Results of 2024 in information security: what made the past year memorable
While some of us are still easing back into a working rhythm after the holidays, and others are making the big, long-postponed decisions that always seem to wait for the new year, we decided to share our own version of the main results of the year for the Russian information security market.
Whichever of these two groups you belong to, we are sure everyone will find it useful to look back at 2024 from the already arrived 2025. So let's recall together the trends that stood out in the past year, so that we can take them into account in the year ahead.
So, let’s go!
The staffing shortage has intensified
We wrote at length about this topic in our Telegram channel back in 2023. The trend continued in 2024, and experts predict that the shortage of staff in the field will only deepen.
Regulatory requirements are getting tougher, import substitution is progressing, and businesses need new people not only in familiar positions but also in new roles that did not exist before. All of this drives strong growth in demand for qualified personnel. At the same time, those personnel are increasingly moving into adjacent areas, for example secure development (DevSecOps), which shrinks the available pool even further.
For the coming years, outsourcing, or Security as a Service, will remain the main workable answer. Such services help businesses cover their needs while reducing costs and time-to-market, but there is no magic here: the providers face the same shortage, which forces them to offer specialists better conditions and, as a result, to raise the prices of their services. Their advantage is that their processes are well established and information security is their core business. That is usually more attractive to a specialist, since such an employer can offer not only competitive pay but also more interesting, technically demanding projects and tasks, i.e. better professional growth.
For 2025, we forecast rising demand for services of this kind alongside a growing shortage of personnel. We therefore again recommend that businesses look towards outsourcing, which will not only improve the quality of protection but also substantially reduce the costs of solving the staffing problem in-house.
Supply chain attacks are trending
Colleagues report a significant rise in such attacks in 2024, both quantitative (there are more attacks) and qualitative (a larger share of them succeed).
Whereas just a few years ago such incidents were more the exception, in 2024 they became our new reality.
We attribute this to the fact that large Russian businesses have, on the whole, reached a level of security that outstrips the capabilities of the overwhelming majority of attackers. At the same time, attackers are not particularly interested in small businesses, since there is often no financial sense in attacking them.
These factors push attackers towards third-party contractors who, by the nature of their business, may have access to the sensitive data of large players but do not have a comparable level of protection. Many such attacks succeed, as the growing absolute number of them shows.
We forecast further growth in the number of such attacks, legislative changes aimed at making businesses secure their supply chains, and the development of a market for software that secures interaction with contractors.
We also recommend taking a particularly responsible approach to security when working with third parties: the risk of a leak from that side is especially high right now.
Import substitution successes
We also discussed this topic in our Telegram channel at the end of the year.
According to experts, by the end of 2024 import substitution had reached about 80% of the tools in use at commercial organizations.
That can be called a success. However, many practitioners note that the quality of Russian solutions still lags behind foreign counterparts. We believe this is an issue that time will resolve.
We predict that information security budgets will now be partly redirected to other, equally important matters, in particular to building full-fledged, working information security processes, which we see as the industry's main area of growth in the coming years.
Connecting to GosSOPKA has become easier
In September 2024, the National Coordination Center for Computer Incidents (NCICC) simplified the procedure for joining the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks (GosSOPKA). Interaction regulations can now be concluded by accession to a standard agreement. The process has become more convenient and understandable for businesses, which is why we are seeing growing interest in this tool.
This will certainly have a positive effect on the overall maturity of information security by making continuous monitoring more accessible. There is another, less obvious benefit: as commercial SOCs (those holding all the required licenses and accreditations) become more popular, their providers can devote more resources to developing the service, which in turn improves the quality of their work.
Notably, any business can connect to GosSOPKA. For CII subjects it is mandatory; for other companies it is currently a recommendation. But the general direction of Russian digital legislation suggests that this may become stricter in the foreseeable future, and that the list of companies obliged to connect may expand.
We recommend making the decision now, as it raises the real level of information security not only in a particular company but across the board: the more sources of information about incidents, infrastructure and processes there are, the more effective the decisions made at every level.
The "I don't want to be a CII subject" trend continues
Despite the simplification of CII protection mechanisms described in the previous point, we note another negative trend: many companies that fall under the definition of a CII subject increasingly seek to understate certain parameters in order to avoid categorization and, as a result, do not comply with the relevant requirements.
The motivation is understandable: nobody wants to take on additional risk and expense. But this harmful practice can lead to serious problems down the line, including ones that are far from obvious today.
The market offers a solution for these situations too: service providers and vendors have limited fixed-price tariffs and cheaper products built on open-source solutions. Yes, you then sacrifice some convenience or functionality in exchange for budget savings. But that is far better than sacrificing security, especially in light of the much-discussed law on turnover-based fines for personal data leaks, which we discuss below.
We predict that next year the regulator may take a number of decisions that close off this possibility, so avoiding liability, with all its consequences, will become harder.
Adoption of landmark changes in legislation
At the end of the year, Russian President Vladimir Putin signed the law on turnover-based fines, which significantly toughens the penalties for allowing personal data leaks, for both legal entities and individuals. In addition, criminal liability was introduced for the illegal use of such data. We covered the changes in more detail in our Telegram channel.
This is the result of years of discussion in the industry, and various experts predicted it several years ago. The main purpose of the changes is to motivate businesses to actually invest in data protection and to put an end to the absurd situation in which one record of compromised data cost a company a few pennies in fines.
The law comes into force in 2025, which means the value of genuine information security will increase many times over. This will undoubtedly increase demand for information security services and products, and the additional costs, as always, will fall on the end customer. But we believe that is a reasonable price for security.
Forecast for 2025
Summarizing all of the above, in 2025 we forecast further development and refinement of regulatory requirements for business, the closing of remaining "holes" in the legislation, and special attention to the security of third parties, i.e. contractors. Interaction between the regulator and business will continue to be simplified, making the process of raising the level of information security even more convenient, cheaper and faster.
The staff shortage will persist and even worsen, as demand for qualified personnel will keep growing. In this regard, we forecast the development of domestic training programs for specialists, efforts to attract newcomers to the industry, and the emergence of the first systemic professional standards, both private and public, to replace those that have left Russia.
Special attention will be paid to cyber hygiene, both among "ordinary" citizens and at the corporate level. Active work will be done on centralized platforms for training and certifying responsible officers.
2025 will be the year when the value of real, effective information security increases many times over, and nominal or "paper" security begins to become a thing of the past. This year, cyber security will become a real issue for every business, driving up demand for solutions and services. In turn, the market for domestic solutions will continue to develop, and import substitution will be almost 100% complete.
So do not put off the decisions and work needed to develop your corporate information security: there will be no way around them. And the earlier you start on these tasks, the easier and faster you will get results.