1. DevSecOps in the age of the cloud
DevOps is an increasingly popular development practice allowing organisations to increase the speed at which they produce apps and services. An unfortunate side effect of this process is that you might also be accelerating the production of insecure code and bugs, with the potential to cause a serious financial and reputational hit if not managed correctly.
In an increasingly cloud- and mobile-first world, it will become essential to bake security into this process as well: DevOps becomes DevSecOps. Embracing an application lifecycle approach in this way will end up saving organisations time and money – because problems are always easier to solve when security is addressed as far “left” in the lifecycle as possible. It will not be an easy shift for many security professionals, but third-party expertise will help overcome cultural resistance and arm organisations with the right processes and automated toolsets to drive success.
2. Machine learning and managed security
Machine learning, AI and automation have the potential to plug chronic security skills shortages and transform threat defence by spotting sophisticated advanced attacks and zero-day threats. Whatever the industry marketing hype might have you believe, machine learning is actually far from new – in fact, NTT Security has been using it for 15 years.
Machine learning is not a silver bullet and should instead be used as part of a layered approach to threat prevention. It can spot patterns that human eyes might miss, but it shouldn’t be seen as a replacement for human expertise. Part of the value we offer is in arming Security Operations Centre experts with machine learning tools. The automated tools find the needle in the haystack, but then it’s vital to get human eyes on that needle to analyse it further.
These kinds of capabilities are set to drive a surge in managed security services (MSS) next year and beyond. According to our Risk:Value 2017 report, 30% of UK organisations are using or planning to use an MSSP, with 31% claiming this is because of a lack of internal skills and 27% because they want access to better technology.
3. From tech- to business-driven security
Security professionals love to talk bits and bytes, sometimes even “out-geeking” the rest of the IT department. But we are already seeing a change take place, and it is a necessary change: in fact, it’s a question of digital survival. Put simply, security strategy must be aligned to business strategy or vital digital transformation projects will fail and the business will become irrelevant. Some 85% of business leaders believe they only have two years to make progress in their digital transformation programmes before they fall behind their competitors.
PS: Honourable GDPR mention
Finally, 2018 will be the year when the GDPR (25 May) and NIS Directive (9 May) come into force. I won’t add to the thousands of opinions already circulating about this, but suffice to say, it’s vital to get your compliance house in order asap. If organisations are having trouble getting the Board’s attention, remind them of the maximum fines for non-compliance: £17m or 4% of global annual turnover, whichever is higher.