Back at the beginning of 2020, the five-year outlook for cybersecurity already looked incredibly challenging. The need to ensure the safe implementation of ambitious and wide-ranging digital transformation agendas was running into a skills shortage amid a rise in ransomware as a service and a growth in state-sponsored cybercrime.
And then along came a global pandemic that forced security teams around the world to mutate their information systems at a scale and pace not envisioned by even the most ambitious of digital transformation strategies. For many organizations, the need to shift computer-based work from the office to the homes of employees triggered the rapid installation of new or expanded remote access facilities. Online engagement and transaction capabilities also had to be stood up or beefed up across all sectors of business and government.
In the process, cybersecurity professionals were not only tasked with making sure that this unprecedented scale and rate of change to systems did not undermine their organization's security posture, but many were also called upon to help IT departments implement these dramatic changes and then provide support to the managers and employees on the receiving end of them. All of these challenges had to be met while responding to threats on a scale never seen before, many of them pandemic-themed or -enabled.
Major study foresees serious cybersecurity challenges ahead
Unfortunately, even as 2020 gets written off as an exceptionally tough year for cybersecurity and vaccines start to reduce the impact of the pandemic in 2021, it would be overoptimistic to think that the cybersecurity challenges will diminish.
Even when you tune out the litany of emerging threat reports from companies selling products and services that promise to address those threats, you can hear a growing chorus of warnings from cybersecurity experts that drastic changes need to be made. Consider this:
… the increased complexity, pace, scale and interdependence shown by our forward look at technological trends will overwhelm many current defenses. Without interventions now, it will be difficult to maintain the integrity of and trust in the emerging technology on which future global growth depends.
That is the professional opinion of more than 100 leading security experts from businesses, government, academia and civil society, as gathered and condensed by the World Economic Forum (WEF) in its November 2020 report, "Future Series: Cybersecurity, emerging technology and systemic risk."
While it is doubtful that every CEO, CIO, CTO and CISO can be persuaded to read this 59-page report, every cybersecurity professional should be encouraging them to do so. The report considers the general hypothesis that the "global digital landscape" will be transformed in the next five to 10 years, specifically by these four technologies:
- ubiquitous connectivity
- artificial intelligence (AI) and machine learning
- quantum computing
- next-generation approaches to identity management
The report documents in some detail what it calls a "hidden cyber-resilience deficit." This deficit, which threatens to undermine the best efforts of organizations to maintain cybersecurity, consists of four factors:
- increased and evolving threat
- widening attack surface
- structural weaknesses
- growth in harm
Bear in mind that this report is not a vendor-sponsored exercise in market building for cybersecurity products and services. This is a refreshingly honest and direct assessment of where cybersecurity is headed "without interventions now." Thankfully, WEF laid out 15 interventions that must be addressed by three different audiences: security and technology community; industry and government leadership; and international community.
Few of these interventions involve actions to be taken by cybersecurity practitioners in day-to-day operations. However, these cybersecurity trends can, and should, inform your organization's cybersecurity strategy moving forward, as well as all future technology and network security planning. Furthermore, if any of the report's recommendations gain traction -- with governments, industry groups and policymakers -- there should be many opportunities for cybersecurity professionals to inform and advance the necessary interventions.
2021 cybersecurity challenges and how to address them
The good news for the future of cybersecurity is that, on a day-to-day basis, organizations that take cybersecurity seriously will still, on average, fare better than those that don't. That might sound like a weak pitch if you're trying to get management to take cybersecurity more seriously than it has done so far. If you do need to argue for an increase in cybersecurity resources, be prepared for the counterargument that the successful data breach and compromise of FireEye disclosed in December 2020 proves "even the best security can be breached, so why waste more money on trying to do better?"
Fortunately, management can be immunized against this specious argument if you explain that risk profiles vary and your organization's business model, unlike FireEye's, does not involve curating a world-class collection of attack tools on its servers.
Obviously, the technical means by which you do this are going to vary considerably depending on what your organization does, but here are some of the technologies you should consider using to meet 2021's cybersecurity challenges if you are not already doing so: zero trust; virtualization; tokenization; multifactor authentication; comprehensive endpoint management, protection, detection and response; data loss prevention; and user behavior monitoring.
If this sounds expensive, that's because it is, but you need to be blunt with management: Planning a future for your organization without fully resourcing its cybersecurity capabilities is not just a risk; it's an existential risk -- one that imperils jobs, careers, customers and investors.
New resolve needed to combat root causes of cybersecurity challenges
Sadly, 2020 taught us that there are no ethical boundaries when it comes to cybercrime. If vaccine delivery systems are now considered fair game for cyber attacks, then nothing may be out of bounds, and as IoT continues to connect more devices to the internet, everything comes in bounds and accessible to hackers. The world has watched with growing alarm as sensitive data and digital systems of schools, community agencies, nonprofits, hospitals and medical researchers have been targeted by thieves, scammers, extortionists, vandals and spies.
The future of cybersecurity will be bleak indeed if the world does not address the root causes of this activity. As long as the governments of the world would rather fine domestic organizations for below-average data security and weak privacy protections than confront countries that refuse to take cybercriminals out of circulation, the future of cybersecurity will grow ever more challenging.