As we head into 2020, it’s clear that nothing much has changed in the cybersecurity community: threats are still very real, and the hunger for experienced security professionals remains high. Experts suggest that the coming year’s landscape will feel very much like a continuation of 2019, as far as cybersecurity and DevOps roles are concerned.
Let’s break down some of the core issues facing the cybersecurity arena in 2020:
IP Protection Matters
Enterprise IT strategist Brad Snow thinks 2020 will be the year that companies start paying strict attention to what’s being compromised. While stolen user data will always dominate the headlines (especially the biggest hacks), just as big a threat is intellectual property being stolen.
“Although it’s difficult to assign an exact value to the amount of intellectual property that is stolen annually, we can all agree it is astronomical,” Snow said. “In response, worldwide enterprise security spending is forecasted to grow to $124 billion this year. Organizations cannot place the entire burden of security on IT teams. Everyone that has a device connected to the internet needs to be trained on how to keep the organization safe. There are a ton of programs that will enable leadership to engage every employee on the basics of security.”
DevOps Teams: Overworked
Rani Osnat, vice president of strategy for Aqua Security, thinks 2020 may be the year that DevOps teams finally reach critical mass in many organizations. That’s to say, their workloads will finally balloon out of control. As Osnat predicted:
“DevOps teams will find themselves taking on more and more responsibilities, including more security and quality automation. As enterprises adopt DevOps practices at an ever-growing scale, the impact on the business and mission-critical applications cannot be ignored. The processes and methods that traditional IT, security, QA and compliance teams have been using are often incompatible with the agility of DevOps, and cannot cope with the rate of change. The solution lies in automating many of these practices into the DevOps processes and toolchain, enabling a more integrated ‘detect early, fix fast’ environment.”
Part of the issue, as Osnat sees it, is a skills shortage: “The IT skills shortage will continue to plague the market, especially for new technologies such as Kubernetes, and what is by now a chronic shortage in skilled IT security professionals. It will drive organizations to seek solutions that provide a high degree of automation, with ‘zero-configuration’ out of the box capabilities that provide value immediately, and don’t require a lot of integration work or management overhead.”
Managing Credentials Will Get Rough
A core principle for any cybersecurity or DevOps professional is proper management of user credentials. It’s never simple—and in an odd twist, trying to make it easier may come back to haunt you in 2020.
Brendan Diaz, CEO of encrypted enterprise chat service HighSide Inc., told us: “Identity providers themselves will start to become the target of cyber-criminals. If ‘X’ identity provider has the key to access all of company ‘Y’ and ‘Z’’s data, ‘X’ becomes a lucrative target.”
“Cloud services will make managing identities more and more important, and increasingly difficult without appropriate tools,” added Aaron Turner, HighSide’s chief security officer. “Identity will be the last perimeter IT security teams can hope to have, and as has been proven with this year’s Capital One /AWS breach, even the best-resourced teams will have an occasional lapse in operational implementation of identity policies and controls.”
Sean Gallagher, IT and national security editor for Ars Technica, agrees the almighty ‘cloud’ isn’t the answer: “As more businesses rely on cloud resources, they are going to inevitably screw up securing them. We’ve already seen lots of problems with Amazon S3 bucket security because of bad developer security practices.”
Meanwhile, lots of attacks against cloud platforms take advantage of misconfigurations and “bad hygiene” moves, such as a lack of two-factor authentication or reuse of passwords. “‘Credential stuffing’ and harvesting passwords from other breaches to get into cloud email accounts is going to continue to be a threat, as is business email compromise,” Gallagher said.
Changing Roles and Accepting Responsibilities
“The case for why companies should protect consumer data is clear: companies lose less money and consumer information is safe from predators,” said Simon Marchand, chief fraud prevention officer for Nuance Communications. “But in the event of a data breach, what many people don’t consider is that, once their data is stolen, it is often made available for the highest bidder on the dark web. And, in some cases, this personal data is used to fund some of the most heinous of crimes—from terrorist organizations to drug and human trafficking.”
Companies have a responsibility to stop the broader implications of fraud that go beyond their bottom line and their brand perception, Marchand added: “It’s not only about preventing customer information from being stolen, it’s preventing fraudsters from getting in organizations with information stolen elsewhere.”
To that, Munya Kanaventi, senior director of information security at Everbridge, added: “A gap exists in the current Chief Security Officer and Chief Information Security Officer job descriptions, which is the ability to add strategic value to the company. There’s a lot of highly technical people in this role, but when you advance to the C-suite title, there’s a need for business vision alongside technical prowess.”
In other words, cybersecurity professionals who work within a company’s upper echelons need “soft skills” and a broader understanding of the business, in addition to their technical abilities. “Understanding how the company’s threat management strategy ties to the overall business goals and developing an action-orientated plan will be essential for CSOs in 2020,” Kanaventi continued. “As the CSO, it is your job to develop the company’s operational risk and demonstrate how that fits into larger business goals. After outlining the risk, the CSO must be able to establish a program that protects their people and assets from cyber and physical threats.”
2020 should be the year companies take a hard look at their processes and people to decide if those in charge of protecting staffers and users are properly skilled, and have the right tools to do the job they’re assigned to. It’s now clear that breaches and hacks aren’t one-off events meant to snipe user info; the compromised data is being used for much more than opening up a credit card in someone’s name.
The Cybersecurity Growth Balloon Pops
At some point, being ‘cool’ stops being cool. One of the coolest things in tech is inflating growth, and security advocate Johnny Xmas thinks 2020 will see the bubble burst.
“It is nearly impossible to go a single hour in InfoSec career channels without hearing about how projected growth is absolutely insane, and so far above every other industry that new types of math are actively being developed to accurately calculate it,” he told Dice. “This propaganda seems to mainly be spread by university career counselors and the respective current and former students trying to justify the tuition costs, and, like all great statistics-based scams, are suspiciously always presented with percentages.”
He continued: “[The role of information security analyst] is expected to grow by 32% in the next 10 years. That sounds absolutely insane—until we do the math. It turns out that 32 percent is a paltry 35,500 jobs. This is a tiny, tiny industry, and as more and more IT pros come out of university with the security knowledge the graybeards initially lacked, we’re going to see companies slowly shrinking their internal teams and outsourcing way more, where costs and salaries are always significantly lower.”
And Finally, the 2020 Presidential Election
Whatever your political leanings, a United States Presidential election is always a microcosm of our society at the moment. For DevOps and Cybersecurity professionals, this election cycle may represent a significant challenge.
A number of cybersecurity professionals think the 2020 election will again see state actors influencing voters via social media and the like—and we may see some good old-fashioned hacking. As voting machines roll out to garages and libraries across the country, we’ll again be reminded that the hardware is dated and insecure… and so are the systems backing them up.
This sorry state will no doubt illicit hot takes from cybersecurity pros. Based on our conversations, nobody necessarily believes the election can be hacked broadly enough to forcefully and directly influence the election itself, but the attempts to do so will nonetheless prove instructive for cybersecurity and DevOps professionals.
State-sponsored hackers are among the most skilled black hat hackers there are, and the election will shine a bright light on their activities. If you’re in a cybersecurity or DevOps role, keep a close watch on the election. Ignore the campaign rhetoric, but stay for any lessons imparted by some of the best hackers in the world. A lot can be learned from them; politicians, not so much.