1. Prediction: Organisations will try to measure cybersecurity effectiveness with regular reporting and KPIs.
As organisations allocate more budget to data security, boards of directors will demand that those investments do double duty: both improving the security of information assets and driving the business by enhancing user productivity or reducing spending on legal and compliance operations. They will require specific metrics and regular reporting to prove that these goals are being achieved.
Therefore, CIOs and CISOs will be challenged to develop security metrics to track success and provide meaningful reports to the board. To present this information effectively, they will need not just technical knowledge but also strong communication skills and financial fluency.
2. Prediction: Ransomware attacks will become more sophisticated, and public sector and healthcare organisations will be the top targets.
Ransomware attacks will remain on the rise because they work well and are easy to monetise. In 2020, ransomware will become even more sophisticated and targeted. The top sectors on cybercriminals' radar will be healthcare and government: when availability of IT systems and data is critical to people's very lives, organisations are more likely to pay the ransom in order to return to normal operations faster, as recent incidents have shown.
To combat this threat, CIOs will have to establish controls that reduce the risk of ransomware infection, ensure fast detection of attacks in progress and enable prompt recovery. To this end, they will need to expand security training for employees, require multi-factor authentication for all remote network access, ensure reliable backup creation and testing, and institute comprehensive patch management. In addition, security pros must improve anomaly detection and alerting so they are notified as soon as intruders gain a foothold on the network, move laterally to enumerate the systems and data the organisation holds, or tamper with backups and recovery points before detonating the ransomware.
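As an added example (not Netwrix code and not from the original article), the following Python script implements two of the detections named above: destruction of shadow copies or backup catalogs via well-known ransomware precursor commands (vssadmin, wmic, wbadmin, bcdedit), and a single account producing network logons to an unusual number of distinct hosts within a short window. The event line format, the sample log, the hostnames and the thresholds are all constructed for this example; map the field names onto your own telemetry (Sysmon process-creation events, Windows 4688/4624, EDR exports) before using the rules.

```python
"""Minimal ransomware-precursor detector over endpoint event lines.

Added example, not Netwrix code. The "<ISO timestamp> key=value ..." format
and the sample log below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Command lines used by many ransomware families to destroy recovery points
# before encryption. Case-insensitive; tolerant of the .exe suffix and spacing.
BACKUP_TAMPER_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"vssadmin(\.exe)?\s+delete\s+shadows",
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage",
        r"wmic(\.exe)?\s+shadowcopy\s+delete",
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)",
        r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
        r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures",
    )
]

# Constructed sample telemetry: one account hops across five hosts over SMB-style
# network logons (type 3), then wipes shadow copies and the backup catalog.
SAMPLE_LOG = """\
2020-01-14T02:03:11Z host=WS-017 user=jdoe event=logon type=3 src=10.0.5.23
2020-01-14T02:03:40Z host=WS-018 user=jdoe event=logon type=3 src=10.0.5.23
2020-01-14T02:04:02Z host=WS-019 user=jdoe event=logon type=3 src=10.0.5.23
2020-01-14T02:04:30Z host=FS-01 user=asmith event=logon type=2 src=-
2020-01-14T02:05:15Z host=WS-020 user=jdoe event=logon type=3 src=10.0.5.23
2020-01-14T02:06:50Z host=FS-01 user=jdoe event=logon type=3 src=10.0.5.23
2020-01-14T02:07:05Z host=FS-01 user=asmith event=process cmd="vssadmin.exe list shadows"
2020-01-14T02:09:02Z host=FS-01 user=jdoe event=process cmd="vssadmin.exe delete shadows /all /quiet"
2020-01-14T02:09:03Z host=FS-01 user=jdoe event=process cmd="wbadmin delete catalog -quiet"
this line is garbage and must be skipped, not crash the detector
"""


def parse_line(line):
    """Turn one event line into a dict; return None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # findall yields (key, raw value, quoted inner, unquoted); take whichever is set.
    fields = {k: (quoted or bare) for k, _, quoted, bare in KV_RE.findall(m.group(2))}
    fields["ts"] = ts
    return fields


def detect_backup_tampering(events):
    """Rule 1: any process event whose command line matches a recovery-destruction pattern."""
    alerts = []
    for ev in events:
        if ev.get("event") != "process":
            continue
        cmd = ev.get("cmd", "")
        if any(p.search(cmd) for p in BACKUP_TAMPER_PATTERNS):
            alerts.append(("backup_tampering", ev["ts"], ev.get("host", "?"), ev.get("user", "?"), cmd))
    return alerts


def detect_lateral_movement(events, max_hosts=4, window=timedelta(minutes=10)):
    """Rule 2: one account with network logons (type 3) to more than `max_hosts`
    distinct hosts inside a sliding `window`. The thresholds are assumptions:
    tune them against your baseline, since admins and scanners legitimately
    exceed low values."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "logon" and ev.get("type") == "3":
            by_user[ev.get("user", "?")].append((ev["ts"], ev.get("host", "?")))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append(("lateral_movement", logons[start][0], user, sorted(hosts)))
                break  # one alert per account; do not spam the SOC queue
    return alerts


def run(log_text):
    """Parse the log text and return all alerts from both rules."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return detect_backup_tampering(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(*alert)
```

On the sample input the script raises two backup-tampering alerts (the vssadmin and wbadmin deletions; the benign "vssadmin list shadows" is ignored) and one lateral-movement alert for jdoe covering five hosts, while the malformed last line is dropped. The lateral-movement rule deliberately fires before the encryption step, which is the window in which blocking the account or isolating the file server still prevents data loss.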
3. Prediction: Data privacy will become a necessity for all organisations, regardless of industry, which will drive the creation of new business services.
The GDPR has been in effect for more than a year, but less than half of organisations in the U.S. achieved compliance by the deadline, according to Ponemon. In 2020, data privacy will become a priority for even more companies as more U.S. states will adopt privacy regulations similar to the GDPR and the CCPA, ultimately resulting in a federal regulation that will leave no organisation untouched. The first to be affected will be financial institutions, followed by the education, healthcare and public sectors.
Since data privacy laws require a lawful basis (such as consent) for data collection and prohibit gathering more data than needed or keeping it longer than required, they will dramatically impact marketing, data collection and retention practices. Therefore, CIOs and CISOs will need to gain deeper insight into what data is being collected, where it is being stored and how it is used by employees.
As a result, the U.S. market will see new offerings that combine legal and IT services to help organisations interpret the various compliance mandates and develop actionable plans to achieve, maintain and prove compliance.
4. Prediction: Organisations will struggle to satisfy data access requests, but initially, there will be few consequences for failure.
With the GDPR and CCPA in full effect, in 2020, organisations will be challenged to satisfy data access requests (DARs) within the required time frame, since locating all the data associated with an individual can be quite a labour-intensive task. Organisations that already experience frequent customer complaints will be at particularly high risk of being bombarded with data access requests, since consumers will flock to take advantage of the new legislation.
However, authorities still need to establish processes for checking whether organisations have actually provided or erased all information related to a DAR, so initially, enforcement will be difficult. As privacy regulations are refined, though, organisations will actually face penalties for failing to comply with DARs. Therefore, CIOs and CISOs will have to establish efficient methods for completing data searches in order to minimise the risks of compliance fines, lawsuits and damage to the organisation's reputation.
5. Prediction: Organisations will make security training an integral part of employees’ job responsibilities.
Many organisations plan to increase cybersecurity training and consulting services. To justify the increased budget, CIOs and CISOs will be challenged to prove to the board that this training is both efficient and effective. Accordingly, they are advised to involve top and middle management in ensuring that the training content and methodologies match the needs of various groups of employees.
This means security will no longer be the security team’s problem alone. Indeed, as end-user cybersecurity education matures and proliferates, organisations will measure how different teams perform compared to others in the organisation. While this rivalry will drive some improvements in user behaviour, eventually, line-of-business (LoB) managers will have security metrics for their employees tied to their compensation as a means of reducing the attack surface for the organisation as a whole.
6. Prediction: The IT skill shortage will drive urgency for automation.
To support growing business needs, IT teams will need to improve their efficiency and effectiveness. To help, they will seek out technologies such as robotic process automation (RPA) to streamline routine tasks, including various security and compliance processes.
Of course, businesses have always sought to automate routine tasks. But the acute lack of experienced IT staff to fill security jobs renews the urgency. CIOs and CISOs will look more earnestly into automation tools to free up IT resources to focus on the never-ending need to secure the organisation and its data.
7. Prediction: AI-based solutions will become a new target for attacks, and organisations will struggle to defend them.
As organisations implement more solutions based on artificial intelligence (AI) and machine learning (ML), adversaries will target those systems. Organisations will look for ways to protect their systems, especially ones involved in business-critical processes or decision-making.
Unfortunately, they will find few solutions available on the market for the next few years. In 2020, researchers will still be experimenting with ways that AI- and ML-based solutions can be misled or misused — and their results will be used both by vendors to develop cybersecurity solutions and by adversaries to conduct targeted attacks.
Ilia Sotnikov, VP of Product Management, Netwrix