Forecasts for 2016

Heavy demands for research and consultancy have restricted my blog postings this year. It’s a reflection of the unrelenting growth in anything connected with cyber security. My New Year’s resolution however will be to return to regular blogging.

A year ago I forecast that the Internet of Things would be the primary focus of this year’s research, but that few applications would emerge. That certainly happened, though I think the IoT hype was pipped by the hype for the Bitcoin block chain, which even merited a major feature in The Economist.

Despite all the hype and investment around block chain applications, I remain pessimistic about its use for serious finance applications. In my view, anything that doesn’t scale well, can be taken over by whoever controls a majority of the mining power, and presents a major threat to tax collection is unlikely to succeed in the long term.

It was a no-brainer to predict that the treacle of regulatory compliance would become ever deeper, and that Governance, Risk and Compliance (GRC) solutions would remain immature (because of the large scope and complexity of the underlying data). That situation will get even worse as enterprises prepare for the new EU General Data Protection Regulation (GDPR). I know some companies are concerned about the mountain of paper required to demonstrate evidence of GDPR compliance. But that’s mainly because of a lack of visibility and management of information flows, and it’s certainly not a bad thing to correct that situation.

Prediction has been the new dimension for security this year, with increased promotion of artificial intelligence solutions and threat intelligence services. This is a double-edged sword for the CISO, who will face an inevitable increase in false-positive reporting, which cannot be ignored because of the possibility of a genuine nugget hidden within. My advice is to get the most out of simple, rules-based mining before turning on the AI technology, and generally to ramp up the resources devoted to security event and trend analysis.

A longer-term trend I drew attention to last year is the progressive commoditisation of many cyber security services, which are relatively easy to execute with scripts and open source tools. As technology becomes more powerful and easier to use, the security skill set will change, and enterprises will need to differentiate between areas that demand deep expertise and experience and those that can be easily carried out by an enthusiastic trainee.

A further trend to watch is the progressive growth of cloud-based services, which will demand a different security architecture from traditional enterprise perimeter solutions.

The main trend in 2016, however, will be a step change in the control and visibility of IT assets and information flows, as enterprises begin to exploit more powerful tools for the discovery, analysis and management of information transfers. The introduction of the EU GDPR will certainly boost the sales of asset management and managed file transfer services.