Our predictions from 2018, were still valid for 2019, so we skipped a year 
Since the decade has come to a close, sharing predictions for 2020 and beyond seems in order… starting with a strategic view of the trends and emerging business problems affecting CISOs today…
Predictions for 2020
1. Year of the IoT CISO – we did not reach Gartner’s 20 billion connected devices by 2020, but we are almost there… The attack surface is increasing rapidly – from personal wearables to medical devices to connected cars to toasters and more – as the proverb goes “where there’s entropy there is chaos” At least initially…
IoT is becoming an established part of digital companies’ product portfolios – yet many CISOs still don’t have responsibility for product security – and in many cases security is an afterthought of product design … The bottom line is that enterprise security is tied to product security, so the CISO’s remit should include it. To gain context on product security and motivate business units to collaborate, CISO’s can start by understanding the business mission and requirements of product, and then collaborating on – vs. mandating – security measures.
2. Adoption of 5G will introduce a number of problems – 5G – the supposed cure all technology - increases speed and content consumption while promising to improve network coverage and the address space – it’s basically the next best thing since sliced bread; naturally vendors are salivating over its potential for generating income and want to deploy it as soon as possible. Understandable, but where there is haste, there is waste (and misconfigs, vulnerabilities, attack surface).
The attack surface of endpoints and IoT devices will change with the advent of 5G – in addition to the potential for the impact on humans exposed to non-stop radiation. The vendors using 5G will need to up their cyber security game and CISOs with 5G in their technology portfolio will need to come up with a new set of threat models for their products and environments.
3. More attacks on infrastructure – from connected cars, to smart meters to smart cities – more and more infrastructure components are being connected to the Internet, expanding attack surface and the frequency of infrastructure attacks; Ukraine was the test bed for some of the ICS malware and it is only a matter of time that we see new malware in the wild, especially with recent military movements against sophisticated cyber adversaries.
4. Cloud transformation continues –distributed architectures are advancing, cloud transition is continuing… The CISO’s challenge comes from the need to manage legacy infrastructure, while extending coverage to the cloud and understanding what that means; securing cloud vs. on-prem doesn’t materially change the CISO’s responsibilities – while cloud offers the benefit of increased reliability, scale and performance – you still need to design and manage applications securely and appropriately protect the data in them. Remember cloud is not magic, it is just somebody else’s computer; the accountability is still yours.
5. Ransomware is alive and well – while cybersecurity trends come and go, in 2019 we saw a number of ransomware attacks on hospitals, utilities and corporations… Looks like the information security awareness training is not working – phishing attacks remain a highly successful means of compromise for hospitals and other mission critical infrastructure, back-ups can save lives (& dollars). Let’s not forget the value of Business Continuity Planning and Disaster Recovery in your 2020 security plan.
6. Information warfare continues to evolve – the U.S. elections are coming - expect to see sophisticated psy-ops or attempts to “manufacture consent” as Noam Chomsky put it… By the end of this decade we observed the rise of “deep fakes” – even had some open source software for generating “deep fakes” – after some U.S. states and corporations banned political and pornographic deep fakes, activity retreated into the dark corners of the Internet. The challenge of deeps fakes is that too many people believe before checking facts, and by the time the truth comes to light, the damage is done. How do you encourage critical thinking on information in the public sphere?
- Use social media sparingly
![🙂]()
- Trust, but verify
- Check multiple sources
To see some excellent reporting on “deep fakes” – see Samanta Cole’s articles.
7. ML is a double edged sword – ML has taken its place in the arsenal of cyber security toolbox for good guys and the bad. CISOs love the promise of ML to automate repetitive analysis, speed response and save money; the challenge is security analysts need decisions science skill sets – plus field experience – to generate valuable models; junior analysts are often given this task, and thus we unwittingly put important decisions in the hands of people with limited experience. CISOs need to keep this in mind as they plan out their organization – to both acquire the right talent and establish check and balances. The cyber arms race will continue full-speed in 2020 – and we need to be prepared; for example:
a. Malware types keep evolving – malware creators are using ML to identify patterns in systems that can lead to potential weaknesses and incorporating those findings into their payload or creating new class of malware.
b. ML keeps evolving malware detection – as we collect more data more patterns emerge this enables more accurate detection of malware
The only way to stay ahead is to plan for decision science and security engineering skill sets that can contribute effectively to the fight.
8. Privacy issues continue - Consumers will be clueless as ever about data protection; we will continue to give our data for free in hopes of gaining convenience from technical gizmos.People have an “ I have nothing to hide” mindset…
Depending on which side (consumer or corporate) you stand on, this could be a great thing. But it is not all is bleak for the people who live in the European Union and California - legislation like GDPR and the freshly minted California’s CCPA will make things harder for corporations, and states like New York, Washington and Texas are also in line to establish CCPA like legislation.
While there’s some argument that more data is better, more targeted delivers better results; psychographers already have too much data, and too much insight and access to our daily lives – the public needs to change their ways and make this data less accessible for the data-mongers… For some ideas see our article from 2017 “Digital-Fog; Deceptive Personal Defenses and more…”
9. Cybersecurity skills gap is still there and will get bigger – as the digital transformation continues more and more organizations are turning to consulting companies and Managed Security Service Providers (MSSPs) to close the gaps. Large enterprises take the most skilled resources, while the small to medium enterprise tries to make do with what is left or does nothing at all. Cybersecurity continues to feel like an expensive black box, when the reality is that simple changes have great value – and big enterprises should care because SMEs are embedded in their product and service delivery. A holistic way of approaching the problem is needed.
Through a combination of business-driven security hygiene, meaningful automation, and targeted use of third party help, SMEs can greatly improve their security and generate business relevant outcomes. Keep reading in our Reflections on SSH Attacks 2019 report for an example of attack frequency – and how to solve for it.
10. Business and IT alignment will remain a work in progress (from 2018)
When business requirements clash with security mandates this can set the stage for conflict. Balance is required and risk elimination isn’t a practical option. The root cause is often a lack of understanding along the stakeholder chain – from CEO down to security analyst. This fundamental communication gap means that
- Establish a common language – demonstrate that the information security team understands the pain points of the business by connecting, correlating and communicating information security activities according to their business impact
- Leverage the language of money – partner with the business by showing the value created by information security investment in terms of mitigated business impact
- Focus on mutual priorities – leverage business impact and return on investment to agree on the most urgent activities for the information security team; this will allow the team to focus their scare resources on value-add activities
