Anthony Young and Scott Nicholson, Co-CEOs, Bridewell, discuss the evolution of cybersecurity over the past 10 years, considering some interesting trends that have developed as well as a look at what’s to come.
For some industries, not a lot changes in the space of 10 years. In cybersecurity, however, the last decade has seen its status elevated to become one of the most business-critical functions across industries and regions. At the same time, technologies have evolved, with systems and devices becoming increasingly connected. But as we all know, greater connectivity creates greater risk for organisations. A single cybersecurity incident can unleash wide-ranging consequences that impact a broad swathe of business operations.
Since Bridewell’s inception in 2013, the repercussions of a cyberattack have evolved from reputational damage and regulatory fines to life-threatening consequences. Malicious actors continue to set their sights on the interconnected systems that people depend on daily – from energy and water to communications, government and defence. With our critical national infrastructure (CNI) increasingly becoming a viable target for cyberattacks, maintaining a proactive and robust security posture is more important – and challenging – than ever. There’s a lot to unpack in just 10 years of cybersecurity.
The early years: Evolution of cyber threats (2013-2019)
In the early/mid 2010s, many organisations were starting to break their dependence on paper-based processes and take the first steps towards Digital Transformation. Many were commencing cloud migration in search of greater cost-effectiveness, efficiency, scalability and flexibility. As they did so, they introduced new vulnerabilities into their IT architectures. For example, cloud workloads were often producing high volumes of actionable data and detailed information that could lead to compromise if misconfigured – and many organisations lacked the skills and technology needed to maintain visibility and security of their new cloud environments. Misconfigurations and poor access controls were also expanding the attack surface, giving criminals much bigger targets to hit and the promise of financial gain. Consequently, ransomware became a dominant form of cyberattack, with ‘CryptoLocker’ infecting more than 250,000 systems between September and December 2013.
The rise of ransomware increased awareness of cybersecurity among businesses, catalysing its emergence as a boardroom governance concern. But while organisations were recognising the need for more sophisticated security infrastructure, a key challenge in the early years for Bridewell was gaining trust, largely due to a lack of name recognition. Through developing close customer relationships, strengthening strategic partnerships and gaining a series of industry-leading accreditations and certifications, Bridewell was able to build trust and credibility among the UK’s CNI. Moreover, Bridewell was showing it could deliver on complex security operations where other providers had previously failed, moving away from time and materials consulting and ensuring all projects were delivering specific and measurable outcomes for clients.
As cyberthreats evolved and became more sophisticated, security companies like Bridewell had to diversify their portfolio to include services such as data privacy, penetration testing and managed security services.
Furthermore, monitoring and reacting to threats within the confines of a 9-5 work schedule wasn’t enough to defend against the increasingly complex cybersecurity challenges organisations faced at the time. Companies had a demand to monitor for potential threats round the clock, evolving their security measures and capabilities to keep pace with the threat landscape. To meet this demand, Bridewell opened its 24/7 Security Operations Centre (SOC) in 2019, to manage constant threat monitoring, prevention, detection and response.
COVID and connectivity (2020-2022)
Like many industries around the world, cybersecurity changed in March 2020. The pandemic and the subsequent rise of remote or hybrid working led to the increased digitalisation and connectedness of our society. CNI was no exception – in fact, the rapid change of pace has caused critical systems and assets to become more IoT-driven, interconnected and interdependent than ever before.
The convergence of IT and OT was a particularly significant development, improving efficiency and supporting remote working – but also introducing new security risks. It was a crucial point in time for CNI organisations as society relied on them more than ever – increasing the appetite for hackers. The last thing these organisations needed was to have operations impacted by a breach, so at Bridewell, it was imperative to respond to these challenges by developing several free cybersecurity offerings to health sector organisations and charities. Against the backdrop of the pandemic, Bridewell invested further in its people, processes and technology, opening five new UK regional offices in 2021, steadily doubling its headcount and expanding its client base.
The lessons of the past three years should have taught everyone that Digital Transformation and security transformation go hand in hand. A series of high-profile CNI hacks made global headlines – such as the Colonial Pipeline attack. As increased interconnectivity continues to drive greater frequency and severity of cyberattacks, these incidents lay bare the need for a more integrated, threat-led approach to cybersecurity. Accordingly, organisations must shift from a reactive to a proactive security stance to build cyber-resilience as threats continue to evolve.
Geopolitical and economic pressures (2022-now)
The rising threat of cyber warfare has had a profound effect on almost all organisations in the CNI sector. Bridewell research found that 72% of organisations had experienced an increase in cyberattacks in the months following Russia’s invasion of Ukraine.
With both IT and OT teams under heightened pressure to strengthen their cyber defences, the need to protect critical CNI business functions is an issue that transcends physical borders. Cyberthreats have not only grown in volume and sophistication but are also increasingly globalised and interconnected.
Recognising these challenges, in 2022, Bridewell expanded into the US market and opened its first office in Houston’s Energy Corridor. This move reflects the growing international need for strengthened cyber defences as attack methods continue to outpace regulations, policies and strategies. Economic hardship is also leading to increased cyber-risk, with high inflation and the ongoing cost-of-living crisis potentially fuelling a rise in insider threats. As some organisations reconsider their cybersecurity spend in light of spiralling costs, it’s vital that they continue to invest wisely in the right tools, technologies and services to support cyber-resilience.
Looking towards the next 10 years
While security and technology will invariably evolve over the next decade, it’s more important than ever to take a people-first approach to cybersecurity. After all, cybersecurity is not just underpinned by technological architecture – it is fundamentally shaped by human behaviour and decision-making. With recent geopolitical upheaval and economic uncertainty shaping people’s outlooks, hopes and fears, the ‘human factor’ is set to take centre stage in creating and maintaining safe, secure digital environments in years to come. As such, a human-first approach will need to encompass security education and training, the development of internal cyber talent – and much more.
The next generation of cyber talent
Organisations focusing on the future of cybersecurity must also be aware of the much-publicised shortage of cybersecurity talent. Currently, the demand for individuals with specialist insight and practical skills is growing so rapidly that it far outstrips supply. This throws into sharp relief the importance of developing a diverse range of talents and skillsets.
The cyber skills gap continues to widen across many industries, but the cybersecurity sector has been slow to diversify the pool of abilities from it which it draws talent. Encouragingly, more women are now entering the industry, along with more individuals from LGBTQIA+ and neurodiverse backgrounds. A career in cybersecurity is set to become a much more attractive option to people from a broader spectrum of socioeconomic and educational settings. This will catalyse the emergence of better-developed higher and further education partnerships, apprenticeship schemes and the continuing evolution of the NCSC CyberFirst Schools / Colleges scheme. For Bridewell, the recent opening of a state-of-the-art SOC in Wales is very much at the forefront of this necessary trend.
It is important not just to tick boxes but to create genuine diversity of thought and experience within a cybersecurity company. With a healthy pipeline of talent to come, Bridewell will continue to meet tomorrow’s cybersecurity challenges and opportunities head-on.
Click below to share this article