The fact that Chubb, a casualty insurance company, published a top cyber threats report for 2019 is, in itself, a cybersecurity trend to watch for 2019. It reveals that insurers understand the risk and threat landscape better than they did in 2016, when SANS published its first cyber insurance survey report. Today, the efforts of these insurers are resulting in cyber risk frameworks that touch on many other areas trending around cybersecurity in 2019.
Cyber risk management frameworks were heavily peddled at the BlackHat and RSA conferences in 2018 - mostly by security vendors rather than by insurers. Nowadays, Chubb, like many insurers, has its own Cyber Enterprise Risk Management framework. Other insurance-focused providers, such as Advisen, even hold conferences around cyber risk. Meanwhile, companies that support insurers, including Kovrr, have also developed cyber risk metrics to be used in measuring and valuing cyber risks.
Cyber risk metrics touch on asset and vulnerability assessment, user behavior analysis, threat detection, response and beyond. Metrics also apply to all platforms and apps organizations and their authorized workers use, including those on premises, in the cloud and on mobile devices.
Metrics-driven risk management also applies to today's IoT systems, which Chubb specifically calls out as a 2019 trend in its report. And metrics are important for meeting regulatory requirements, which the Chubb report labels the topmost trend affecting companies in 2019. GDPR will be another particularly vexing requirement trending in 2019, according to a report in Gigabit.
The Gigabit report also calls out cloud security and a shift toward cyber hygiene - or defeat by design, as my long-term associate, Tony Zirnoon (formerly with TrapX and VSS, now in security VC), likes to call it.
The concept of "secure by design" is perhaps the biggest improvement we'll see in 2019. While we can't keep out all attackers, we can at least raise the bar by practicing basic good hygiene. The short list includes locating and assessing all digital assets and their users, cleaning out user accounts and apps no longer in use, strengthening access rules, hardening systems, educating users, and always monitoring for unauthorized changes or suspicious (abnormal) behavior.
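One item on that hygiene list, cleaning out accounts no longer in use, is easy to state and easy to get wrong in practice: a naive "no login in 90 days" rule either misses accounts that have never logged in or flags brand-new ones. The script below is an added illustration, not code from the article or from any vendor it mentions; the account records are constructed sample data, and the `Account` layout, the 90-day idle threshold and the 30-day grace period for never-used accounts are assumptions a real review would take from its own identity inventory and policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the sample results are reproducible (assumption: a real run
# would use datetime.now(timezone.utc)).
NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)


@dataclass
class Account:
    """One identity-inventory record (hypothetical layout)."""
    name: str
    enabled: bool
    last_login: Optional[datetime]  # None means the account has never logged in
    created: datetime


# Constructed sample inventory, not real data.
SAMPLE_ACCOUNTS = [
    Account("alice", True, NOW - timedelta(days=3), NOW - timedelta(days=400)),
    Account("bob", True, NOW - timedelta(days=120), NOW - timedelta(days=800)),
    Account("svc-backup", True, None, NOW - timedelta(days=200)),  # never used, old
    Account("new-hire", True, None, NOW - timedelta(days=5)),      # never used, but new
    Account("carol", False, NOW - timedelta(days=300), NOW - timedelta(days=900)),  # already disabled
]


def find_stale_accounts(accounts, now=NOW, max_idle_days=90, grace_days=30):
    """Return the sorted names of enabled accounts that should be reviewed.

    An account is stale when its last login is older than max_idle_days.
    Accounts that have never logged in are stale only once they are older
    than grace_days, so freshly provisioned accounts are not flagged.
    Disabled accounts are skipped: they have already been cleaned up.
    """
    idle_cutoff = now - timedelta(days=max_idle_days)
    grace_cutoff = now - timedelta(days=grace_days)
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None:
            if acct.created < grace_cutoff:
                stale.append(acct.name)
        elif acct.last_login < idle_cutoff:
            stale.append(acct.name)
    return sorted(stale)


def review_report(accounts, now=NOW, **thresholds):
    """Summarise a review run: how many records were checked and which are stale."""
    stale = find_stale_accounts(accounts, now, **thresholds)
    return {"reviewed": len(accounts), "stale": stale}


if __name__ == "__main__":
    print(review_report(SAMPLE_ACCOUNTS))
```

Run against the sample data this flags `bob` (idle 120 days) and `svc-backup` (never used, 200 days old) while leaving `alice`, the five-day-old `new-hire` and the already-disabled `carol` alone. The output is a review list, not an automatic disable action: the point of the hygiene step is that someone confirms each flagged account before it is removed, and the thresholds are the knobs a policy, or an insurer's risk framework, would set.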