February 21, 2020
Our Mayfield CISO Network (An innovative network of security leaders)
We recently held a series of Chief Security Officer meetings and roundtable events in various cities across the U.S. Our goal was to uncover the highest priorities for the CISO in 2020 and return these insights back to our community. As a venture capital firm, we focus our discussions on what’s new, what’s emerging and where are the solution gaps in the cyber market.
RSA 2020 will bring keynote speakers to share their view of the market including Mary Barra, Chair and Chief Executive Officer, General Motors Company, Kara Swisher, Co-Founder and Editor-at-Large, Recode, and Dr. Peggy Whitson, Record-Breaking NASA Astronaut and Biochemist.
Major topics will include: how to handle the implications of CCPA (and where we’ll see similar regulations outside of California), the convergence of physical, IT and operations security into a new SecOps thesis for the enterprise, and the ongoing talent needs of a SecOps team along with the evolving ways to leverage AI tools to help.
Top Security Predictions for 2020:
- GDPR Comes to the United States – In 2020, expect ten or more states to enact laws similar to California’s CCPA
- The Marriage of People + AI – Humans will unravel new threats and AI will automate real-time detection at volume
- Deepfake Video Content – This type of content is on the rise. It will be used as misinformation and targeted to manipulate outcomes
- DevSecOps – DevSecOps will rise to prominence as growth in containerized workloads causes security controls to “shift left”
- Application Programming Interfaces (APIs) as the Weakest Link – APIs will be exposed as the weakest link, leading to cloud-native threats
- Cybersecurity Skills Gap – With an exploding attack surface, information security leaders will shift their focus from increasing headcount to increasing efficiency and automation
- Vulnerability Will Broaden – Systematic processes, similar to those commonly applied to patching, will be extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third-party vendor risk, and more. Basically, attackers will continue to exploit “low-hanging fruit”
- The CISO Whisperer – Boards of directors and business leaders need to understand technical security details such as threats and vulnerabilities; CISOs will operate as the translators of those details into business impact. In turn, CISOs need to better understand and align with business issues
- Phishing – Phishing will become more believable, targeted and sophisticated; BEC (business email compromise) will be the primary threat, having increased 100% since 2018
- 5G – Attackers will find new vulnerabilities in the 5G/Wi-Fi handover to access the voice and/or data of 5G mobile phones
What are the highest priority issues that today’s CSO is facing?
- We’ve heard from our network that CISOs are still struggling with their end users. Regardless of all the technical tools in place, users continue to perform unwise actions that compromise the security of the company’s information assets. Everyone is looking for more effective ways to educate users and track their learning progress
- Finding qualified talent, and managing insider threat once that talent is on board
- Getting a better handle on IoT devices throughout the enterprise
What are white spaces, or gaps that are not being addressed sufficiently with technologies offered today?
- Companies deploy a lot of different security tools; unfortunately, most of them still don’t talk to each other, which makes managing the security estate quite challenging
- Better monitoring and management of IoT devices
How are CSOs building talent or preparing for future needs?
- A few mature organizations are investing in nearby colleges with robust intern programs to ‘lock in’ some good talent
- Many companies are modifying their policies to allow remote work
- There is a rise in the addition of unusual perks (like day care for younger children) to lure new employees
2020 Cyber Technology Gaps
- IoT devices with bad security, especially on the health and fitness side
- The critical infrastructure attack surface is widening as the use of instrumented devices grows, leaving many open access points
- Industrial controls are wide open, and a better approach is needed. They are mission critical from a business operations standpoint, so SOC teams cannot easily update them without shutting down production or supply chain operations. Business leaders will not allow security teams to do ad hoc checks and updates; teams are limited to annual updates
- Blockchain – Distributed ledger applications will pose a new gap in cyber. Quantum computing creates a similar new need, but will require different technology to support quantum-based applications; the banking sector will likely be the early tester of this new technology, but only if it is secure
- Competent talent – Issues with finding, recruiting, and keeping knowledgeable employees
- Insider threat from new and veteran employees and vetting external vendors
- Zero-Trust security for healthcare; getting a zero-trust model up and running in order to streamline secure access
- Vehicle-to-vehicle communications – There is an emerging need for security around V2V communications, which today remain widely insecure
- Doing business with China more broadly, and its new encryption laws
- How to respond to a breach once it has already happened; are there better ways?
- Customer/employee security education (including passwords that are poorly managed at the end user level)
- Employee compliance – Getting employees to comply with and support cyber requirements needs a better approach than just more rules (e.g. bonus incentives for good behavior)
- Bio-signatures for applications and identity
Mayfield is a global venture capital firm with a people-first philosophy and over $1.8B under management. Mayfield invests primarily in early-stage enterprise, consumer, and health IT companies. Since its founding in 1969, the firm has invested in more than 500 companies, resulting in 117 IPOs and more than 200 mergers or acquisitions. Some notable investments include Grove, HashiCorp, Lyft, Marketo, Moat, Outreach, Poshmark, and ServiceMax.