On December 12th, I moderated the #securityinsiderchat on Twitter, where more than twenty cybersecurity experts gathered to discuss their predictions for 2018. It’s always a pleasure and a privilege to learn from a diverse gathering of people and to read their ideas over the course of nearly 300 tweets. Plus, it’s an excellent opportunity to post animated cat gifs in the context of work.

Three major themes emerged during the hour-long chat:

We’re going to see more end-user cybersecurity training.

A common theme across numerous Twitter chats I’ve participated in and moderated during 2017 was the need to train end users to reduce the number of unintentional cybersecurity mistakes in the workplace. The frequency and variety of this training will vary as the training content providers work to differentiate their products in an increasingly crowded marketplace. However, buying training alone will continue to be insufficient. Users from the boardroom to the mailroom need to have a sense of shared ownership and responsibilities in securing their organization’s assets. Organizations that get this right will suffer fewer unintentional breaches, such as disclosures of privileged credentials, business email compromise fraud, and ransomware attacks.

Consider the 2014 breach of JP Morgan Chase. A privileged administrator fell for a phishing campaign and gave out their password for a vulnerable machine on the network. That machine did not have Multi-Factor Authentication (MFA) enabled. With a single password and a single configuration error, the attackers were able to steal information related to 76 million households and 7 million small businesses.

Administrators who don’t move to short-lived systems will spend most of their time patching.

Sumo Logic's Vice President, George Gerchow, dropped a bomb when he said organizations should “[q]uit patching, move to immutable images as fast as possible while getting rid of legacy dependencies.” George’s point was that cloud-based organizations can deploy short-lived virtual machines or containers that have a lifetime of a day or less and are deployed based on a continuously updated master image. This removes the requirement for organizations to patch multiple systems, as there’s only a small set of images that need to be maintained. This is a future-looking architecture, and newer organizations should be able to adopt this mentality.

Unfortunately, organizations with even a small amount of history are inevitably going to have legacy systems. Given the current cadence of patches provided by vendors, legacy systems may soon be defined as any system that’s existed for more than a month. Administrators of these systems will need to choose from one of three unpalatable choices: long, tiresome, and repetitive tasks of deploying software updates on a nearly continuous basis; choosing to implement patches on a less frequent basis and thereby risk pulling an Equifax; or purchasing and implementing automated software to handle the constant stream of updates. On a positive note, the frequency of patches should help validate disaster recovery plans, as systems will need to be rebooted on a far more regular basis.

Organizations whose core competency is not security will need to turn to experts.

Companies are currently struggling with a lack of qualified personnel for cybersecurity roles. Part of this is because while certifications are good for getting jobs, they’re not so useful for doing the actual work. There’s also an unfortunate lack of diversity in cybersecurity, both in terms of gender and in terms of desirable college degrees, whether by unconscious bias or by deliberate hiring requirements. Companies that continue to try to hire from this small field will see market economics at work firsthand, as too many companies try to recruit too few ideal candidates.

Consequently, there will be an increase in the number of expert firms and managed services to address the underlying knowledge gap at organizations that can’t afford the going market rate. These providers may include consulting firms, managed service companies, outsourced security operations centers, training companies, and red teams. These third parties will help companies to identify risks earlier and develop mitigation strategies for organizations whose business differentiator is not cybersecurity. This will be no different from the use of specialized marketing firms or accounting firms to supplement an organization’s internal resources.

The underpinning for these three predictions is the fact that cybercriminals will continue to invest in developing new cyberweapons and attack infrastructure to make illicit profits in 2018. We’ll continue to see the threat worsen until organizations remove the profit incentive for criminals, or at least make it prohibitively expensive for them to operate.