If 2019 has taught the cybersecurity industry anything at all, it is that regardless of size or sector, every organization is a target of a possible cyberattack. According to Norton, more than four billion records were breached in 2019. As the number of breached records continues to grow, so does the cost of defending against malicious actors.
It can be downright eerie to think about the global threat landscape, particularly amid undulating geopolitical tensions. Yet we are far beyond the point where we can ignore the reality that cybersecurity is everyone’s job. Evidenced in the RSAC 2020 Trend Report and this year’s Human Element theme, it’s time to break down silos and open the doors of communication.
According to Gartner’s Top Strategic Predictions for 2020 and Beyond, technology will become even more intertwined with all aspects of human behavior. What does that mean for 2020? We again looked to our Advisory Board, who bring rich and diverse experiences to their work, to understand how the relationship between humans and technology will continue to evolve. Recognizing that there is hope in looking ahead, the Advisory Board tried to focus on some forward-thinking and optimistic predictions of what to expect in the year ahead.
As we finalize all the makings of a conference rooted in the Human Element theme, it’s not surprising that many industry leaders are thinking about the ways in which both humans and technology will evolve and move toward a more secure digital world. According to Joyce Brocaglia, CEO of Alta Associates, Board Suited and the Executive Women’s Forum, “2020 will be the year for cybersecurity executives to educate themselves on how boards operate and where they can add value so they are best prepared and positioned to meet this demand. Given the laws and institutional efforts driving board diversity; women in cybersecurity will have an unprecedented opportunity to bring their technology and business acumen to the boardroom.”
Not only will executives advance their understanding of how boards operate, but the board members themselves will hone new skills. “Cybersecurity is a board-level imperative creating more opportunities for those with cyber expertise to serve on boards, but cybersecurity experience alone, however, is not enough, Brocaglia says. “In 2020, the composition of boardroom directors will become more diverse in skills and gender. Digital Directors; those who provide oversight to a company’s digital strategies and help them to mitigate risks will be in high demand in Non-Profit, Advisory and Corporate Boards.”
Who’s Got Skills?
While the industry definitely recognizes the skills and has taken many endeavors to address the problem, it remains true that hiring managers struggle to write information security-related job descriptions while candidates have trouble discerning which positions they should actually apply for and how they should go about the application process, says Caroline Wong, Chief Strategy Officer at Cobalt.io. “We have this pretty severe matching problem. That being said, I think that 2020 is the year when someone is going to come out with some sort of platform or matching technology that helps us to do this thing better. Maybe it’s a platform that helps to hire managers put together job descriptions or get the word out. Maybe there’s some sort of application or wizard that helps a candidate describe their skills and experience in a way that’s easily accessible and useful for a recruiter or hiring manager. A sort of Tinder for cybersecurity jobs,” Wong says.
Scammers Gonna Scam
Advisory board member Todd Inskeep, Principal, Cyber Security Strategy, Booz Allen Hamilton, anticipates that scam artists aren’t going to take a break in 2020. “Con artist-type scams will continue to be successful,” says Inskeep. The problem is that our nature as humans is to be trusting. “Con artists have always preyed on this trust. At Internet-scale, their methods are almost scientific—playing to fears to incite a quick response. This is core to this year’s theme of the “Human Element.” As we see exponential growth in computing power, and across technology, I fear we are creating changes so rapidly that people can’t adapt to these new threats, or even adapt to the pace of changes that we’ll see in the next decade and beyond. The gap between technology and our ability to adapt will leave gaps for con artists to exploit.”
More Conversations about Technology
Recognizing that there is an inherent challenge to AI, Wong believes there will be more conversation about what kinds of cybersecurity problems can be solved by automation and what must be solved by humans. “The data set you have regardless of how large and deep it is, will never actually match a future scenario—it’s called ‘concept drift’—pattern matching on old data, and the predictions can never be exactly right,” Wong says. As a result, she predicts that in 2020, “We are going to move away from this idea that technology is going to come and save us, and have a more nuanced conversation and maybe even see some models emerging with regards to how does a cybersecurity professional determine what problems are good candidates for technology to solve versus which problems are much better for humans to solve.”
Indeed, Wong is not alone in her thinking about the challenges presented with AI. Inskeep says, “We are going to get a lot of new lessons from the usage of AI in cybersecurity this coming year. The recent story about Apple Card offering different credit limits for men and women has pointed out that we don’t readily understand how these algorithms work. We are going to find that we have learned some really powerful things next year. We are going to find some hard lessons in situations where an AI appeared to be doing one thing and we eventually figured out the AI was doing something else, or possibly nothing at all.”
Cyberwar, Election Hacking and “Big Brother.” Who’s Prepared?
“Almost a decade ago,” said Dmitri Alperovitch, Co-Founder and CTO of CrowdStrike, “I coined the phrase that there are two types of companies: those that have been hacked and those that have been hacked and don’t know it yet. In 2020, we are going to see that more and more companies fall into a third category—they are being targeted but able to defend themselves even from the most sophisticated adversaries with the right leadership and strategy,” Alperovitch says.
Despite an anticipated spike in the number of organizations that are able to defend themselves against cyberattacks, companies large and small will continue to be the target of malicious actors, some of which will be successful. Where will cyberattacks be coming from? Even a crystal ball would have trouble channeling that tidbit, but Alperovitch predicts that nation-state adversaries will be upping their efforts next year. “Iran will launch a major cyberattack against the US, aiming to drive kinetic impact. The Chinese government will be even more aggressive in pressuring major Western companies to backdoor their technologies and ban the ones that are not open to it, and we will see at least one destructive attack attempt on critical infrastructure,” Alperovitch says.
Advisory board member Todd Inskeep, Principal, Cyber Security Strategy, Booz Allen Hamilton, also has some thoughts about what to expect from China in 2020. “China is going to become more of a “big brother” when it comes to cybersecurity companies operating in China, requiring more permissions and controls beyond encryption that will impact companies’ security.”
One concerning prediction comes from Ed Skoudis, SANS instructor, who says, “In 2020, government leaders will become increasingly comfortable leveraging and talking publicly about their country’s use of offensive cyber operations to achieve military ends. Military cyber operations will increasingly be leveraged in lieu of kinetic action or to inhibit kinetic engagement in battle (e.g., ‘Aren’t you glad we hacked them and didn’t bomb them?’). As such operations become more common, though, offensive cyber operations will run the risk of actually triggering a kinetic response (e.g., ‘Oops … we overdid it with this hack and now they are bombing us back.’).”
Basics Aren’t Sexy, but They’re Coming Back
Caroline Wong, Chief Strategy Officer at Cobalt.io, agrees that 2020 will see some major breaches, but she says, “75% of all major breaches I expect to see in 2020 are going to happen due to fundamental mistakes, not extremely sophisticated techniques.” Given this prediction, it’s not outlandish to suggest that there’s a strong likelihood that several new standards and regulations will drive a return to—or an implementation of—basic security best practices.
“Some unsolved fundamental problems, such as just-in-time asset discovery, are necessary for enterprise security but haven’t been attracting startups because they’re not “sexy” problems such as catching or deceiving attackers. This will change as VCs realize that there’s a lot of money to be made from this in the traditional deep-pocket sectors (such as banking) and that visibility tied with security, done right, is a game-changer. Besides, the basics are fundamental to implementing zero-trust models, so that trend will fizzle without the right backing,” says Wendy Nather, Head of Advisory CISOs at Duo Security (now Cisco).
Additionally, Inskeep predicts that the government’s rolling out of the CMMC—Cyber Maturity Model Certification—will drive enforcement of requirements that have been contractual for some time. “Now they are getting more serious,” says Inskeep. “Next year we’re going to start seeing organizations miss out on government contracts because companies can’t or haven’t demonstrated a level of maturity. CMMC is going to improve some of the foundational security work that companies should have been doing all along. It’s also going to take some time. People are going to start auditing and getting audited against the CMMC, and that’s going to improve foundational security functions and processes.”
From Regulate to Automate
Related to the CMMC’s impact on enforcing requirements, Inskeep says we should expect to see innovation in the security services space, where companies will begin offering services that help companies meet the core control requirements in CMMC. “While cloud providers are doing some of this, I’m envisioning a new service to deal with legacy controls—automating configuration and patch management with scalability to meet the basics that should be more repeatable and haven’t been so far. We’ve seen lots of automation and services in “Detect” and “Respond;” think of this as “Prevent” becoming a service as well,” says Inskeep.
In her recent Forrester blog post, Predictions 2020: European Consumers, Regulators, and Digital China Seize the Initiative, advisory board member Laura Koetzle, Vice President, Group Director, Forrester Research said, “Europe will lay claim to the title of ‘regulatory superpower,’ bringing big moves in competition, privacy, and financial services rule-making and enforcement. EU Competition Commissioner Margrethe Vestager will pursue aggressive anti-trust enforcement and drive the digital single market forward. Additionally, Koetzle expects to see a “steady drumbeat of General Data Protection Regulation (GDPR) enforcement actions and an avalanche of consumer privacy class actions in 2020; further, the EU will finally adopt the new ePrivacy Regulation. EU regulators will also aim to remedy some of the shortcomings of the second Payment Services Directive (PSD2) and open banking 1.0.”
Clash of the Identity Titans
Given that scammers will likely see continued success, we will see an increased focus on identity and authentication; however, Wendy Nather, Head of Advisory CISOs at Duo Security (now Cisco) says, “We will see divergent attempts to “own” digital identities, between the traditional software players such as Facebook, Microsoft and Google, and the telcos, who are making efforts to build identity services based on their access to a hardware root of trust (namely, the mobile phone SIM card). The software players will try to counterbalance the hardware players’ advantage by using hardware U2F tokens, either self-built or in partnerships.”
Authentication and identity will also come to the forefront of conversations around election hacking, which are sure to be plentiful come 2020. “We will see an enormous number of claims of election tampering through cyber means, including social networking manipulation, voting machine compromise, and other forms of fraud. In the run-up to the US elections in November, both sides will raise increasing warnings of such problems, but little concrete action will be taken,” says Skoudis. “That will lead candidates who lose in November to claim the fundamental unfairness of the situation, resulting in actual reforms occurring in 2021 or beyond (e.g., lots of complaining and moaning with no real action until 2021).”
New Standards for New Development and Operational Models
“Whether you call it DevSecOps or something else, the current free-for-all will need reining in for the sake of security,” says Nather. “With the development and operational silos gone, audit standards that insisted on separation will have to adapt, and today’s “best practices” and checklists for security won’t be enough. The need to reference a reliable, repeatable security process and model will likely result in leading tech companies sharing their experiences in working groups, and those practices will coalesce into firmer standards.”
Will Purple Reign?
Purple was trending throughout the RSAC 2020 Call for Speakers, with a call for red teams and blue teams to work together. Skoudis says that in 2020, “we will see that organizations seeking in-depth security testing will increasingly opt for red team and adversary emulation exercises. Likewise, the phrase ‘penetration testing’ will blend into ‘vulnerability assessment,’ so organizations will need to be careful to ensure they understand the differences between these various offerings (e.g., Be careful to know what you are paying for with vulnerability assessments, penetration tests, red team exercises, and adversary emulation projects).”
Certainly, we should expect to see the blending of many things in the year to come, particularly the coming together of all the different cross-sections of cybersecurity in February when industry leaders will share more insights at RSAC 2020 in San Francisco. Looking forward to seeing you there!