CISOs will shift their priorities in 2020
Not too long ago, information security was a human-scale problem. Because the number of assets that could be compromised was contained, and because adversaries had only a few attack vectors in their arsenal, enterprises were able to train security analysts to identify and mitigate threats and vulnerabilities.
Managed endpoints, internal applications, routers, switches, DNS servers and domain controllers comprised the majority of an enterprise’s network presence. In today’s world, mobile devices, cloud applications, IoT, and third-party connections to vendors have dramatically grown the enterprise digital footprint. Additionally, adversaries were not nearly as sophisticated as they are today, leveraging only a small fraction of modern-day attack vectors. Today’s threat actors have a much larger arsenal of attack vectors to use, including newly discovered vulnerabilities, misconfigured cloud services, and more services and applications exposed to the internet.
With so many assets to exploit, and so many ways to exploit those assets, CISOs need to reassess their strategies in 2020. By broadening their scope, taking advantage of board-level visibility, and using risk-based strategies to ensure that their teams have maximum impact, security leaders can dramatically transform their organization’s security posture in 2020 and beyond.
All assets that are open to attack will be analyzed for vulnerabilities
The accepted definition of a vulnerability will broaden. Although the term is typically associated with flaws in software that must be patched, CISOs will redefine it to cover anything that is open to attack or damage. As a result, systematic processes similar to those commonly applied to patching will be extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third-party vendor risk, and more.
Educating the board will help CISOs communicate risk
In recent years, CISOs have gained much-desired access to the board of directors, yet have struggled to speak in a language that resonates. This has limited the value of their exposure to the board, and many have struggled to win the appropriate backing for their initiatives. In 2020, CISOs will recognize that business leaders will never understand technical security details such as threats and vulnerabilities, and will begin to leverage education and new tools to communicate business risk and economic exposure to the board.
Increasing efficiency will be a priority
In light of the ever-growing cybersecurity skills gap and an exploding attack surface, CISOs will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk and solving the most impactful issues first, CISOs can ensure that even a small security team has the maximum possible impact.
Gaurav Banga is the CEO and founder of Balbix, and he serves on the boards of several other companies. Prior to founding Balbix, Banga was the co-founder and CEO of Bromium and led the business from inception for five years. He has also served in executive roles at Phoenix Technologies and Intellisync Corporation, and he co-founded and was the CEO of PDAapps, which was acquired by Intellisync in 2005. Banga has a PhD in computer science from Rice University and a bachelor of technology degree in computer science from IIT Delhi.