2020 Cybersecurity Predictions: Compliance, Authentication and CISO Evolution

Written by

Every year, the cybersecurity vendor community emails us in the media with predictions of what trends will impact the sector in the upcoming year. Sometimes they can be correct, whilst sometimes it can feel like we are seeing the same things over and over again.

Over the last few working weeks of 2019, Infosecurity received some 70 emails regarding predictions, and after some data crunching, we determined 33 total overall unique trends. Rather than run through each of these, we picked the six most prominent and popular trends, and featured these in our first webinar of 2020 this week.

In this webinar we looked at those six trends, as well invited speakers Brian Honan from BH Consulting and Paul McKay, senior analyst at Forrester, who gave us their thoughts on our trends, and those determined by Forrester for 2020.

Of the six trends that appeared to be most prominent for 2020 from the vendors, the first related to the upcoming end of support for both Windows 7 and Windows 2008, and the potential for more cases of unsupported operating systems being left vulnerable, and more vulnerabilities and exploits being made available.

According to Fujitsu: “Both end-user devices and data center servers will be equally vulnerable to the same exploits” because of the end of support. Meanwhile, Bitdefender said that because of the increased fragmentation of hardware and software, and the adoption of large-scale open source and “tweaked” hardware design, “we can likely expect a cascade effect when a vulnerability is found in a component and used en masse.”

Also according to Fortinet, a combination of the expanding attack surface and an increase in the ease of discovery will result in the volume of potentially exploitable zero-day vulnerabilities increasing.

A Major Breach
The next trend was on the theme of data breaches, and the prediction that in 2020 we will see a major leak from a cloud provider. “While at the same time the cloud providers are providing many useful built-in tools, it's not clear that they are using their own tools to secure themselves,” said ExtraHop. This may follow-on from the various breaches associated with AWS, where in the case of Equifax and Capital One there were issues with patching.

Also set for bad news are those companies who “have stitched together a fragile network of legacy systems via API connections,” according to RSA Security. It predicted that the “patchwork of connections” will be disrupted, and serve as a call-to-action for security and risk teams to evaluate how their IT teams are patching systems together.

The Internet of Things has long been predicted to have issues, and whilst the Mirai botnet has been the strongest example of connected devices being utilized for nefarious actions, we have not seen any other major incidents to that level. However, ExtraHop also said that “sooner or later the big IoT breach is coming” as IoT devices are fertile hunting grounds for attackers, and taking down every connected device – from telemetry sensors to infusion pumps to mobile points-of-sale – could easily grind operations to a halt.

Continued Challenges on Authentication
The death of passwords and moves to biometric capabilities is heavily predicted, and in 2020 Fujitsu said that “federated authentication, Single Sign-On and adaptive multi-factor will become standard,” while Jumio said that this will be the year that “SMS-based 2FA and knowledge-based authentication are abandoned and more advanced, biometric-based authentication methods used as a secure alternative.”

It added that this is because these authentication methods are deemed to be outdated and “easily susceptible to fraud.” As for passwords, Fujitsu predicted that we will see an increasing adoption of end-to-end password-less access, “especially in scenarios where Privileged Access Management is required.”

Evolution of Roles in Cybersecurity
On a more human level, the roles and duties of the CISO and security practitioner are predicted to evolve. Nominet said that the role of the CISO will be redesigned in 2020 to become “more of a strategic resource for the business on mitigating risk and facilitating business transformation safely,” while Code42 said that “progressive CISOs will focus on enabling collaboration.”

According to Coalfire, CISOs are becoming more involved in generating new revenue streams, and spending more time in customer-facing activities than ever before, as organizations realize that security is a differentiator.

If this all seems like extra work, then another trend that we determined was around better counter-intelligence and integration with law enforcement. RSA Security said that accountability for cyber and risk incidents will move up the organizational hierarchy, and become a central issue for the CISO, C-Suite and board of directors, while Fortinet said that law enforcement, as well as public and private sector relationships, will help in terms of identifying and responding to cyber-criminals.

Also the load may be lightened with the introduction of a ransomware attack specialist, which Quest KACE said would be “charged with leading teams to remediate the problem.” They will be specifically delegated to work with teams to identify security issues, determine how to solve them and ensure that appropriate measures are approved in order to protect against these increasingly sophisticated attacks.

More Focus on Consumer and Personal Privacy/Compliance
Last but not least, the issue of compliance persists as more regulatory frameworks are introduced. Notable is the California Consumer Privacy Act (CCPA), which Data Theorem said would result in “added pressure on companies to be proactive about protecting the data privacy of their customers,” and Baffle said that this could eventually influence a national data privacy law in the US.

In May 2020, we will mark the second anniversary of the deadline for GDPR compliance, and after a year in which we saw both monetary fines and intentions to fine, this will evolve to greater fines. Forcepoint said that 2020 is set to be a case of ‘you ain’t seen nothing yet’ in regards to the size and quantity of fines authorities are prepared to leverage. “As a result, we’ll see more organizations move from a breach prevention approach to a more holistic principles-based approach.”

However, this could cause businesses to be more proactive, as Baffle said that similar to the GDPR’s “right to be forgotten,” data revocation will become standard with companies beginning to offer the ability to destroy or shred personal data.

“Facebook, for example, already offers a ‘kill switch’ data revocation method,” it said. “This will become ubiquitous among companies that collect and store consumer data.”
As ever, predictions are only theoretical and after years of reading and reviewing them, it will be interesting to see if any of these come true in the years to come. These six have been popular for a number of years and remain at the core of cybersecurity’s most common trends, so feel like an evolution of what we know, and an evolution of these common trends seems most likely rather than a complete cybersecurity revolution.

What’s hot on Infosecurity Magazine?