Chenxi Wang polishes her 2019 crystal ball

Dr. Chenxi Wang, founder of Rain Capital, shares some of her 2019 cyber security predictions about the cloud, GDPR, blockchain, DevSecOps, privacy, and ICS.

’Tis the season for crystal balls—lots of crystal balls. There may still be a month to go in 2018, but in the IT industry, we’re already living in 2019, with an avalanche of predictions from experts eager to tell you what’s going to happen.

And most of those predictions are for more of the same: The next big data breach is very likely to happen, followed by more very big data breaches. Cryptocurrency will be volatile. Blockchain will not be bulletproof. The skills shortage will continue. Nation-state cyber espionage—economic and otherwise—will ramp up. Attacks on critical infrastructure will get more sophisticated and more damaging.


Not that predictions are a bad thing—planning ahead is a good thing. But some forecasters are more expert than others. One of them is Dr. Chenxi Wang, founder and managing general partner at Rain Capital, a San Francisco firm focused on investing in cyber security startups.

Wang began her career as a member of the computer security faculty at Carnegie Mellon University. After that, she gained a decade of experience working at firms like Forrester Research, Intel Security, CipherCloud, and Twistlock.

She is also the founder of the Jane Bond Project, a strategy and research consulting firm that combines technology research, product strategy, and advocacy for bringing more women into technology.

She holds a Ph.D. in computer science from the University of Virginia.

And she offered a half-dozen predictions for 2019 that point to continued and growing opportunities in cyber security.

1. Increasing cloudiness—which is a good thing


The cloud is increasingly the place to be. Many organizations in the smaller-to-midsize range are nimble enough to move easily to the public cloud, while larger ones with legacy infrastructure take more time. That means opportunity for the security industry.

“We’re seeing more pervasive demand and use of cloud security controls,” Wang said. “That is, controls that can work in multi- and hybrid cloud environments. They will not only deliver compliance in the cloud when you move your workload there, but deliver visibility as well with real-time controls, done in a way that is a lot more automated, which means less manual work.

“Today it is still manual-intensive, but I believe there will be more innovation in auto security control.”

2. GDPR’s worldwide reach brings reach for security too

Yes, the General Data Protection Regulation is specific to the European Union. However, all but the smallest, most local companies want to do business there. Which means the effect of the law is global. And so is the demand for better cloud security.

“With GDPR six months along, we’re seeing increased demand for enterprise data security mechanisms,” Wang said. “That includes data discovery, classification, and tagging. It requires closed-loop control—once I discover a category of data, I want to apply a set of policies: who can create, move, or store it, and how it goes to expiration.”

3. Blockchain blowback

Cryptocurrency is already taking a beating. Bitcoin, which some forecasts claimed would top $25,000 in 2018, instead crashed from a high of $13,860 to less than $4,000 at the end of November.

Wang predicts a reality check for blockchain as well. “I think we will see a bit of blowback on all the blockchain initiatives versus the hype—a reduction in interest,” she said, adding that this might not be such a bad thing. “There is the potential consolidation of blockchain efforts, which means the remaining initiatives will be for meaningful use and enterprise cases.”

4. DevSecOps rising

“I think we will see continued interest in DevOps security, and that will impact how app security is consumed and used by organizations,” Wang said. “That is both in-house software development and platform-as-a-service (PaaS) development in the cloud environment. We see new AppSec solutions being developed for the cloud-native environment rather than having all the tools in-house.”

5. Privacy a priority—really?

Yes, the ongoing irony about privacy is that people get outraged at things like the Facebook/Cambridge Analytica scandal, but then Facebook still keeps adding users.

“People do want their app more than privacy,” Wang said.

But she believes there will be enough critical mass in consumer demand for privacy that “it will lead to privacy preserving technologies being built into applications and services.” These technologies include “homomorphic encryption (which allows computation on ciphertexts, generating an encrypted result that, when decrypted, yields the same result as if it had been performed in plaintext) and multiparty computation,” Wang said. She added that while this prediction is obviously related to her prediction on GDPR, it is large and important enough to be on its own.

“Those technologies have been around for a while, but in very academic settings—not in commercial or field operational use,” she said. “But I think the demand for privacy is urgent enough that we’ll see them built into real applications and service.

“The trick will be to see if there is a way for homomorphic encryption and multiparty computation to enrich those apps without impacting user experience.”

6. Smart—and disconnected

This, Wang admits, is “a little aspirational,” but she believes that another “wave of attacks on smart devices in industrial control systems [ICS] in 2019 will drive further investment and innovation in this area.”

And what will that innovation include? She said she believes a major component of it will be to “stop making connected devices for the sake of being connected.”

Which would probably increase ICS security by orders of magnitude, at least until the next generation of equipment, given that the legacy infrastructure was designed to operate safely but not to be connected.

*** This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: