Everyone wants to know what should keep CSOs and CISOs up at night as they begin to plan for the future. But there isn't just one thing. Instead, it's a combination of issues that will create a complex, multi-faceted problem set that has no clear-cut solution.
To get a picture of what is likely to await all of us, let’s look at the numbers! The cyberattack surface area will dramatically increase over the next few years. A 2015 report by management consultants at EY projected that by 2020, the number of connected devices would exceed 50 billion. Think about the dramatic growth in the Internet of Things segment – connected vehicles, wearable computing, IoT sensors, embedded systems, and so much more. We must not forget that as it stands now, many of those IoT devices are not likely to have cybersecurity protection built in, much less added on.
Now take into consideration that Cybersecurity Ventures projected that global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the next five years. And factor in another number: the estimate by Cybersecurity Ventures that cybercrime is expected to hit $6 trillion annually by 2021.
Ultimately, you have to conclude we will spend $1 trillion and end up with annual cyber losses of $6 trillion. Some might say we are fighting a losing battle and question if it is worth it. But how big would those losses be if we did not spend the trillion on our efforts to protect and defend? That is the threatscape in which CSOs and CISOs will find themselves. With that as the context, what are likely to be some of the troubling aspects that CSOs or CISOs will face in the next few years? Here are my top five picks:
1. The public disclosure that a successful cyberattack resulted in the death or deaths of individuals.
2. Civil or criminal action being brought against a CSO, CISO, or organization due to the death or deaths of individuals resulting from a cyberattack.
3. Legal action against a business that was an unwilling participant in a disruptive cyberattack against critical infrastructure that resulted in the disruption of service to their customers.
4. Product liability issues arising from system vulnerabilities that were exploited in a successful cyberattack that resulted in monetary losses.
5. Continued growth in the frequency and severity of cyberattacks will result in some country instituting a cyber draft to defend its digital borders.
With each and every day, cyber risks increase in frequency, and the complexity of the risks and the severity of their implications also increase. It is deeply concerning that one or more of the five issues above will further dissuade individuals from pursuing a career in cyber or information security, making the shortage even more severe. After all, current projections suggest there will be a shortage of approximately 1.5 million cybersecurity practitioners by 2019. As a CSO or CISO, how do you plan on protecting the devices, computers and systems when there are not properly skilled resources for you to hire?
How do you plan to protect your organization's computer assets, intellectual property and data when your budget will clearly not grow anywhere near as fast as the cost of cybercrime?
The best advice is to get company executives knowledgeable and aware of these and other strategic challenges. Make this someone else’s problem as well as yours. Create a realistic budget based on a recent and accurate cyber risk assessment. It is the CSO's and CISO's professional duty to put in their plans realistic estimates that will properly protect the information assets of the organization and comply with regulations, even if those estimates are not likely to be approved.