2020 Cyber Security Predictions from a CISO

2020 is here and hopefully all security teams have resolutions of improving the cyber security of their business in the new year. But what new challenges and developments will 2020 bring that you need to be prepared for?

How cyber security will change in the next 10 years

Fewer passwords: In the next few years we will see the adoption of more non-password-based consumer authentication technologies (e.g. FIDO). Consumers and tech companies are increasing the pressure to move to systems that require fewer passwords. Technologies like single sign-on (SSO) and multifactor authentication (MFA) can help authenticate users without requiring them to remember passwords.

Biometrics: There’s going to be more movement towards leveraging rich biometrics for convenience (e.g. iris scans). These rich biometrics will leverage significantly more and better sensors (iris scanning, body posture, etc.) in consumer/end user-facing devices.

Machine learning: Advanced machine learning models will allow for better context-based authentication assessments and improve the authentication process, using signals such as geofencing and device biometric sensors. Some of those models and technologies are already available. For example, MFA solutions can do geofencing based on GPS. Advanced sensors on mobile devices will also be usable over the next several years.

The key to implementation is back office instrumentation – there’s machine learning that needs to take place to understand normal vs. anomalous behavior and that takes time.
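As an added illustration of the context-based assessment described above (example code written for this page, not LastPass’s own), here is a small risk scorer that learns a user’s normal devices, login hours and location from past logins, then decides whether a new login is allowed, needs step-up MFA, or is refused as impossible travel. The sample history, the 100 km geofence and the 900 km/h travel threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

@dataclass
class Login:
    ts: float          # unix seconds (UTC)
    lat: float
    lon: float
    device_id: str

def km_between(lat1, lon1, lat2, lon2):   # great-circle distance in km (haversine)
    la1, lo1, la2, lo2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

@dataclass
class Baseline:   # what "normal" looks like for one user, learned from past logins
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)     # hours of day (UTC) seen before
    last: Optional[Login] = None                # most recent known location/time

def build_baseline(history):
    b = Baseline()
    for login in sorted(history, key=lambda l: l.ts):
        b.devices.add(login.device_id)
        b.hours.add(int(login.ts // 3600) % 24)
        b.last = login
    return b

def assess(b, login, geofence_km=100.0, max_kmh=900.0):
    """Return (decision, reasons): 'allow', 'step_up' (ask for MFA) or 'deny'."""
    reasons = []
    if b.last is not None:
        dist = km_between(b.last.lat, b.last.lon, login.lat, login.lon)
        elapsed_h = max((login.ts - b.last.ts) / 3600, 1e-6)
        if dist / elapsed_h > max_kmh:   # faster than any airliner: "impossible travel"
            return "deny", ["impossible travel"]
        if dist > geofence_km:
            reasons.append("outside geofence")
    if login.device_id not in b.devices:
        reasons.append("unknown device")
    if int(login.ts // 3600) % 24 not in b.hours:
        reasons.append("unusual hour")
    return ("step_up" if reasons else "allow"), reasons

SAMPLE_HISTORY = [   # constructed: New York at 12:00 and 14:00 UTC, one device
    Login(1577880000, 40.7128, -74.0060, "laptop-1"),
    Login(1577973600, 40.7128, -74.0060, "laptop-1"),
]
```

The baseline here is a simple set of seen values; a production system would replace it with a model trained over far more signals, which is the instrumentation work the paragraph above refers to.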

Security breaches and passwords

According to the Verizon Data Breach Investigations Report, 80% of breaches are still caused or enabled by weak and reused passwords. So the question remains: when will consumers and end users improve their password behavior?

This really comes down to two questions: 1) When will it be harder for breaches to occur so fewer passwords are exposed? and 2) When will users use better and stronger passwords?

In terms of reducing breaches, this will be a long journey that requires enterprises to incentivize good security practices such as secure development over glitzy features. Over time, insecure services will have a higher likelihood of failing due to falling customer trust. This has started (e.g. scrutiny over Facebook’s data losses) but will still take more time to be considered a top tier risk for enterprises.

In terms of better passwords, this is all driven by consumer awareness. Newer authentication technologies will continue to whittle away at password-based systems, which may alleviate parts of this problem. But companies dealing with sensitive data (fintech, healthcare, etc.) will also start enforcing more complex password policies to lower their risk.

Biggest identity and access management challenges/trends in 2020

All companies will face different challenges depending on their size and their sector. However, all companies face the challenge of security awareness among employees, contractors and customers. And without the support from all users, technological efforts will not be fully effective.

To help with this effort, here are a few recommendations:

Multi-directional communication is extremely important in a security program, meaning working from the top-down, bottom-up, and side-to-side to get your messaging across. Reinforcement of best security practices should come from an employee’s manager, peers, C-suite and more. And yes, it’s true: security is everyone’s responsibility.

People learn differently – some are more receptive to visual guides or written instructions while others may want a hands-on lesson. Also, the content can vary depending on your audiences. Some may like content that is funny, serious or provides a historical background. Whatever you choose, providing consistent communication is the key to a strong awareness program. Part of our focus is to make sure we are delivering our security training and materials in a variety of channels. We’ve also included employees in everything from video creations and contests – and it gets them involved and excited about it too.

When it comes to high-tech industries such as finance or healthcare, the key is to establish and maintain control over BYOD and Bring-Your-Own-App policies and mentality without impacting employee productivity.

I’m excited to see where this new decade takes us. Leave a comment below with your predictions for 2020.


  • Richard says:

    What will 2020 bring? There will be some consumer surprises or surprised consumers as new technologies are rolled out. These new technologies will produce complaints and resistance among consumers who currently do not use best practices information security. As long as enhanced security can be turned off, many users will turn it off because for them security is a nuisance. The adoption of the new technologies will be hampered by the existing legacy installed base. The millions of desktop, laptop, tablet, phone and other devices that are not equipped with the hardware to accommodate the new security measures will continue to be used by the people who love them and do not want to learn, or are unable to learn the new procedures. For the rest of us, 2020 is going to be an adventure that will bring more freedom and responsibility to users.

  • Jesse Justice Zeitz says:

    You can never be too careful

  • Herbert C Dixon says:

    This was very enlightening to read, it really captured my attention. I am always very conscious when I use my credentials, at gas stations, grocery stores or even at the ATM machines. Never knowing when I will be a target to hackers/criminals.

  • David Friar says:

    It sounds like we’d be in far better shape if people would consistently use the tools that are already available. Perhaps some of the most intensive R&D should focus on creating behavior change in users. In a similar vein, if what we have already learned in studies of persuasion and behavior change were applied to security behaviors, we’d see a significant reduction in breaches.

  • Suzanne M. Vanet says:

    Yes, even this 71 year young retired Commercial Realtor is using two-factor ID on many new accounts!
    I will review all and increase my awareness in how to use fewer only password protected systems!
    As a LastPass customer already, I am happy to trust this form of protection.
    Thanks for the outline for 2020!

  • Andy says:

    Thank you