What is the state of the cybersecurity industry and practice today? Recent surveys and analysis provide fresh insights into senior management and boards of directors not taking cyber threats seriously enough, IoT and mobile security deficiencies, the perennial cybersecurity skills shortage, new types of attacks on consumers and businesses, and the increasing threat of a global cyber war.
These old and new cybersecurity challenges make 2018 yet another year of “more of everything.” But it will also be the year in which the fact that security and privacy are two sides of the same coin will be reinforced, driving significant changes in cybersecurity practices. In “60 cybersecurity predictions for 2018” I wrote, “Like death and taxes, there are only two safe predictions about cybersecurity in 2018: There will be more spectacular data breaches and the EU General Data Protection Regulation (GDPR) will go into effect on May 25.” ESG’s Jon Oltsik wrote: “Data privacy officers and CISOs should re-investigate whether they are truly ready for GDPR. If your organization doesn’t have automated and auditable processes to find, delete, and verify data erasure at scale, the answer is definitely, ‘no.’”
Here are the sad numbers about the vulnerabilities of our digital lives:
36: percent of senior IT professionals that say their senior leadership sees cybersecurity as a strategic priority (Raytheon and Ponemon Institute).
68: percent of cybersecurity professionals that say their CEO demands DevOps and security teams not do anything that slows the business down (ThreatStack).
68: percent of senior IT professionals that say their boards of directors are not being briefed on what their organizations are doing to prevent or mitigate the consequences of a cyber attack (Raytheon and Ponemon Institute).
44: percent of senior executives who say that they feel “very” or “extremely” vulnerable to data threats (Thales and 451 Research).
66: percent of senior IT professionals that believe their organization will experience a data breach or cybersecurity exploit that will seriously diminish its shareholder value (Raytheon and Ponemon Institute).
35: percent of security professionals that rated their organizations’ ability to detect and remediate security incidents as “average” (ThreatStack).
60: percent of senior IT professionals that predict attacks by nation-state actors against government and commercial companies will worsen and could lead to a cyber war (Raytheon and Ponemon Institute).
49: percent of global technology security decision makers who say they expect their firm to increase IoT security spending this year (Forrester).
$21.5 billion: the size of the market for IoT Identity and Management in 2022, including cryptography, digital certificate management and data exchange services (ABI Research).
28: percent of organizations considering security strategies specific to IoT as “very important” (IoT Cybersecurity Readiness Report).
47: percent of global technology enterprise security decision makers that say they have sufficient tools to enforce security policies for managing IoT devices (and 10% don’t even have the tools to enforce these policies at all) (Forrester).
82: percent of senior IT professionals that predict unsecured IoT devices will likely cause a data breach in their organization (80% say such a breach could be catastrophic) (Raytheon and Ponemon Institute).
100: percent of all businesses that had experienced a mobile malware attack (Check Point).
53: the average number of phishing attacks per month per 100 mobile devices used by employees at asset management and investment firms (Wandera).
57: percent of senior executives that report they are spending the most on endpoint and mobile security technologies (Thales and 451 Research).
35.5 to 106 million: the range of the number of users malware has reached in 2017, most of whom downloaded the malware directly from 300+ apps on Google Play (Check Point).
93: percent increase in ransomware attacks against consumers from 2016 to 2017 (and ransomware against businesses was up 90%) (Malwarebytes).
14.5 billion: the number of emails laced with malware that were sent in 2017 (AppRiver).
132: percent increase in the volume of adware (automatically displaying or downloading advertisements and redirecting searches to advertising websites to collect marketing data) from 2016 to 2017, accounting for 40% of consumer threat detections, up from less than 20% in 2016 (Malwarebytes).
20.5: percent of organizations whose computing resources crypto-miners “borrowed” in December 2017 (Check Point).
428,643: the number of healthcare records compromised in January 2018, the third consecutive month where the number of breached records increased month over month (January 2018 Healthcare Data Breach Report).
$380: the cost per leaked record in the healthcare sector in 2017, up from $369 in 2016 (Ponemon Institute).
77: percent of U.S. multinational companies planning to spend $1 million or more on Europe’s General Data Protection Regulation (GDPR), which will go into effect on May 25, 2018 (PwC).
44: percent of organizations that are “somewhat” prepared for GDPR (i.e., the organization has identified all the steps to meet the GDPR deadline but is early in the process of completing all tasks) (ESG).
32: percent of cybersecurity and IT professionals that believe their organization’s biggest GDPR challenge is “understanding all the requirements associated with GDPR” (ESG).
35: percent of US organizations that don’t believe they will be fully prepared for GDPR in time for the May 2018 deadline (Censuswide).
10 (or less): percent of all digital authentications that will be accounted for by passwords in 2022, as passwords are made unnecessary by security technology combining machine learning, biometrics and user behavior (Gartner).
84: percent of cybersecurity professionals in the U.S. and Canada who are either open to new opportunities or already planning a job search in 2018 ((ISC)²).
70: percent of U.S. cybersecurity professionals who believe that the cybersecurity skills shortage has had an impact on their organization (ISSA).
58: percent of senior IT professionals that believe staffing problems will worsen (and 46% predict artificial intelligence will not reduce the need for experts in cybersecurity) (Raytheon and Ponemon Institute).
$18.5 billion: spending on security outsourcing services in 2018, up 11% from 2017 (Gartner).
44: percent of developers that are not trained in secure coding (and 42% of operations staff are not trained in basic security practices) (ThreatStack).
19: percent of organizations that have already deployed technologies for security automation and orchestration extensively (and 39% have done so on a limited basis, while 26% are engaged in a project to automate/orchestrate security operations) (ESG).
$96.3 billion: worldwide enterprise security spending in 2018, up 8% from 2017 (Gartner).
$7.66 billion: the amount of funding raised worldwide by cybersecurity startups in 2017, a record year (CBI).
To quote again the very quotable ESG (this time from the keyboard of founder Steve Duplessie):
“Cybersecurity is a magnificent market because the problem can never be solved entirely. Fix one hole, the bad guys find another. It’s a ping-pong match for hackers.”