As we head into 2020, it’s clear that nothing much has changed in the cybersecurity community: threats are still very real, and the hunger for experienced security professionals remains high. Experts suggest that the coming year’s landscape will feel very much like a continuation of 2019, as far as cybersecurity and DevOps roles are concerned.

Let’s break down some of the core issues facing the cybersecurity arena in 2020:

IP Protection Matters

Enterprise IT strategist Brad Snow
thinks 2020 will be the year that companies start paying strict attention to
what’s being compromised. While stolen user data will always dominate the
headlines (especially the biggest hacks), just as big a threat is intellectual
property being stolen.

“Although it’s
difficult to assign an exact value to the amount of intellectual property that
is stolen annually, we can all agree it is astronomical,” Snow said. “In response,
worldwide enterprise security spending is forecasted
to grow to $124 billion this year. Organizations cannot place the entire burden
of security on IT teams. Everyone that has a device connected to the internet
needs to be trained on how to keep the organization safe. There are a ton of
programs that will enable leadership to engage every employee on the basics of

DevOps Teams: Overworked

Rani Osnat, vice president of strategy for Aqua Security,
thinks 2020 may be the year that DevOps teams finally reach critical mass in
many organizations. That’s to
say, their workloads will finally balloon out of control. As Osnat predicted:

teams will find themselves taking on more and more responsibilities, including
more security and quality automation. As enterprises adopt DevOps practices at
an ever-growing scale, the impact on the business and mission-critical
applications cannot be ignored. The processes and methods that traditional IT,
security, QA and compliance teams have been using are often incompatible with
the agility of DevOps, and cannot cope with the rate of change. The solution
lies in automating many of these practices into the DevOps processes and
toolchain, enabling a more integrated ‘detect early, fix fast’ environment.”

Part of the issue, as Osnat sees it, is a skills shortage: “The IT skills shortage will continue to plague the market, especially for new technologies such as Kubernetes, and what is by now a chronic shortage in skilled IT security professionals. It will drive organizations to seek solutions that provide a high degree of automation, with ‘zero-configuration’ out of the box capabilities that provide value immediately, and don’t require a lot of integration work or management overhead.”

Managing Credentials Will Get Rough

A core principle for any cybersecurity or DevOps professional is
proper management of user credentials. It’s never simple—and in an odd twist,
trying to make it easier may come back to haunt you in 2020.

Brendan Diaz, CEO of encrypted enterprise chat service HighSide Inc., told us:
“Identity providers themselves will start to become the target of
cyber-criminals. If ‘X’ identity provider has the key to access all of company
‘Y’ and ‘Z’’s data, ‘X’ becomes a lucrative target.”

“Cloud services will make managing identities more and more
important, and increasingly difficult without appropriate tools,” added Aaron
Turner, HighSide’s chief security officer. “Identity will be the last perimeter
IT security teams can hope to have, and as has been proven with this year’s Capital One /AWS
, even the best-resourced teams will have an occasional lapse in
operational implementation of identity policies and controls.”

Sean Gallagher, IT and national security editor for Ars Technica,
agrees the almighty ‘cloud’ isn’t the answer: “As more businesses rely on cloud
resources, they are going to inevitably screw up securing them. We’ve already
seen lots of problems with Amazon S3 bucket security because of bad developer
security practices.”

Meanwhile, lots of attacks against cloud platforms take advantage of misconfigurations and “bad hygiene” moves, such as a lack of two-factor authentication or reuse of passwords. “‘Credential stuffing’ and harvesting passwords from other breaches to get into cloud email accounts is going to continue to be a threat, as is business email compromise,” Gallagher said.

Changing Roles and Accepting Responsibilities

“The case for why companies should protect consumer data is
clear: companies lose less money and consumer information is safe from
predators,” said Simon Marchand, chief fraud prevention officer for Nuance
Communications. “But in the event of a data breach, what many people don’t consider is that, once
their data is stolen, it is often made available for the highest bidder on the
dark web. And, in some cases, this personal data is used to fund some of the
most heinous of crimes—from terrorist organizations to drug and human

Companies have a responsibility to stop the broader implications
of fraud that go beyond their bottom line and their brand perception, Marchand
added: “It’s not only about preventing
customer information from being stolen, it’s preventing fraudsters from getting in
organizations with information stolen elsewhere.” 

To that, Munya Kanaventi, senior director of information security
at Everbridge,
added: “A gap exists in the current
Chief Security Officer and Chief Information Security Officer job descriptions,
which is the ability to add strategic value to the company. There’s a lot of highly technical
people in this role, but when you advance to the C-suite title, there’s a need for business
vision alongside technical prowess.”

In other words, cybersecurity professionals who work within a company’s upper echelons need “soft skills” and a broader understanding of the business, in addition to their technical abilities. “Understanding how the company’s threat management strategy ties to the overall business goals and developing an action-orientated plan will be essential for CSOs in 2020,” Kanaventi continued. “As the CSO, it is your job to develop the company’s operational risk and demonstrate how that fits into larger business goals. After outlining the risk, the CSO must be able to establish a program that protects their people and assets from cyber and physical threats.”

2020 should be the year companies take a hard look at their
processes and people to decide if those in charge of protecting staffers and
users are properly skilled, and have the right tools to do the job they’re
assigned to. It’s now clear that breaches and hacks aren’t one-off events meant
to snipe user info; the compromised data is being used for much more than opening
up a credit card in someone’s

The Cybersecurity Growth Balloon Pops

At some point, being ‘cool’ stops being cool. One of the coolest
things in tech is inflating growth, and security advocate Johnny Xmas
thinks 2020 will see the bubble burst.

“It is nearly impossible to go a single hour in InfoSec career
channels without hearing about how projected growth is absolutely insane, and
so far above every other industry that new types of math are actively being
developed to accurately calculate it,” he told Dice. “This propaganda seems to
mainly be spread by university career counselors and the respective current and
former students trying to justify the tuition costs, and, like all great
statistics-based scams, are suspiciously always presented with percentages.”

He continued: “[The role of information security analyst] is expected
to grow by 32% in the next 10 years. That sounds absolutely insane—until we do
the math. It turns out that 32 percent is a paltry 35,500 jobs. This is a tiny,
tiny industry, and as more and more IT pros come out of university with the security
knowledge the graybeards initially lacked, we’re going to see companies slowly
shrinking their internal teams and outsourcing way more, where costs and
salaries are always significantly lower.”

And Finally, the 2020 Presidential Election

Whatever your political leanings, a United States Presidential
election is always a microcosm of our society at the moment. For DevOps and cybersecurity
professionals, this election cycle may represent a significant challenge.

A number of cybersecurity professionals think the 2020 election
will again see state actors influencing voters via social media and the
like—and we may see some good old-fashioned hacking. As voting machines roll
out to garages and libraries across the country, we’ll again be reminded that
the hardware is dated and insecure…
and so are the systems backing them up.

This sorry state will no doubt elicit hot takes from
cybersecurity pros. Based on our conversations, nobody necessarily believes the
election can be hacked broadly enough to forcefully and directly influence the
election itself, but the attempts to do so will nonetheless prove instructive
for cybersecurity and DevOps professionals.

State-sponsored hackers are among the most skilled black hat
hackers there are, and the election will shine a bright light on their
activities. If you’re in a cybersecurity or DevOps role, keep a close watch on
the election. Ignore the campaign rhetoric, but stay for any lessons imparted
by some of the best hackers in the world. A lot can be learned from them;
politicians, not so much.