What can we expect to see within the UK Cyber Security sector in 2020?

Building defensive walls

The field is also changing for those tasked with countering the efforts of cyber-criminals.
“Security technologies continue to evolve, with the market seeing many acquisitions and consolidations of offerings that result in vendors providing a more 'all-inclusive' portfolio,” says James. “This provides businesses with the benefit of technologies more closely aligning to business risks and processes, as opposed to focusing on elements of the security discipline. With that said, this 'one-stop-shop' approach does not necessarily meet the needs of all businesses, so I would convey caution in the belief that one solution can fix all problems.”

James also highlights the availability of free resources from local and regional authorities that can help under-resourced businesses better protect themselves. This is particularly important for SMEs, which represent low-hanging fruit for cyber-criminals; they have plenty to steal, but often have insufficient resources to securely protect their assets and infrastructure.

Of course, weak security in the hands of third-party organisations – such as clients, partners and vendors – can also pose a threat to your business, as Bharat points out. “Hackers now go three to five levels deep into a supply chain network to find SMEs that are still poorly defended, so present an entry point,” he observes. “They then work up towards the high value assets in the enterprises at the end of the chain.”

This is a point that James echoes. “Careful consideration of the risks impacting the key services that the business needs to survive is paramount to an effective protection,” he says. “But also, be engaged and stringent with your vendors downstream in the supply chain. An 'out-of-sight, out-of-mind' perspective is no longer acceptable to either customers or regulators when it comes to outsourced business operations or, saying that, when it comes to any business operations. Hold those parties to account in their protection of what you value and be bold enough to take action where you see unacceptable practise.”

Jobs and investment

Perhaps the hottest potato in the sector, though, is whether businesses are investing enough resources into tackle the wide range of threats that they now face. “The 2019 (ISC)2 workforce study concluded that the current size of the cybersecurity skills gap globally sits at 4.07m, with supply needing to rise by 145% to meet current demand,” says James. “EMEA specifically needs to find over a quarter of a million additional professionals to fill the demand. This will result in 2020 continuing to be a challenging period for cybersecurity services and professionals, with many businesses either severely understaffed or entirely unstaffed in the discipline. As such, businesses need to be smart about how to fill this gap. Careful consideration is needed as to whether to staff internally to meet the needs of the business versus leveraging third-party services.”

“Those opting to go down the internal staffing route will need to be prepared to hire staff that require training and investment to fulfil their roles as seasoned professionals are scarce or expensive, or both,” James continues. “If a business chooses to use third-party services, a proper due diligence and tendering process will be key as the market for these kinds of services is fairly saturated. Businesses need to ensure they know what they are buying and that they are getting a good price for those services.”

 

Skills

 

 

“The combination of cybersecurity and data analytics job skills will become a critical pinch point,” says Bharat. “Security leaders should start incorporating RPA (Robotic Process Automation) and Big Data Analytics into the training schedules of their staff to keep them business relevant and engaged. Retaining good security and talented employees is strongly dependent on the culture and tone set by the senior leadership team.”

And modern security processes must engage with constant change. “Keep improving and enhancing security posture and security maturity,” advises Bharat. “Legacy methods of updating risk assessment on an annual basis are woefully slow... Improved levels of employee education and awareness [are critical and] on a regular basis instead of as a one-off or annually.”

It's also important to take the well-being of staff into account. “Improved understanding of stress and the mental health of cybersecurity teams, who are often short-staffed and under pressure, is key,” says Bharat. It's important to provide a balanced working environment, he says, and for managers to be able to recognise early warning signs of burnout.

 

 

360° visibility

 

For digital security to be truly effective, though, it must become a fundamental part of the corporate strategy – from instilling a DevSecOps mindset to simply mapping out the full spectrum of hardware in use. James comments, “The key is for businesses to have a firm understanding of what assets, in terms of both technology and data, they have in order to manage them effectively. I live by the saying 'you cannot manage what you cannot see'. Further to this, businesses need to focus on understanding the threats associated with the specific types of assets and how they can be mitigated. It is better to be 10% secure in 100% of your assets than 100% secure in 10% of your assets.”

The big picture is beginning to look more broadly positive, though. Businesses are now prioritising security in a way that they didn't before – and investment is pouring into the sector. Nevertheless, industry faces the more fundamental problem that there are a limited number of experienced cybersecurity professionals in the world. The core challenge for the field will hence be to raise a new generation of experts – who are able to tackle the challenge head-on.