon, we’ll begin to see cyber security become more pragmatic in the media. Whilst an organisation being compromised still currently passes for sensationalist media, and I doubt that’ll ever fully go away, I’d like to hope in time that discerning readers value more depth and context before leaping to conclusions – the complexity of the attack, the particular threat actor, and the scope of what was compromised can make the difference between an embarrassing, very preventable breach, and an extremely bespoke, nearly impossible to detect, nation state attack.
Most importantly, (and perhaps I’m dreaming here!) I’d love to see the quality of response taken into account, from how the attack was detected, how quickly good information was available to the public and the quality of decisions made, and the return to business as usual with lessons learned.
I can’t predict the future, but I can notice trends, and hopefully this article has given you some food for thought around how close, or far from these trends you are. Here at Softcat we work strategically with our customers around cyber security, helping them understand where they currently are in terms of cyber, where the focus on cyber ends, and how quickly they can bridge the gap between those two postures.
If this article has piqued your interest, and you’d like to have a conversation about how we can support your organisation, please contact your account manager. If you’re new to Softcat, get in touch here.