Cyber security has become an important priority for enterprises and service providers alike. New ways of working and new technologies that bring agility, speed, additional functionality, and cost savings also bring vulnerabilities that need to be addressed. Here we are setting out our predictions for what will drive investment (and non-investment) in cyber security services during 2018.
The key findings of this study are:
- Cyber security is becoming a business concern rather than purely a technical issue.
- Many enterprises have insufficient budget and resources to adequately assess and improve their security posture. Moreover, enterprises often fail to implement a known fix, be it a software patch or a recommended procedure, leading to increased threat exposure.
- Enterprises will continue to invest in cyber security initiatives throughout 2018. The main areas of focus include:
  - Cloud security as enterprises increase their use of cloud computing
  - Threat preparation, detection, and management
  - Clear, widely communicated, and speedy incident-response procedures
  - The General Data Protection Regulation (GDPR)
  - Implementing security and privacy by design in all initiatives
  - Considering security aspects of new technologies, such as IoT and blockchain
Cyber Security Services: Growing Awareness but Still a Long Way to Go
- Security in the business context: Security is evolving from being a technical concern, largely owned by the IT department, to one that needs to be considered in the context of the whole business, which entails cooperation between IT and business. In some enterprises, there is a specific security function, often led by a chief information security officer (CISO). Despite this, many enterprises still fail to treat security as a business concern. IT and business managers need to work more closely to understand the importance of security. For example, applying an important patch should take priority over avoiding the estimated downtime of a particular business application.
- Security budgets are increasing but are still insufficient: Mature enterprises allocate handsome budgets to cyber security efforts. However, the recent EY report, EY Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber attack, highlights that enterprises still don’t understand the nature and risk of threats; moreover, they lack adequate resources to address issues. Security budgets are often increased if the enterprise faces a direct threat, but a threat elsewhere in its industry is unlikely to affect current budget levels. Our research shows that additional budget after a direct threat to the enterprise is often spent on recovering lost data rather than on strengthening security processes in general.
- Enterprises are not doing the basics: Many threats attack known vulnerabilities. In other words, they succeed because of the enterprise’s failure to follow a known and recommended procedure, for example by allowing weak passwords. This highlights the need for solid procedures that are clearly understood and monitored. As FBI security expert Frank Abagnale points out, “Every single breach happens because someone in the company did something they weren’t supposed to. Or someone in the company failed to do something.”
- Finance leads the way: Generally, the understanding of and investment in cyber security services has as much to do with the maturity of the individual enterprise as with its industry sector. That said, the financial services industry is the biggest spender on cyber security services, which is unsurprising given the level of risk associated with its core business. Service providers also report increasing spending in the insurance and healthcare industries. Deloitte is a good example of a service provider that has developed services for the public sector.
- Lack of awareness: Global threats raise awareness, but they tend mainly to increase fear, uncertainty, and doubt. Service providers like Accenture provide education services to increase cyber security awareness in enterprises.
- Lack of resources: Many cyber security skills are rare in the market, especially for the business-critical areas such as incident response services. In addition, resources tend to have siloed skills (for a specific business application, for example) rather than more holistic capabilities.
Cyber Security Services: 2018 Predictions
Cloud Security
Prediction: Enterprises will focus on the data security aspect of using cloud solutions. This is particularly true of mature enterprises that adopt the OneOffice approach and endeavour to create a digital customer experience with an intelligent, single office to enable and support it.
Trend: After some initial hesitation, enterprises are now more open to cloud technologies. We are witnessing strong growth in SaaS services, including Workday, SuccessFactors, Microsoft Dynamics, and Salesforce. Some enterprises have a cloud-first policy, where they consider cloud options for all new deployments before on-premise options. We’re also seeing a growth of cloud ERP solutions, including finance. Most enterprises have focused on fast implementations with insufficient regard to overall business strategies and implications. Those now initiating phase 2 implementations and those who generally have a more strategic approach are considering business issues upfront. Cyber security is becoming one of the biggest concerns for enterprises in these strategic discussions.
Threat Management
Prediction: Enterprises will prioritize threat management in 2018. Enterprises will realize the importance of proactively monitoring internal and external threats and their impact on the business.
Trend: Global attacks are likely to continue. Malware and ransomware like WannaCry and Petya, which stole headlines in 2017, threaten an enterprise’s reputation as a trusted partner for customers and suppliers. This reputation is critical as emerging business models involve complex ecosystems of partners, suppliers, and customers. Moreover, each member of the ecosystem has a responsibility to be secure, as any vulnerability can affect other organizations in the ecosystem. Unfortunately, many enterprises fail to implement basic controls, such as deploying available patches and performing routine security testing. Maintaining a high standard of internal security is also paramount to preserving brand and building trust with customers. Using user behavior analytics services, for example, helps enterprises monitor patterns of user behavior and detect anomalies in order to identify threats. Enterprises have made some investments in their threat management efforts, but these are still insufficient, and awareness of the impact on the business is still weak or, worse, ignored. Moreover, some enterprises have an incomplete identity warehouse, which should capture all identity data and access rights. Until this is rectified, the usefulness of a threat management policy is limited. The Information Commissioner’s Office (ICO) recently fined Carphone Warehouse £400,000 for its failure to implement basic security measures, which led to customer data being compromised in a cyber attack in 2015. The failures included a lack of routine security testing, out-of-date software, and a failure to identify and purge historical data.
Incident Response
Prediction: Enterprises will build or strengthen their incident response procedures to quickly and effectively respond to threats.
Trend: While enterprises have invested in some level of threat management techniques, they have not paid enough attention to documenting detailed procedures to follow after an attack. The old maxim that “you are never completely secure” is still true today, especially given the nature and proliferation of global cyber security threats. Solid incident response processes are lacking in many enterprises today. The typical CxO reaction to threats in the market, especially in their own industry sector, is to require reassurance from their security teams that the enterprise is secure. However, additional budget or resource support is not often forthcoming, which leaves security teams in vulnerable positions. Enterprises are increasingly focusing on establishing a fast and effective response to threats, albeit largely with the encouragement of service providers.
General Data Protection Regulation (GDPR)
Prediction: Enterprises will prioritize compliance with GDPR to meet the compliance deadline on 25 May 2018. This will prove too difficult for some enterprises. A publicly announced failure and penalty will increase the urgency for others to understand and comply with the regulation.
Trend: GDPR is an enhanced privacy regulation governing data relating to European citizens, partners, patients, customers, and employees. Industry and government regulations remain important reasons for security investment, but for affected enterprises GDPR is the single biggest regulation driving cyber security and privacy investment. Given the urgency, enterprises are taking a proactive view of their security posture and carrying out privacy assessments. We expect this to continue into 2018. Many enterprises are still trying to understand the requirements and the implications of non-compliance. There is a distinct possibility that a case of non-compliance leading to hefty fines will encourage other enterprises to increase their compliance efforts. Again, identifying the location of all relevant data is a massive challenge for most enterprises before they can even start to comply with the regulation.
Security and Privacy by Design
Prediction: The concepts of security by design and privacy by design will start to become important, with steady uptake among enterprises.
Trend: In most cases, security requirements and implications are afterthoughts to IT projects. We don’t expect this to change much in 2018, as enterprises forge ahead with rapid deployments to remain competitive. However, service providers will encourage enterprises to consider security and privacy by design, and to implement these in the development stage of projects so that security issues are easier to handle later. For example, security should be built into project methodologies, such as DevOps, and security testing should be included in product quality testing cycles. The GDPR regulation, and cloud deployments that connect enterprises to clients, will promote the use of privacy by design at least, but enterprises will need assistance and guidance from service providers to do this effectively.
New Technologies
Prediction: Service providers will expand the use of new technologies in their security services offerings. Enterprises will begin to question the security issues of new technologies they are using.
Trend: New technologies can be used to enhance security services, such as automation and artificial intelligence for threat detection and even basic levels of incident response. We expect service providers to continue to invest in these to enhance their services to drive differentiation. In addition, enterprises that are using new technologies, such as blockchain and IoT, will start to enquire about the security aspects of these technologies. Clearly there is a disparity between enterprises that are new to these technologies and those who have used them for many years, such as IoT usage by the oil and gas industry. However, all enterprises need to be informed of current threats in the market and understand the necessary precautions they must undertake. This is true for all new technologies that enter the market throughout 2018 and beyond.
Cyber Security Services
The cyber security services market includes strategy and technical consulting, security solution and process implementation, and ongoing monitoring and management services of infrastructure and applications. Security service providers can therefore provide guidance across the security services lifecycle to enable enterprises to understand the issues, implement the necessary technologies and processes, and have a continuous monitoring program.
Service providers such as EY and Wipro are exploring the use of machine learning and AI to provide threat intelligence, detection, and response, because people alone cannot keep up with the speed and nature of attacks. Threat readiness, preparation, detection, and management services are all growth areas. Other examples of security services include EY’s cyber security dashboards for board rooms, so that boards understand security issues and are more engaged. Deloitte adopts a business approach and delivers business outcomes. For example, the Deloitte Cyber Strategy Framework (CSF) is a cyber resilience assessment based on an enterprise's specific business context. Accenture encourages clients to include security in DevOps processes and has also developed a security testing-as-a-service offering. Infosys has a strong focus on detection and response services and intends to strengthen its forensics services in 2018.
HfS will track the cyber security services market throughout 2018. We will publish a Cyber Security Services Blueprint report in late 2018, in which we will explore the latest trends, buying behavior and service provider capabilities in this market.
Bottom Line: Cyber Security Is an Ongoing Initiative
Most enterprises need assistance to prepare for, identify, and respond to cyber security threats. We expect enterprises to continue to invest in cyber security initiatives throughout 2018 and beyond as they struggle to manage internal and external threats, strive to comply with regulations, and work to keep abreast of vulnerabilities of new technologies and working methods. New regulation, particularly GDPR in Europe, will start to drive all organizations that store data, particularly any sensitive personal information, toward higher standards, especially when we see high profile fines for non-compliance.
The dynamic nature of business environments means that enterprises never have perfect security. Achieving a single view of the security posture can be challenging, but maintaining this can be even more difficult. For example, many enterprises are initiating digital transformation projects. These require multiple integrations including technologies, standards, and protocols, which result in a fundamental change of the enterprise and its security posture. Cyber security is an ongoing initiative that enterprises need to monitor continuously.