noun_Email_707352 noun_917542_cc Map point Play Untitled Retweet Group 3 Fill 1

Leadership trends in cybersecurity - 5 predictions for the CISO in 2020

Important trends and influences that are shaping management decisions and priorities for 2020.

Oskar Ehrnström / November 21, 2019

Usually when someone writes predictions, it is just before or after New Year’s Eve. But if anything is to be addressed in 2020, it needs to be considered in the budget planning already this fall. And also, I wasn't planning to talk about the usual attacks and payloads. Instead I wanted to talk about some important trends and influences that are shaping management decisions and priorities for 2020.

1. Escalating Nation-state funding

Just a couple of years back, nation states engaging in, or funding offensive cyber operations was something just a few nations were capable of.

Of course, many countries are strengthening their defensive capabilities, but many are at the same time working on offensive strategies in the area of cyber. The reason behind this is often to complement their military capacity, but this can also be utilized as a powerful tool to create economic advantages in a global market. This is something that all CISO's, Risk Managers, CEO's etc. need to consider when developing their cybersecurity plans for the future.


2. Outsourcing to ensure predictive capabilities

Threat landscape, compliance requirements and digital transformation are all adding pressure on an already burdened security organization. It is important for decision makers and managers in IT to keep the holistic perspective on cybersecurity; this should be a matter of ensuring the organizations capabilities.

Ensuring capabilities requires not only state of the art solutions (tools), but it is in fact techniques, people and processes that make the difference.

If you are operating in a market (like in the Nordics) where you have very limited access to talents to come work for you, you are probably one of those who are looking at contracting a partner to provide these capabilities for you. The MSSP (Managed Security Service Provider) market has reached a level of maturity that makes it a fast track to all the capabilities you need. And when we are talking about operative capabilities, what you need is the ability to:

  1. Identify and prioritize what needs to be addressed in order to be able to protect the organization.
  2. Protect organizations assets, i.e. Information, Infrastructure and Brand against threats.
  3. Detect threats that has managed to breach your protective efforts.
  4. When a threat is detected, you need to be able to Respond quickly and accurately, in order to minimize impact and reduce down time.
  5. Recovering from an incident is an invaluable opportunity to learn from your experience. Take your learnings and feed them into Preventive Improvements in your Protection, Detection and Response capabilities.


3. Aligning cyber risk with business risk

All areas of IT are involved in the yearly chase for their precious piece of the budget. The development within the cybersecurity area is requiring cybersecurity to get a larger part of the budget. But, to be able to compete for budget, cybersecurity managers are starting to engage with, and speak the same language as the business.

Even though cybersecurity efforts rarely can be attributed to innovate and transform the business itself, it is absolutely providing business benefits in managing risk and enabling business transformation. This needs to be quantified.

I recommend you start with looking at the ISF (Information Security Forum) approach, which consists of four phases:

  1. Establish relevance by engaging to understand the business context, identify common interests and develop combinations of KPRs and KRIs
  2. Generate insights by engaging to produce, calibrate and interpret KPI/KRI combinations
  3. Create impact by engaging to make recommendations relating to common interests and make decisions about next steps
  4. Learn and improve by engaging to develop learning and improvement plans.

You can read more about ISF's 4 step approach to relevant KPIs and KRIs here. Research organizations like Information Security Forum has plenty of tools and methods that will help you to fast-track your journey to quantifiable cybersecurity.


4. Networking to your advantage

Engaging in external networks is a great way to get access to knowledge and best-practice. You are rarely the only one experiencing your specific challenges, and usually people are very willing to share their experiences. External networks are also a key ingredient in building successful cybersecurity ecosystems. It’s not possible to fix all problems with a hammer, even if it is your favorite hammer. Sometimes, the best solution is to leverage someone else’s skills or resources. Let's help each other be more secure.

Internal networking is key in spreading security awareness, as well as getting to know the business. Your purpose is to support the business, and respond to its needs. Engaging with the organization will build relationships and improve your understanding of your business, and ultimately enable you to stay relevant. Cybersecurity is hotter than ever, and this is something that many are using to their advantage.


5. Sunshine or storm - What hides in the Cloud?

Show me an organization that is not in, or considering moving to the cloud. As a CISO, this creates a whole range of new possibilities and challenges. Your job will be to find and offer ways to enable this transformation in a safe and secure fashion.

There are many ways to secure the cloud, as well as deliver cloud-based security, and sometimes there might even be security included in the services you buy. However, never assume anything, and to make sure you don't get lost in the house of mirrors of SaaS, IaaS, PaaS etc. you should fall back on the foundational principles of cybersecurity. There are different models to work with here, like NIST Cybersecurity Framework and ISF’s Standard of Good Practice for Information Security 2018.


Runner up - Practice makes perfect

As an organizations cybersecurity matures, they tend to shift their focus away from the protective efforts, and focus more on detecting, responding to, and preventing threats. And just as with fire evacuation as well as firefighting, solid training and regular practices drastically increases the probability of a positive outcome.

In the world of Cyberdefense, most organizations have been performing penetration testing and developed their end-user security awareness programs for many years, so the maturity level there is rather high. However, when it comes to training the security professionals, most organizations are just beginning to create structures. Today, continuous Red team-Blue team exercises, Incident Response training and Resilience Testing is what characterizes a very mature organization. But as organizations improve their cybersecurity posture, this will be an important factor to get the most out of their cybersecurity investments.


New year’s resolution

If I would leave you with just one advice, it would be to make 2020 the year when you align your cybersecurity with your business. If you haven't already. This will make sure you are able to deliver maximum value to your organization, and support your organizations modernization.


Oskar Ehrnström



Oskar Ehrnström
Lead Business Development Manager

With over 20 years of experience in sales and marketing, and with 11 of those as a leader and trusted advisor within cybersecurity, Oskar Ehrnström drives business innovation and transformation within Tieto Security Services.


Oskar Ehrnström

Lead Business Development Manager

Share on Facebook Tweet Share on LinkedIn