At long last, the World Economic Forum has finally come to recognize cybersecurity as the "second most concerning risk for doing business globally over the next 10 years," signaling a growing recognition within the business community of the importance of their CISOs and the challenges they face.   

In this article, we break down the five greatest challenges facing cybersecurity professionals in 2020 along with expert tips on how to face them.

1. Growing Attack Surface
The number one threat facing organizations today remains external malicious hackers. While these include state actors, hacker groups, and individual attackers, the essential threat remains the same. Unfortunately, organizations across nearly every sector are still struggling to stage a convincing response. In 2019, for example, Silent Breach security consultants found that 92% of web applications tested contained serious or critical security flaws. In particular, we recently reported that 97 of the 100 largest airports are similarly compromised.

A large contributor to this trend lies in the fact that, for most organizations, the attack surface is only growing. CISOs are finding that they must defend against cyberattacks on multiple fronts: web, mobile, social, physical, wireless, cloud, and insider, to name just the most obvious.

Recommendations: It's become increasingly clear that any effective cybersecurity strategy must take a holistic company-wide approach. Accordingly, Silent Breach recommends investing in a continuous monitoring platform that provides a broad perspective across your attack surface as well as helping to guide your efforts to narrow your exposure. Furthermore, regular training workshops are crucial; not only to provide the necessary skills and knowledge, but perhaps more importantly, to instill a culture of security and responsibility throughout the organization.

2. Corporate Buy-In
It has become somewhat cliché to say that cybersecurity is no longer exclusively an IT job, but the reality is that CISOs are both the newest C-level executives and the least understood. According to recent estimates, by 2022, only 5% of CISOs will report security metrics that are useful for senior executives. On the other hand, the majority of CISOs report that their corporate boards are not actively involved in security operations. To combat this silo effect, current CISOs should be using the board meetings as an opportunity to build bridges between their own work and the rest of the board.

Recommendations: Speak their language. The ability of CISOs to translate technical issues into business jargon, such as Risk Appetite Statements, will be the defining security trend of 2020. In crucial ways, it will be cultural adjustments such as these that will provide the sorely needed expenditure increases in cybersecurity.

3. Data Privacy and Protection
With the rapid increase in user data collection and sharing, many international, federal, and local governments have introduced legislation to ensure that personal data is properly handled. While specialized regulations such as HIPAA (for healthcare) and PCI (for payment processing) have been around for years, more comprehensive data protections are only recently being put into place. Notably, the European Parliament adopted GDPR in 2016 and California has introduced CCPA in 2020. With these additional regulations, companies must step up their data privacy and protection standards or risk legal penalties.

Recommendations: The first step is to perform a Privacy Regulations Compliance Audit in order to determine your current gaps. Based on the results of this assessment, you may be advised to hire an independent Data Protection Officer, improve user opt-out procedures, or alter your organization's privacy policies.

4. Cost Reduction/Avoidance
As the tech industry continues to mature, cybersecurity skills shortages are climbing to record highs, and the cost of hiring in-house talent along with it. In addition, the average cost of a data breach has soared to nearly $4 million. It comes as no surprise then that organizations are leaning heavily on their CISOs to help bring those costs down.

Recommendations: As IT departments grow larger and more sophisticated, executives are looking to tap into managed solutions as a way to bring costs down while simultaneously increasing their service quality. The truth is that MSSPs are not simply far cheaper than in-house IT talent, they are also far more skilled and come with competitive SLAs, allowing CISOs to kill two birds with one stone.

5. Rapid Development
Over the last several years, DevOps has dramatically transformed the way in which software is designed, developed, and delivered. Together with innovations such as Agile and Continuous Integration, DevOps has led to an increasingly rapid and inter-disciplinary software development life cycle (SDLC), leading to more robust and responsive applications. But with this push toward speed and flexibility, software has in some ways become even less secure. As companies rush to release, security often remains an afterthought.

Recommendations: DevSecOps begins with DevOps' commitments to continuity and automation and merges them with the principle of security-by-design, creating a single, streamlined SDLC that is both more efficient and more secure. Therefore, rather than consolidating security into one team or department, DevSecOps seeks to distribute responsibility throughout the development lifecycle as well as throughout the organization.