The security threats and breaches of 2017 have set astounding new records for personal data invasion. From WannaCry to Petya, the list of sophisticated and far-reaching breaches grows almost daily. In 2017, breaches impacted hundreds of millions of people globally.
The security mission to protect, detect, and respond, has remained the same for everything from IT networks and data storage to payment systems and IoT devices. In the past ten years, a tremendous wave of technology innovation has been developed to help protect and detect. Yet, the most neglected area of security is the part that can be controlled – the response. With the increased trend of security issues, the top management of organizations is looking into the need for intelligence and resilience to security and finding ways to tackle it.
As per a recent report, India’s IT spending is expected to grow to $ 1.7 billion in 2018 from the current $1.5 billion in 2017 including IT outsourcing, implementation and consulting services. India has embarked on a journey of digital transformation with initiatives such as cashless economy and mandatory authentication linkage through a common biometric data platform. While it is impossible to stop innovation in a country where ‘Digital India’ is getting a push, there are concerns about incorporating security right at the beginning. With the deployment of IT security solutions, enterprises need to protect their data, manage the resources and networks.
Presenting his outlook for 2018; Edgar Dias, Managing Director, ServiceNow India said, “We live in a world where security is about giving the access of right content to the right user. There is a growing need for every organization to adopt serious measures to combat security threats and maintain a balance between protect and response measures more proactively rather than reactive. Improvement in technology will come only through increased awareness amongst businesses and organizations. ”
As 2017 draws to a close, ServiceNow looks at a few top security trends to watch in 2018:
Prediction 1: Security “Haves” and “Have-nots” emerge.
Security teams struggle to quickly determine whether incidents are worth a response. Many organizations use dozens of security tools that create and funnel massive volumes of signal onto the desk of the security professional. Analysts use spreadsheets and email to manage reacting to this signal, and the sheer volume of alerts results in analysts spending too much time researching incidents.
In 2018, we will see security Haves and Have-nots emerge between those that begin to automate this research portion of security response and those that don’t. Companies with the tools and culture to embrace automation, and put technology to work for real business enablement, will perform better than those that don’t.
The Haves will be expected to report on security operations as a key part of their day-to-day business. They will have scalable processes in place and will be in a position to measure progress. Automation will help them better determine which systems to patch and when. They will respond to phishing attacks in minutes rather than days. For the Haves, this will be a point of pride.
The beauty for the Haves is that their security people will be freed from mundane and time-consuming manual research. They will have more time to focus on strategic projects that fortify the organization. This new approach extends beyond security. Automation is so effective it becomes a rising tide that lifts all ships, operating in virtually all areas of business.
Prediction 2: Security gains a seat in the boardroom.
Security programs are about tradeoffs and minimizing risk. To achieve greater success, security teams need to better articulate those tradeoffs by putting the risk and material consequences into business terms, fundamentally bringing security into their business strategy. CISOs need to help executives and board members understand the ROI, cost-benefit analysis, and security program tradeoffs by articulating the business risk versus business value.
In the coming year, we will see CISOs do more to present their security concepts and programs in business terms. Talking about securing data is one thing, but demonstrating the value that security offers the business is something else. This will eventually apply to every aspect of the business, but most immediately applies to regulatory compliance, potential lost revenue, customer relationships, legal liability, competition, intellectual property, stockholder loyalty and brand protection.
The boardroom needs to take a step toward security, and security operations needs to take two steps toward the boardroom. Bridging the knowledge gap between security leadership and the board provides the framework to ensure effective security by helping all parties assess the risks and decide how to mitigate them.
Prediction 3: A breach enters our physical lives.
There is a difference between information and physical security. The breaches that plague organizations today are primarily information security violations. While painful, having credit card information, a social security number, or personal digital information stolen does not result in physical harm to the victim. In 2018, we will see a breach impact our physical, personal lives. It might be a medical device or wearable that is hacked and remotely controlled. Perhaps it will be an industrial IoT device or self-driving car that gets compromised. Or something closer to home – literally. Devices from the garage door to the refrigerator are becoming smarter and more connected. The impact of such an attack will force government, business and individuals to take a closer look at the security of our infrastructure.
Prediction 4: Framework for data protection in India.
There are discussions around a co-regulatory approach that will involve the government and industry experts for governance of data protection in India.
A recent paper released on ‘data protection framework for India’ by a government-appointed committee of experts will draft a law based on seven principles — technology agnosticism, holistic application, informed consent, data minimization, controller accountability, structured enforcement and deterrent penalties. One critical element in the paper is that it stated the definition of personal data which ascertains the zone of informational privacy guaranteed by a data protection legislation.
This law will help data-driven innovations and lead citizens into a digital future.