Another data breach, a new virulent variant of ransomware, burnt-out employees, too little money, and too many threats — the world of cybersecurity can seem grim. While there is no denying the prevalence of these challenges, there is reason to be hopeful.
“When I think about optimism in cybersecurity, I really focus on people, process, and technology,” says Meg Anderson, CISO of Principal Financial Group. People are putting in the work to push cybersecurity forward. Processes are evolving to combat threats. With new technology comes the possibility of better defenses.
Anderson and five other cybersecurity leaders share what fuels their belief in a bright future for their field.
1. Leadership buy-in
Cybersecurity hasn’t always been recognized as an important business investment. It has a history of being sidelined and siloed as an IT-only issue. Leadership has become increasingly aware that cybersecurity needs to be integral to their organizations’ strategies. Buy-in across the entire leadership team means more awareness of and resources for cybersecurity.
“C-suites and boards across industries are asking the right questions and acknowledging cybersecurity as a critical component of their business,” says Phil Venables, CISO of Google Cloud.
2. Individual awareness
Executives and boards are more aware of cybersecurity, and so are individual employees and consumers. “We’ve definitely shifted the thinking that somebody else is going to fix this for us to knowing that we all play a part in keeping our information and our money safe,” Anderson observes.
Human error remains a leading cause of breaches, making individual awareness and education an important part of basic cyber hygiene.
Neil Jones, director of cybersecurity evangelism at Egnyte, has seen companies finding ways to incentivize employee participation in cybersecurity, such as gift card promotions for spotting phishing emails. “This has rapidly diminished the ‘us versus them’ mentality that many users previously experienced with IT security teams,” he says.
3. Cybersecurity education
Cybersecurity awareness has grown in part due to the available paths in education. “When I first earned my designation in 2008, almost no one outside of the cybersecurity industry knew what my certification was, but today broad awareness of cybersecurity certifications is commonplace,” Jones shares.
Anderson has also seen higher education introduce more options for cybersecurity degrees and training during the 15 years she has been in her current role. This continued trend gives hope that more people will be prepared to fill the much-needed jobs in cybersecurity.
“Our industry will need to continue to invest in training programs, certifications, and educational initiatives to develop a skilled workforce capable of tackling evolving cyber threats,” says Steve Tcherchian, CISO and chief product officer at XYPRO.
4. Public-private collaboration
The new National Cybersecurity Strategy announced by the Biden Administration this year emphasizes the importance of public-private collaboration. Google Cloud’s Venables anticipates that knowledge sharing between the public and private sectors will help enhance transparency around cyber threats and improve protection.
“As public and private sector collaboration grows, in the next few years we’ll see deeper coordination between agencies and big tech organizations in how they implement cyber protections,” he says.
The public and private sectors also have the opportunity to join forces on cybersecurity regulation. “One of the things that I am optimistic about is specific regulators hearing the message around regulatory harmonization,” says Anderson. Regulatory harmonization could reduce complexity by creating more standardization while still achieving the goal of compliance.
5. Information sharing
Venables has long-term optimism about cybersecurity because more and more threats are being identified. “While on paper it may appear that the number of security incidents are increasing, that’s also because we’re identifying more threats across a larger attack surface than ever before,” he says.
Dissolution of some walls in cybersecurity is a good thing. The more defenders share with one another, the stronger they can make their defenses against threat actors. The cybersecurity industry has demonstrated a willingness to participate in information sharing. “We band together in groups. We have industry frameworks. We create best practices,” Anderson points out.
“I’ve seen changes in the way practitioners approach cyber risk. Net, they are more pragmatic than before, sharing information more freely and willing to learn from previous missteps,” says Kris Lovejoy, global practice leader, security and resiliency, at Kyndryl.
The amount of free cybersecurity resources available also buoys the industry. Small and mid-sized organizations don’t always have the budgets to invest in cybersecurity talent and resources, but they can turn to government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and initiatives like the Cyber Readiness Institute to bolster their cybersecurity knowledge and preparedness.
6. Secure products
Stakeholders want to see software manufacturers develop and offer products that address security from the beginning, not as an afterthought. CISA joined forces with the Federal Bureau of Investigation, the National Security Agency, and the cybersecurity authorities of six countries to release guidance on secure-by-design and -default products.
“Security products need to mature and facilitate business goals while ensuring that data and privacy are preserved,” says Purandar Das, CEO and cofounder of Sotero.
Secure-by-design and -default principles play a role in strengthening cybersecurity for the myriad organizations that use software products.
7. Solution consolidation
As the cybersecurity product market matures, embracing secure-by-design and -default principles will not be the only change. XYPRO’s Tcherchian is also optimistic about the consolidation of cybersecurity solutions.
“Cybersecurity consolidation integrates multiple cybersecurity tools and solutions into a unified platform, addressing the crowded and complex nature of the cybersecurity market,” he explains. “This integration streamlines security operations, reduces costs, and enhances security visibility by aggregating and analyzing data in a single location.”
Egnyte’s Jones expects that there will be fewer vendors dedicated to a single type of security solution. “The most successful IT security providers will accept what their customers have already come to expect: that cybersecurity needs to be viewed comprehensively,” he says.
8. AI and machine learning
Artificial intelligence (AI) and machine learning (ML) are at the forefront of technology reshaping the cybersecurity industry. While cybersecurity stakeholders recognize that threat actors will also be leveraging these technologies, they will be able to use AI and ML to fuel cyber defenses.
For example, AI and ML have the potential to automate essential cybersecurity activities. “AI/ML will play a big part in data collection, analysis and actions, alleviating skills and resource challenges,” says Das.
9. Quantum and edge computing
Quantum computing is able to solve problems that go beyond the capabilities of conventional computers, which has plenty of potential benefits for cybersecurity.
“To ensure robust data security, researchers are actively developing quantum-resistant cryptographic methods, also known as post-quantum cryptography,” Tcherchian offers as an example. “By simulating complex systems to identify vulnerabilities, this development bolsters cybersecurity measures and encourages proactive approaches.”
Tcherchian is also optimistic about the potential of edge computing in cybersecurity. Edge computing is all about processing data as close as possible to its original source. “By processing and managing data at the network’s edge, close to its source, sensitive data and systems are better protected against unauthorized access,” he says.
Cybersecurity leaders will face both challenges and opportunities as new technologies like this continue to advance. “To get ahead, businesses must ‘lean in’ and evaluate technologies for both risk and possible reward,” says Kyndryl’s Lovejoy.
A shift in attitude fuels big-picture optimism in cybersecurity. Instead of clinging to the idea that all cybersecurity incidents can be prevented, organizations are adopting a blend of prevention and incident response. Lovejoy describes this balance as cyber resiliency. “Cyber resiliency … goes beyond what we think of as only traditional cybersecurity and includes the ability to anticipate, protect against, withstand and recover from any and all cyber-related events,” she explains.
Optimism doesn’t come without hard work and recognizing the realities of the threat landscape.
“Optimism doesn’t mean that you’re naïve. Cybercrime will continue to happen, but if we’re better able to recover from incidents, we’ll be more resilient to any of the impacts,” says Principal Financial Group’s Anderson.
The big picture is bright, but it can be easy to get lost in the trenches of the day-to-day work. How can people remain optimistic despite the noise and challenges in cybersecurity?
For Venables, it is about remembering the mission that comes with security roles. “It’s not a stretch to think that our roles are quite simply about defending people’s lives and livelihoods, defending the free flow of capital and ideas that are essential for human progress,” he says. “If you buy into this mission, then all else is worthwhile.”