
4 ways security leaders will redefine their strategies in 2020

Ponemon’s 2019 Cost of a Data Breach Study found that the average cost of a data breach is nearly $4 million, yet the immediate financial reparations are just the beginning of the consequences.

In reality, the brand damage from security incidents can be crippling to an organization’s business, possibly even terminal, as was the case with the American Medical Collection Agency earlier this year.

A recent survey from PwC found that 87% of consumers will take their business elsewhere if they don’t trust that a company is handling their data properly. In the face of this grim reality, successful CISOs will drive a comprehensive 2020 agenda of risk-aware cybersecurity posture transformation.

Here are some trends to expect in 2020:

Increasing efficiency will be prioritized

In light of the ever-growing cybersecurity skills gap and an exploding attack surface, infosec leaders will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk and solving the most impactful issues first, CISOs can ensure that even a small team has the maximum possible impact.

CISOs will use new approaches to communicate with the board

In recent years, CISOs have gotten much-desired access to the board of directors, yet have struggled to speak in a language that resonates. This has limited the value of their exposure to the board, with many struggling to achieve the appropriate backing for their initiatives.

In 2020, CISOs will recognize that business leaders will never understand technical security details such as threats and vulnerabilities, and will begin to leverage education and new tools to communicate business risk and economic exposure to the board.

Security leaders will redefine what a vulnerability is to increase security

The accepted definition of a vulnerability will broaden. The term is typically associated with flaws in software that must be patched, but infosec leaders will redefine it as anything that is open to attack or damage. As a result, systematic processes similar to those commonly applied to patching will be extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third-party vendor risk, and more.

Companies that fail to adapt will suffer

Poor understanding of the massive enterprise attack surface will continue to be the root cause of much cybersecurity-related frustration and anxiety. Discussions with BoD members and C-suite execs on security posture will still be based on gut instinct and incomplete data.

CFOs will once again approve record security spend, with no idea whether that money was well spent, or if the organization is protected from the next WannaCry. Alert fatigue, thousands of unpatched assets, successful phishing of unwitting executives, and new initiatives that bypass infosec approval will drive the headlines once again in 2020.

In the end, despite tremendous use of resources, most organizations will still be one bad click, a single reused password, or one unpatched system away from a major cybersecurity incident. The others will use risk-based tools to transform their cybersecurity posture.
