The list of cybersecurity challenges will remain unabated in 2020, with both emerging and existing threats and opportunities expected to dominate the CISO agenda in the months ahead.
The list of top concerns is broad. Changes and advances in technology, evolving threats, too few security personnel, emerging essential skills and the increasing number of threats are all top issues, according to the "State of Enterprise Risk Management 2020," from IT governance organization ISACA, the CMMI Institute and Infosecurity Group.
Granted, each organization has its own unique set of projects, risks and cybersecurity challenges, but experts have identified a set of common concerns that will keep enterprise security executives hopping throughout 2020 and beyond.
CISOs, analysts, researchers and executive advisors offered more specifics on what they predict will be key topics for the coming year.
Cloud risks continue
Expect more cloud-related cybersecurity challenges to occupy CISOs' time as organizations continue their march to the cloud by moving more and more sensitive workloads out of their legacy data centers, said John Pescatore, director of emerging security trends at the SANS Institute, a resource for information security training, certifications and research. He's not overstating the work ahead: McAfee's "Cloud Adoption and Risk Report," released in fall 2019, found 21% of data stored in the cloud is sensitive, yet only 1% of misconfiguration incidents in enterprise infrastructure are known. McAfee also found only 26% of businesses are equipped to audit for misconfigurations in IaaS.
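The McAfee figures above are about the ability to audit for IaaS misconfigurations at all. As an added illustration of what such an audit check looks like in practice (constructed for this article, not McAfee's or any vendor's tooling), the following walks a set of storage bucket policies in the AWS S3 bucket-policy shape and flags statements that grant access to an anonymous principal. The bucket names, policies and account settings are made up, and nothing here talks to a cloud API; it runs entirely on the embedded samples.

```python
"""Added example: flag public-access grants in IaaS storage bucket policies.

Constructed for this article. The buckets, policy documents and public-access
settings below are made up to mimic the AWS S3 bucket-policy format, and the
audit runs offline over those samples only.
"""
import json

# Constructed samples: one locked-down bucket and one world-readable bucket.
SAMPLE_BUCKETS = {
    "payroll-exports": {
        "public_access_block": {"BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/payroll"},
                "Action": ["s3:GetObject"],
                "Resource": "arn:aws:s3:::payroll-exports/*",
            }],
        },
    },
    "marketing-assets": {
        "public_access_block": {"BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::marketing-assets/*",
            }],
        },
    },
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True when a statement's Principal is anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy) -> list:
    """Return Allow statements granting to an anonymous principal without a
    narrowing Condition. Accepts a policy dict or its JSON text."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped grants (e.g. by VPC endpoint) need a manual look
        hits.append({"actions": _as_list(stmt.get("Action", [])),
                     "resources": _as_list(stmt.get("Resource", []))})
    return hits


def audit_bucket(name: str, bucket: dict) -> list:
    """Findings for one bucket. A public statement is 'high' unless the
    account-level public-access block would neutralise it, in which case it is
    still reported as 'medium' so the policy itself gets fixed."""
    pab = bucket.get("public_access_block", {})
    blocked = bool(pab.get("BlockPublicPolicy") and pab.get("RestrictPublicBuckets"))
    return [{"bucket": name,
             "severity": "medium" if blocked else "high",
             "actions": hit["actions"],
             "resources": hit["resources"]}
            for hit in public_statements(bucket["policy"])]


def audit_all(buckets=SAMPLE_BUCKETS) -> list:
    """Run the audit over every bucket and return the combined findings."""
    findings = []
    for name, bucket in buckets.items():
        findings.extend(audit_bucket(name, bucket))
    return findings


if __name__ == "__main__":
    for f in audit_all():
        print(f"{f['severity'].upper():6} {f['bucket']}: {f['actions']} on {f['resources']}")
```

The point of the example is the gap the survey describes: a grant to `Principal: "*"` is trivial to detect once you look, and the account-level public-access block is a second control worth checking alongside the policy rather than instead of it.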
Ransomware threats escalate
Security chiefs can expect little relief from one of their biggest headaches of 2019: the threats posed by ransomware. They saw both the number of ransomware attacks and resulting damage increase in 2019, and experts warn of further escalation of such malware in the future. In fact, top U.S. government security officials are raising alarms, saying bad actors could use ransomware to disrupt the 2020 elections, while others are warning of the growing sophistication of attacks, noting that organizations with vulnerabilities will be specifically targeted as ransomware becomes smarter. The "McAfee Labs 2020 Threats Predictions Report" stated that "the targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks," with cybercriminals extorting their targets first to unlock their files and a second time with a threat to disclose any compromised sensitive data.
Physical security becomes an issue
Physical security will gain more prominence in 2020 security plans as more organizations implement internet of things (IoT) devices. True, security teams have long had to think about securing hardware; they had to consider what to do if a laptop is stolen or a data center floods. But IoT adds a new and more complex wrinkle, said Tom Scholtz, chief of research for security and risk management at Gartner. IoT creates vastly more endpoints, often handling increasingly critical or sensitive data that is now spread out across a wider geography. And if they're not properly secured, those endpoints are vulnerable both to physical attacks or mishaps -- for example, a worker accidentally knocking an essential sensor offline -- and to hackers on the other side of the globe.
Politics will impact planning
The upcoming year could have CISOs paying even closer attention to political maneuvering and evolving national policies, as both could impact their decisions, said Allan Boardman, an independent business advisor for CyberAdvisor.London and a former ISACA board director. Politicians have increasingly taken on cybersecurity-related issues, establishing more rules and regulations that shape what organizations can and cannot do.
This goes beyond data privacy laws. Lawmakers are implementing policies that affect where data can be stored and even which vendors can be used. Consider the 2019 U.S. move to ban transactions with Chinese telecom giant Huawei Technologies Co., the 2017 U.S. federal government ban on using Kaspersky antivirus products, and the ripple effect both decisions had throughout the private sector. Moreover, these new rules come at a time of increasing IT infrastructure complexity, particularly for companies with any sort of international footprint, which makes it much more difficult for CISOs and their teams to determine how to make all the moving parts comply with the growing set of rules.
Good luck finding people to work on all this …
All of these issues will create a full docket of work for enterprise security teams, but CISOs can expect another year of staffing challenges as demand for qualified security workers exceeds supply. (ISC)², a security professional training and certification organization, in its 2019 Cybersecurity Workforce Study, calculated the cybersecurity workforce gap at nearly 500,000 in the United States alone, noting that the cybersecurity workforce needs to grow by 62% to meet the talent demands coming from U.S. businesses.
CISOs are equally concerned about their teams having the right skills moving into the future. ISACA surveyed more than 5,000 business technology professionals for its report, "Next Decade of Tech: Envisioning the 2020s," and found that only 18% of respondents expect the cybersecurity skills gap to be mostly or entirely filled in the new decade. Omar Khawaja, CISO of national health and wellness organization Highmark Health, said he sees that challenge and is working to address it by implementing new ways to identify, train and employ talent.
The California Consumer Privacy Act went into effect on Jan. 1, 2020. CCPA and the European Union's General Data Protection Regulation, which went into effect in 2018, are just the start. Experts are advising CISOs to brace for an onslaught of new privacy regulations that require them to implement multiple (and perhaps even contradictory) standards for how they access, store and manage protected personal information -- standards that security departments will have to prove they are meeting to their CEOs, boards and regulators.
Optimization, rationalization will be essential to keeping up
A majority of enterprise security leaders expect to have more money next year. Cybersecurity vendor FireEye interviewed 800-plus CISOs and other senior executives and found that 76% will have a bump in their budgets for 2020. Yet the same survey showed 90% believe the cyberthreat landscape will stay the same or even worsen. "So if my risks are growing at 20% to 30% a year, how do I keep my budget flat or growing only at 4% a year and still have the security we need?" Khawaja said. His answer: optimization -- a step that he and other experts predict will be top of mind for many CISOs.
Similarly, CISOs will be looking at rationalization moving ahead as a result of a burgeoning security tech portfolio that has grown unwieldy in many organizations. "There's just been a spending shotgun sort of approach to cybersecurity tooling," said cybersecurity advisor and veteran CISO Tony Scott. "It's one tool after the other after the other. I see in 2020 a fair amount of consolidation occurring and the realization that yet another tool isn't going to solve the issue." The good news? Simplifying could actually strengthen the security posture at many organizations by making fewer tools far more effective and also freeing up staffing and budget to go after higher-value tasks.
Getting business on board to battle cybersecurity challenges
Security and privacy issues are among the top 10 risks for 2020 that business leaders identified, according to the "Executive Perspectives on Top Risks 2020" report that drew from a survey of more than 1,000 board members and C-suite executives. The research was conducted by global consulting firm Protiviti and North Carolina State University Poole College of Management's Enterprise Risk Management Initiative. Yet many business-side executives continue to view security as a cost center. "In most cases, executives view their investment in security with the same level of enthusiasm as the rest of us view renewing our insurance premium. They want to spend as little time and money as possible on it," Gartner's Scholtz said. Khawaja said CISOs need to counter that perspective by positioning security as a business enabler and aligning the security team's objectives with those of the organization as a whole.
Watch for AI to help -- and hurt -- cybersecurity efforts
Another key development for 2020: the rise of artificial intelligence within the enterprise security technology stack. The Capgemini Research Institute's 2019 report "Reinventing Cybersecurity with Artificial Intelligence" found that more than 75% of the 850 IT and security executives surveyed are testing AI in their cybersecurity efforts, with three in five firms saying AI improves the accuracy and efficiency of their cyber analysts. But AI is also becoming a critical tool for bad actors who are eager to use it for their own nefarious purposes. "It's capable of learning with zero human intervention, so you have to be worried about the economy of scale of attacks. An algorithm can work 24/7, and it doesn't tire," said Ramsés Gallego, past ISACA international vice president and now security, risk and governance international director for software company Micro Focus.
Zero trust moves into the mainstream
"Zero trust is the way many CISOs are going to handle this escalation of connecting everything to the network, because the best bet is to not trust anything and to move trust down to the data layer -- or move trust down to the device layer, make each device earn the trust to get on the network," said Gary Hayslip, director of information security at SoftBank. Some experts said they expect zero trust to become more widely used in 2020 and the upcoming years.
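To make concrete what "make each device earn the trust to get on the network" means for a per-request access decision, here is an added example of a small policy evaluator in that style. It is constructed for this article and is not SoftBank's or any vendor's policy engine; the user, device, resource and sensitivity fields, the group table, the attestation-age threshold and the sample requests are all assumptions. The one property that matters is visible in the code: the network the request arrives from is recorded but never consulted, so a stale or unmanaged device is refused even when it sits on the corporate LAN.

```python
"""Added example: zero-trust style per-request access decisions.

Constructed for this article; not any real product's policy engine. Every
field name, group, threshold and sample request below is an assumption.
"""
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool              # enrolled in device management
    disk_encrypted: bool
    os_patched: bool
    attested_minutes_ago: int  # age of the last posture/attestation report

@dataclass
class User:
    username: str
    groups: set
    mfa_verified: bool         # MFA completed for this session

@dataclass
class Request:
    user: User
    device: Device
    resource: str
    sensitivity: str           # "public", "internal" or "restricted"
    source_network: str        # logged only; deliberately not used in decide()

# Constructed policy table: which groups may reach which resource at all.
RESOURCE_GROUPS = {
    "wiki": {"staff", "engineering", "finance"},
    "payroll-db": {"finance"},
    "prod-console": {"engineering"},
}
MAX_ATTESTATION_AGE_MIN = 60   # assumed freshness requirement

def device_trust(device: Device) -> list:
    """Reasons the device falls short of policy; an empty list means trusted."""
    reasons = []
    if not device.managed:
        reasons.append("device not managed")
    if not device.disk_encrypted:
        reasons.append("disk not encrypted")
    if not device.os_patched:
        reasons.append("OS unpatched")
    if device.attested_minutes_ago > MAX_ATTESTATION_AGE_MIN:
        reasons.append("stale attestation")
    return reasons

def decide(req: Request) -> dict:
    """Evaluate one request. Returns {"decision": allow|deny|step_up, "reasons": [...]}.
    Identity is checked first, then device posture scaled to data sensitivity."""
    allowed = RESOURCE_GROUPS.get(req.resource, set())
    if not (req.user.groups & allowed):
        return {"decision": "deny", "reasons": ["user not authorised for resource"]}
    gaps = device_trust(req.device)
    if req.sensitivity == "restricted":
        if gaps:
            return {"decision": "deny", "reasons": gaps}
        if not req.user.mfa_verified:
            return {"decision": "step_up", "reasons": ["MFA required for restricted data"]}
        return {"decision": "allow", "reasons": []}
    if req.sensitivity == "internal":
        if "device not managed" in gaps:
            return {"decision": "deny", "reasons": ["device not managed"]}
        if gaps and not req.user.mfa_verified:
            return {"decision": "step_up", "reasons": gaps}   # MFA as compensating control
        return {"decision": "allow", "reasons": gaps}
    return {"decision": "allow", "reasons": []}             # public resource

# Constructed sample requests. Note the second one comes from the corporate
# LAN and is still refused: location earns nothing, the device must.
FINANCE = User("alice", {"staff", "finance"}, mfa_verified=True)
ENGINEER = User("bob", {"staff", "engineering"}, mfa_verified=False)
HEALTHY = Device("lt-001", managed=True, disk_encrypted=True, os_patched=True, attested_minutes_ago=5)
STALE = Device("lt-001", managed=True, disk_encrypted=True, os_patched=True, attested_minutes_ago=180)
UNPATCHED = Device("lt-002", managed=True, disk_encrypted=True, os_patched=False, attested_minutes_ago=5)

SAMPLE_REQUESTS = [
    Request(FINANCE, HEALTHY, "payroll-db", "restricted", "corp-lan"),
    Request(FINANCE, STALE, "payroll-db", "restricted", "corp-lan"),
    Request(ENGINEER, UNPATCHED, "wiki", "internal", "coffee-shop-wifi"),
    Request(ENGINEER, HEALTHY, "payroll-db", "restricted", "corp-lan"),
]

def run_samples() -> list:
    """Decisions for the constructed requests, in order."""
    return [decide(r)["decision"] for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.user.username:6} {req.device.device_id} -> {req.resource:12} "
              f"from {req.source_network:16}: {result}")
```

Expected decisions for the four samples are allow, deny, step_up and deny. The design choice worth noting is that the decision is recomputed on every request from fresh device and identity signals, which is what lets the same device go from allowed to denied the moment its attestation goes stale.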
Meanwhile, everyone wonders: What's next?
Time and again, hackers have shown themselves to be ingenious. They're also often well-funded and persistent, which makes them not only dangerous foes today but also unpredictable sources of future cybersecurity challenges.
That in and of itself has CISOs worried, Gallego said, adding that perhaps one of the biggest questions for security teams in the upcoming year is: What's next? As Gallego said: "It seems cybercriminals are finding a new playground every other day."