The last two years have been pretty rough on organizations when it comes to information security. As a result of last year’s very large, visible breaches—and the year-long focus on GDPR—chief information security officers must continue to relentlessly improve information security in their organizations in 2019.
We predict six information security trends in 2019:
- More government involvement
- More challenges as cloud computing becomes mainstream
- A focus on eDiscovery rules as a result of GDPR and privacy concerns
- More attention to reputational risk
- Increasing governance challenges from the growth of big data
- Use of artificial intelligence as an information security tool
Trend 1: The government will become more involved in information security issues.
There was no let up in news about significant breaches revealed in 2018. These ranged from Orbitz to Quora to Facebook and Cambridge Analytica. The Marriott breach affected 500 million customers.
As we look to 2019, we believe that there are more significant breaches to come. As a result, expect:
- Government agencies—the SEC comes to mind for financial services—will start to press businesses when it comes to compliance and security.
- The government will start to ask whether companies are doing proper risk assessments.
- Agencies will want to know more about the kind of access controls that organizations employ.
- Look for the government to begin to fine companies involved with a breach.
Companies that have paid a great deal of attention to security should be OK. But those organizations that are doing just enough (or not enough, at all) will start to see government fines and traditional audit findings impact their bottom line.
Also, with California and New York leading the pack with state level GDPR-like regulations, it’s entirely possible that Congress will start to make noises for a standard, all U.S. version of consumer privacy guarantees.
Growing government involvement in information security means organizations must start to view information governance and security in a proactive—rather than a reactive—sense to avoid unnecessary fines and headaches.
Trend 2: Increased cloud usage complicates the information security picture.
In 2019 organizations will continue to move infrastructure and applications to the cloud. The good news is that the large cloud providers such as Amazon, Microsoft, and Google create a kind of homogeneity on the security side. No longer are you managing the security of your systems and assets.
If AWS or Azure gets breached, the whole business model for Amazon or Microsoft collapses. That’s just not that likely to happen. Even looking at Office 365, if it’s within the Microsoft perimeter, security looks pretty solid.
That means that information security is about managing the relationship with your cloud provider. But it’s still your responsibility to control your data-loss prevention (DLP) rules, dictionaries, and most aspects of user access.
The cloud providers may have the resources to secure your processes and assets, but it’s your responsibility to create the right governance for users, customers, and third-party partners. User awareness, user training, and user access management—all controlled at the enterprise level—remain key.
Trend 3. Privacy agreements and international eDiscovery rules will become better defined in 2019.
Look for further development of eDiscovery rules between the European Union and the United States. With GDPR, the California Consumer Privacy Act, and regulations being developed in other US states, you’ll see firms that operate internationally starting to standardize how they provide data to a government or a U.S. or international court.
There will be further development of the EU-US Privacy Shield Agreement, the unilateral agreement instigated by the EU that obliges the US to protect personal data belonging to EU citizens. How you provide data and the manner you do so in the case of international litigation will affect several groups within your organization: records, legal, IT, security, and governance.
Note that if Brexit does occur, there also will need to be a US-UK privacy agreement.
Trend 4: Companies will use information governance to manage reputational risk as a part of information security.
If you go back in time and list the major brands that had to reveal large breaches—Target, Home Depot, Equifax, Anthem, and Marriott—you begin to realize that there’s (probably) not a single person in this country who has not been breached. Is ID theft for the individual as devastating as it once was?
The public may be becoming desensitized, but there’s still reputational risk to consider. This is especially true if companies begin to be crushed by government fines, sanctions, or even suspension of business.
There are so many sources of data, including departing employees, data generated by IoT devices, and information managed by third parties. Again, this is where good data governance comes in. It’s important to manage—and sometimes, with the right set of rules, purge—that information. The smaller the attack surface, the greater your ability to manage reputational risk.
Trend 5: Big data will challenge organizations to implement good information governance.
There’s a lot of attention being paid today to big data and data analytics. Many organizations are reluctant to get rid of information because they don’t know what information they’ll need down the line.
The problem is that maintaining huge data lakes means you’re maintaining a treasure trove for hackers. This leads to an interesting philosophical clash: What’s more valuable? Protecting information that might be useful later, or reducing a risk surface that otherwise would grow exponentially?
The amount of information we create is insane and only growing. You have to use good information governance to balance the desire to keep everything versus the need to reduce risk.
Trend 6. Organizations will employ artificial intelligence as an information security tool.
In 2019, we’ll see more organizations using artificial intelligence (AI) to look for bad actors. AI will be a tool to do some of the repetitive work in this area; a bot could look for unusual activity.
But companies will still need human intervention to do high-value work. AI will become a time-saver and a tool; but when it comes to information security, automated processes will need to be backstopped by a human being.
Information governance can help deal with the challenges presented by these trends.
How will information governance fit into your information security needs in light of these trends? You can review some of our key recommendations in the white paper Transforming Information Security With Information Management.