What can we expect to see within the UK Cyber Security sector in 2020?
Cybersecurity has been climbing the corporate agenda, year by year – and this is perhaps no surprise given the enormous financial and reputational damage that businesses have suffered as a result of large-scale breaches. In short, security really is more important than ever.
So, what does the future hold for cybersecurity? “In 2020, we'll no doubt continue to see a rise in attacks against big vendor technology such as Office 365, AWS, Azure and Google Cloud as business and personal adoption of the technologies continues at pace,” says James Packer, Head of Cybersecurity at EF Education First. “Vendors providing these types of technologies are continuing to improve the 'secure-by-design' aspect of their solutions, however, many easy-target security layers remain [with] the customer; layers such as authentication and identity controls.” A key vulnerability in cloud computing is the simple misconfiguration of security layers – something that happens all too often.
Security required by law
Bharat Thakrar, Chief Technology Officer, CISO at Learning People Global, meanwhile points to shifting ground in the industry. “We're seeing a huge proliferation of IoT devices with minimal levels of security,” he says. “Meanwhile, the strengthening of privacy legislation and control over Big Tech corporates will also impact the wider tech environment. Regulatory bodies are also starting to make examples of bad practice with much heavier penalties and fines; and the US is starting to follow Europe’s example with GDPR.”
James also cites the significance of these changes. “The regulatory landscape is continuing to evolve; with key regulations such as the California Consumer Privacy Act (CCPA) and the New York Shield Security Act coming into force in the first quarter of next year. Businesses will have some tough questions to field as a result and, no doubt, expanded regulations in many regions will emerge.”
Building defensive walls
The field is also changing for those tasked with countering the efforts of cyber-criminals.
“Security technologies continue to evolve, with the market seeing many acquisitions and consolidations of offerings that result in vendors providing a more 'all-inclusive' portfolio,” says James. “This provides businesses with the benefit of technologies more closely aligning to business risks and processes, as opposed to focusing on elements of the security discipline. With that said, this 'one-stop-shop' approach does not necessarily meet the needs of all businesses, so I would convey caution in the belief that one solution can fix all problems.”
James also highlights the availability of free resources from local and regional authorities that can help under-resourced businesses better protect themselves. This is particularly important for SMEs, which represent low-hanging fruit for cyber-criminals; they have plenty to steal, but often have insufficient resources to securely protect their assets and infrastructure.
Of course, weak security in the hands of third-party organisations – such as clients, partners and vendors – can also pose a threat to your business, as Bharat points out. “Hackers now go three to five levels deep into a supply chain network to find SMEs that are still poorly defended, so present an entry point,” he observes. “They then work up towards the high value assets in the enterprises at the end of the chain.”
This is a point that James echoes. “Careful consideration of the risks impacting the key services that the business needs to survive is paramount to an effective protection,” he says. “But also, be engaged and stringent with your vendors downstream in the supply chain. An 'out-of-sight, out-of-mind' perspective is no longer acceptable to either customers or regulators when it comes to outsourced business operations or, saying that, when it comes to any business operations. Hold those parties to account in their protection of what you value and be bold enough to take action where you see unacceptable practice.”
Jobs and investment
Perhaps the hottest potato in the sector, though, is whether businesses are investing enough resources to tackle the wide range of threats that they now face. “The 2019 (ISC)² workforce study concluded that the current size of the cybersecurity skills gap globally sits at 4.07m, with supply needing to rise by 145% to meet current demand,” says James. “EMEA specifically needs to find over a quarter of a million additional professionals to fill the demand. This will result in 2020 continuing to be a challenging period for cybersecurity services and professionals, with many businesses either severely understaffed or entirely unstaffed in the discipline. As such, businesses need to be smart about how to fill this gap. Careful consideration is needed as to whether to staff internally to meet the needs of the business versus leveraging third-party services.”
“Those opting to go down the internal staffing route will need to be prepared to hire staff that require training and investment to fulfil their roles as seasoned professionals are scarce or expensive, or both,” James continues. “If a business chooses to use third-party services, a proper due diligence and tendering process will be key as the market for these kinds of services is fairly saturated. Businesses need to ensure they know what they are buying and that they are getting a good price for those services.”
“The combination of cybersecurity and data analytics job skills will become a critical pinch point,” says Bharat. “Security leaders should start incorporating RPA (Robotic Process Automation) and Big Data Analytics into the training schedules of their staff to keep them business relevant and engaged. Retaining good security and talented employees is strongly dependent on the culture and tone set by the senior leadership team.”
And modern security processes must engage with constant change. “Keep improving and enhancing security posture and security maturity,” advises Bharat. “Legacy methods of updating risk assessment on an annual basis are woefully slow... Improved levels of employee education and awareness [are critical and] on a regular basis instead of as a one-off or annually.”
It's also important to take the well-being of staff into account. “Improved understanding of stress and the mental health of cybersecurity teams, who are often short-staffed and under pressure, is key,” says Bharat. It's important to provide a balanced working environment, he says, and for managers to be able to recognise early warning signs of burnout.
For digital security to be truly effective, though, it must become a fundamental part of the corporate strategy – from instilling a DevSecOps mindset to simply mapping out the full spectrum of hardware in use. James comments, “The key is for businesses to have a firm understanding of what assets, in terms of both technology and data, they have in order to manage them effectively. I live by the saying 'you cannot manage what you cannot see'. Further to this, businesses need to focus on understanding the threats associated with the specific types of assets and how they can be mitigated. It is better to be 10% secure in 100% of your assets than 100% secure in 10% of your assets.”
The big picture is beginning to look more broadly positive, though. Businesses are now prioritising security in a way that they didn't before – and investment is pouring into the sector. Nevertheless, industry faces the more fundamental problem that there are a limited number of experienced cybersecurity professionals in the world. The core challenge for the field will hence be to raise a new generation of experts – who are able to tackle the challenge head-on.
Empiric is a multi-award-winning business and one of the fastest-growing technology and transformation recruitment agencies specialising in data, digital, cloud and security. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.
Empiric are committed to changing the gender and diversity imbalance within the technology sector. In addition to Next Tech Girls we proactively target skilled professionals from minority groups which in turn can help you meet your own diversity commitments. Our active investment within the tech community allows us to engage with specific talent pools and deliver a short list of relevant and diverse candidates.