Cybersecurity has become one of the top concerns of enterprises around the world over the past several years, and in 2020, that trend is bound to continue. Privacy legislation like Europe’s General Data Protection Regulation and the upcoming California Consumer Privacy Act will begin to play a larger role in CIOs’ decision-making related to data handling and privacy.
Granted, many companies’ technology teams are still trying to figure out exactly how these mandates affect them, and many more will face the same challenges in the months ahead. Inevitably, American lawmakers will enact federal legislation that creates even more complexity for data security professionals; whether we see that in 2020 is anyone’s guess.
Beyond regulation, the potential threats posed by internal actors will be a popular watercooler and boardroom discussion topic. CIOs will need to invest in employee education aimed at stemming the tide of data breaches originating internally, or else the status quo will persist. The deliberate or inadvertent exposure of data by company stakeholders has cost organisations dearly in 2019, and mitigating this threat must be a top priority for all.
For many security professionals, the new year will also likely be a time for reevaluating platform and application security protocols and for assessing the merits of software as a service versus a platform as a service versus infrastructure as a service. This assessment must be highly nuanced and must take into account the unique benefits and challenges posed by each delivery model. For instance, while PaaS solutions tend to offer robust feature sets, valuable customisation options, and better performance for data-driven workloads, they are also significantly more complicated than SaaS models, and an organisation’s security strategy must account for that added complexity.
Each of these topics is related, and it’s almost impossible to address one without considering the others. How organisations approach them together will ultimately determine success in 2020 from a security standpoint.
The rules of the game
Regulation will have implications for both internal threat management and platform security, making it perhaps the most pressing issue facing security professionals in the year ahead. There will likely be a lot of focus on the “safe harbor” provisions being included in new legislation, such as the CCPA’s safe harbor for data encryption. Organisations can and should work hard to adapt to safe harbor clauses, though they’ll likely achieve varying degrees of success.
If you’re an enterprise-level executive attempting to stay ahead of cybersecurity threats in 2020 and beyond, consider the following three strategies:
- Front-load investment: Many companies will attempt to front-load investments in data protection, paying extra in the short term to avoid huge penalties down the road. This is a wise move, but it needs to be thoughtfully planned and surgically executed. Don’t spend on security measures solely for the sake of regulatory compliance until your organisation knows exactly what the law requires.
  Now that companies realise there are potential “get out of jail free” clauses in new legislation, they should prioritise spending accordingly: avoid severely impacting cash flow for the year while ensuring that the solutions being implemented comply with the safe harbour clauses as written.
- Aim for proactivity: Speed and response times matter, arguably more than ever before. Knowing when incidents occur before they become full-blown crises will be critical for every organisation that collects and stores customer or employee data. Cyberattacks are inevitable, but lasting damage is not. The ability to detect data egress in as close to real time as possible will allow companies to contain threats and avoid fines, severe revenue losses, and PR nightmares.
- Scrutinise permissions: The importance of mitigating internal threats should be top of mind for every business, and this starts with knowing who has access to what data. Especially in smaller companies, employees often have access to valuable information that they don’t really need in order to carry out their day-to-day responsibilities.
  Most employees want your company to be successful, but good intentions don’t qualify them as security experts. Develop a system that allows you to grant proper permissions so that you can spend more time dealing with the threats that come from outside your walls.
Each of the above strategies is a component of an overall security posture that puts you in the best position to succeed in an increasingly risky digital environment. However, none of them can be executed without the right personnel in place, so put people first.
You’ll need access to legal counsel and compliance experts to help you navigate new and forthcoming regulatory standards, as well as a finance department that can direct your investments in a way that minimises wasteful spending without compromising compliance or security. You’ll need your IT team to be flexible and agile enough to spot threats as they appear, and knowledgeable enough to respond appropriately when data does leave your system. And perhaps most important, you’ll need a workforce that treats security as a top priority at all times.
By making cybersecurity a core part of every employee’s purview, from the C-level executive to the newest intern, you can create a network that is more resilient and more resistant in the face of constantly evolving cyber threats. That’s a worthy resolution for the new year.