Mid-Year Check-In: 2019 Cybersecurity Predictions
Back in early January, I teamed up with my colleague, Jordan Mauriello, to write five cybersecurity predictions for 2019. Now that the year is half over, I thought that it would be good to take a look back at the predictions and check in to see how they are holding up. Did the market play out as we expected, or did things change?
Here is a quick review of each prediction with some mid-year thoughts:
Prediction #1:
GDPR Non-Compliance – In 2019, several organizations will choose not to be GDPR compliant, deciding that paying a fine or dealing with a lawsuit is easier than trying to comply with an ambiguous and undefined standard.
Where we are today:
It looks like this is starting to play out as expected. In the last month alone, significant fines have been levied against British Airways ($230 Million) and Marriott ($123 Million) for GDPR violations. Any appeals or litigation related to these fines will probably drag out for some time, and other companies facing similar large fines will likely also move to litigation due to the ambiguity of the regulation.
Prediction #2:
Cryptojacking Moves to #1 – Cryptojacking will pass ransomware in 2019 as the premier malware threat as hackers look for ways to get closer to the money with minimum effort to monetize attacks.
Where we are today:
According to the Webroot Threat Report published on April 22, Cryptojacking is the number one IT security threat today and has surpassed ransomware to take the top spot. This prediction is holding strong, and I’m not surprised by this. Cryptojacking also presents a threat to cloud service providers, as hackers look to leverage their infrastructure for mining. As a result, look for Cryptojacking to accelerate and maintain its spot as the top threat this year.
Prediction #3:
Organizational Shift – CISOs and security departments will move from reporting into IT to finance or legal, reflecting the shift from a technology focus to risk. This is a result of executive teams and Board members realizing the importance of cybersecurity to the entire organization (e.g., operations, financials/stock, brand, etc.).
Where we are today:
This is definitely happening, but we are likely in the early stages and there is not as much public evidence of it happening – yet. Anecdotally, I’ve talked with a number of CISOs and Directors that are working through the organizational shift of transitioning their reporting from the CIO to the CEO or General Counsel.
A story in Security Boulevard saw similar organizational shifts starting to happen: “While the largest of enterprises, such as the Fortune 500, have mostly maintained that organizational structure, it’s changed considerably among the mid-market and smaller (but not small) enterprises. (A recruiter) noted at one time his firm was recruiting for eight different CISO positions, each with a different reporting structure. Some of these positions reported to the CEO, CFO and COO, among other structures, but interestingly, only one reported to the CIO.”
Prediction #4:
Platform Consolidation – We will see a consolidated platform from a single vendor actually work in cybersecurity in 2019.
Where we are today:
We are definitely seeing movement in this direction. A May 2019 story in Channel Futures stated: “consolidation and integration emerged as two of the major themes at this year’s RSA Conference 2019, perhaps the result of the high enterprise demand for fewer tools and vendors, as well as a shortage of talent.” It added that “Ovum has seen in surveys, research and customer discussions that customers are demanding fewer security tools and have been suffering tool fatigue over the past few years.”
Also, we are seeing an uptick in strategic acquisitions to expand portfolio companies into other verticals. Palo Alto Networks acquired Twistlock and PureSec to move into container and serverless security. Microsoft has also expanded development and investment in security, and with the release of Sentinel, it looks to consolidate its products into a single platform.
Prediction #5:
AI and ML Finally Get Real – Artificial Intelligence (AI) and Machine Learning (ML) will finally find a truly useful purpose in cybersecurity this year and will move past the “marketing hype” phase. You will see real-world, practical applications and use cases of AI and ML, beyond PowerPoint slides.
Where we are today:
This continues to be a challenge to validate as more and more vendors drown the market in marketing hype about AI and ML. A May 2019 report from Global Market Research states that AI in the Security Market is expected to grow at a CAGR of +35% during the forecast period 2018–2025. While the number of solutions trying to leverage true AI/ML is growing, the buzzwords are quickly drawing a negative connotation, regardless of the potential benefits of the solution. As you will see in this June 2019 story in Geekwire, some startup CEOs think that AI is over-hyped.
Overall, these predictions seem to be on target – but as always, the future is uncertain, and things can change quickly in the cybersecurity world. We’ll plan to do another update at the end of the year and issue some fresh predictions for 2020.
In the meantime, let us know if you have any thoughts on our current set of predictions, or if you have cybersecurity predictions of your own for the next six months.
by Randy Watkins | CTO, CRITICALSTART
July 31, 2019
As the Chief Technology Officer and an emerging thought-leader in the security industry, Randy is responsible for designing and executing the company’s strategic technology initiatives, which includes defining the strategy and direction of CRITICALSTART’s Managed Detection and Response (MDR) services delivered by the Zero-Trust Analytics Platform® (ZTAP). Previously, Randy served as the Director of Security Architecture, where he set the strategy for emerging vendor technologies, created the Defendable Network reference architecture, and set product direction for the company’s internally-developed Security Orchestration Automation and Response platform.