If you’re a security and risk leader, it’s either the best of times or the worst of times. Today, it feels as if not a week goes by without yet another revelation of a large scale cyberattack targeting a trusted corporate brand. Suddenly, business executives who used to avoid you want to be your best friend and are looking at security as an integral piece of the business technology agenda. Why the sudden corporate conviviality? Well, now when there is a major customer breach, it’s not just your job that’s on the line, it’s their job on the line as well – and potentially up to a $1 billion in corporate profits. This means that protecting customers’ data and preserving their privacy can no longer be limited to the CISO or chief privacy officer. In fact, if your company execs are smart, they’ll make it one of their top business and corporate social responsibilities in 2015 – and if they’re not, look for a new job, because you don’t want to be working there.
This is why we predict that in 2015 there will be:
  • Large increases in security budgets, with double-digit growth in some sectors. Outside of banking and the defense industrial base, many sectors are still woefully immature when it comes to investment in security fundamentals and a balanced investment across breach prevention, detection, and response. For business executives, the non-stop breach news of 2014, particularly in the retail sector, was like being awakened from a blissful sleep by a sinister clown with a cold bucket of water and crashing cymbals. Retail, and other industries like healthcare, have a short window of time to get their security house in order before cybercriminals turn their sights on them like a lion stalking the weakest gazelle in the herd.

The downside to all this publicity, executive handwringing, and increased budgets is that it comes with an enormous amount of scrutiny and much higher expectations – not just from business leaders and counterparts in technology management, but also from customers, government agencies, and privacy watchdog groups. In fact, in 2014, we found that most breaches were accompanied by multi-million dollar class action lawsuits and government investigations. Plus, more security budget doesn’t guarantee better security or even increased security maturity.

In fact, in 2015 we predict that:

  • A large majority of companies will discover a breach but botch the response. Typically, it’s not the company that has suffered the breach that actually discovers it. It’s usually a third party like a government agency, security blogger, or a customer who alerts the company to a breach. Last year, only 45% of enterprises reported suffering at least one breach of sensitive data. Anyone who has been in the security industry for more than a few months knows there are only two types of companies: those that have had a breach and those that just don’t know it yet. With new investments in breach detection, we predict that 60% of enterprises will discover a breach. Unfortunately, given that only 21% of enterprises report that improving incident response is a critical priority, we can also confidently predict that most enterprises will lack the ability to respond to the breach in such a way that doesn’t undermine their customers’ trust or drag their corporate reputation through the deep, dirty mud one finds at a monster truck show.

We’ll also be making some predictions as it relates to cyberinsurance, regulatory activity, and law enforcement crackdowns. Forrester clients can download the full report here and see our full list of 2015 Predictions reports. What do you think? Will business leaders finally give customer security and privacy the respect and attention it deserves? Will business leaders finally view their CISO as an enabler of competitive advantage or will they continue to think of him as a helicopter parent with a generalized anxiety disorder?