It’s that time of the year again when people start asking me what industry trends to watch out for during the next 12 months. Well, I think it’s better to leave the trends to the security vendors – they’re much better at that kind of thing. At NTT Security, our value comes through consulting and managed security services delivered across the entire security life-cycle. That is why I’d rather take a step back and share my broader predictions on what might actually impact industry practitioners next year.
Here are my top three for 2018:
DevSecOps in the age of the cloud
Most of you will have heard of DevOps, an increasingly popular development practice that allows organisations to increase the speed at which they produce apps and services. An unfortunate side effect of this speed is that you might also be accelerating the production of insecure code and bugs, with the potential to cause a serious financial and reputational hit if not managed correctly.
In an increasingly cloud- and mobile-first world it will become essential to bake security into this process as well: thus, DevOps becomes DevSecOps. Embracing an application life-cycle approach in this way will end up saving organisations time and money – because problems are always easier to solve when security is addressed as far “left” in the life-cycle as possible. It won’t be an easy shift for many security professionals, but third party expertise can help overcome cultural resistance and arm organisations with the right processes and automated toolsets to drive success.
Machine learning and managed security
This is set to be a big one. Machine learning, AI and automation have the potential to plug chronic security skills shortages and transform threat defence by spotting sophisticated attacks and zero-day threats. Whatever the industry marketing hype might have you believe, machine learning is actually far from new – in fact, NTT Security has been using it for 15 years. It’s this kind of expertise that we think gives us the edge.
Machine learning is not a silver bullet and should instead be used as part of a layered approach to threat prevention. But it can spot patterns which human eyes might miss. That said, it shouldn’t be seen as a replacement for human expertise. Part of the value we offer is in arming our Security Operations Center experts with machine learning tools. As I described in a previous blog post, the automated tools find the needle in the haystack, but then it’s vital to get human eyes on that needle to analyse it further.
These kinds of capabilities are set to drive a surge in Managed Security Services (MSS) next year and beyond. In fact, according to our new Risk:Value 2017 report, 44% of organisations globally are using or planning to use an MSSP, with 28% saying this is because of a lack of internal skills and 29% because they want access to better technology. Just make sure to conduct thorough due diligence before choosing a third party.
From tech- to business-driven security
Security professionals love to talk bits and bytes, sometimes even “out-geeking” the rest of the IT department. But we’re already seeing a change take place, and it’s a necessary change: in fact, it’s a question of digital survival. Put simply, security strategy must be aligned to business strategy or vital digital transformation projects will fail and the business will become irrelevant. Some 85% of business leaders believe they only have two years to make progress in their digital transformation programmes before they fall behind their competitors.
Do you want to be the next Blockbuster, Kodak or British Home Stores?
Of course, it can be difficult for the security department to change its way of thinking overnight. That’s where third party expertise can help with the transition.
Finally, let’s not forget that 2018 will be the year the GDPR (25 May) and the NIS Directive (9 May) come into force. I won’t add to the thousands of opinions already circulating about this but, suffice to say, it’s vital to get your compliance house in order ASAP. If you’re having trouble getting the board’s attention, just remind them of the maximum fines for non-compliance: £17m or 4% of global annual turnover, whichever is higher.