2017 has been quite a year for cybersecurity twists and turns overall. As every year, the number of incidents multiplied, regulations were reinforced and technologies evolved considerably. In this surge of news, what’ll be the key trends in 2018?
Find out more about cybersecurity trends with Wavestone’s CISO radar.
C for Cyber-resilience
WannaCry and NotPetya have demonstrated malware’s ability to destroy whole sections of information systems in a few hours, with hundreds of millions of dollars of damage for the companies caught out. Until then, this destructive threat was usually considered theoretical. 2018’s going to have to be the year for large companies to define their cyber-resilience strategies. Two main types of action are expected. The first aims to limit the occurrence of this type of attack with, for the most advanced, a focus on securing suppliers. It’s important to note that NotPetya was initially spread by duping a third-party software provider (MeDoc), which became a Trojan horse that easily entered the information system. This is an attack technique to be considered today when assessing the threat. The second type of action aims at managing a cyber-crisis, and particularly at preparing to rebuild the information system at speed after a successful attack.
C for Compliance
This cannot have eluded anyone working in the field: 25th May, 2018 will be D-day for compliance with EU personal data regulations. Are we going to see a surge of investigations or the first data leakage notifications straight away? Might we have to wait a few months? Either way, 2018 will be strongly marked by compliance projects. Beyond GDPR and sector-specific texts such as PSD2, it’s the arrival of the NIS directive, its transposition into each country’s law and the upcoming identification of the companies concerned that will take the regulatory focus. This subject, essentially European but transposed nationally, may also have significant impacts on the location of certain digital services. In fact, since the security rules and requirements could vary between European countries, it’ll be necessary to watch out in case “cybersecurity dumping” starts to appear.
C for Cognitive
Artificial intelligence has certainly been the buzzword of 2017. But in the field, machine learning technologies have already proven themselves and brought tangible results. This is especially true for combatting fraud via digital channels. Given the volumes and responsiveness requirements, these technologies provide solutions where conventional methods have reached their limit. Authentication management is another domain that could benefit from these advances, with the implementation of a system that’s biometric and/or that dynamically adapts the level of requirements according to the user’s actions. These technologies are not yet fully mature on cybersecurity surveillance topics, but 2018 should see some major advances in this area. And without waiting for end-to-end automated solutions to arrive straight off, carrying out some early tests on artificial intelligence’s contribution to incident management and resolution could help open up the subject.
C for C-Level
2017 has marked a real change of dimension in the relationship between cybersecurity and the C‑suite. In almost 25% of French CAC 40 firms, massive security programmes are in place with investments above €50m. These programmes are followed directly by top management. It’s a real change of posture for information security, which will have to show that the actions carried out with these budgets in 2018 have been effective. And the task isn’t simple in a security context where talented staff are hard to come by and then to retain, but also where one flaw replaces another and strategy can be challenged by a major incident. Plenty of educational work and a demonstration of risk control will be expected. For those who have not yet crossed the C-suite threshold, the current context has never been so conducive to highlighting this subject. Certainly incidents, with more and more media attention and ever greater financial impacts, can help. But it is mainly benchmarking investments made by other large groups that can be a catalyst. 2018 will be an opportunity for many to obtain the funding needed to set up a serious programme to transform cybersecurity.
C for Confidence
Trust in digital has become a key asset for many brands. This trust is increasingly expected by customers who are growing more sensitive to such issues. This confidence is built through transparency and the ability to manage one’s own data. New solutions are appearing, particularly in customer identity management (CIAM). But this trust is also a way to stand out in digital and get ahead of the game. Some major brands have understood this and use this argument to differentiate themselves not only from close competitors but also from the Net giants against whom they regularly have to defend their traditional territory. Today we’re still lacking simple symbols of this trust, such as a certification or a label, but perhaps 2018 will see work underway in France and the rest of Europe move in that direction.
C for Customer
For a few years, cyber strategies have focused on securing data. But with the advent of digital transformation, CISOs need to change their posture and put customers at the heart of their thinking. Adopting a “client-centric” strategy will help to shed light on the real contributions that the cybersecurity sector brings in providing new services and protecting customers’ interests.
Without a doubt, 2018’s going to be a key year for cybersecurity and digital trust. A year when we’ll have to reinvent the ways we work in order to win high-level support whilst getting some return on security investments, especially the client-related ones. Society as a whole is increasingly aware of and attentive to cybersecurity issues. Let’s take advantage and turn this context into an opportunity!