One Person’s Opinion on Cybersecurity in 2020: Part 2 (What Won’t Happen)

Tim Junio
Expanse Co-Founder and CEO Tim Junio.

People love stories, so here are some stories about the future based on what I learned last year. I’m the CEO of Expanse, which sells Internet Operations Management software to very large companies and government agencies, including cybersecurity buyers.

In Part 1, I highlighted five consequential things that I think will happen in 2020: fragmentation of the Internet will accelerate; AI will get attacked in the wild; enterprise networks will adopt or perpetuate hybrid models; Internet attacks will be copied faster than ever; a major supply chain breach will occur.

In this article, Part 2, I share some opinions on three hyped technology trends that won’t matter much this year.

1. “AI” or “automation” will not solve, or even modestly ameliorate, cybersecurity labor deficiencies.

Two of the buzziest expressions in cybersecurity today are “artificial intelligence” and “automation.” Go to a trade show and you will see dozens of vendors touting AI or security automation technologies. Go to an industry event and you will hear IT and security teams claiming to have implemented automated solutions.

Scratch the surface, and the claims quickly fall apart. Cybersecurity AI or automation almost always means creating a rule that does not cut across various platforms, conditions, and business units. Such systems are brittle; they are often only an upgrade cycle or product change away from completely breaking. And the automated output is usually a ticket in a work queue for humans.

This isn’t anybody’s fault or deficiency; it’s a really, really hard problem. The challenges are not implementation challenges. They are foundational technology challenges. Foundational technology doesn’t emerge overnight. There is no glimmer of a major breakthrough in academia, or DARPA, or big companies anywhere close to the AI innovations we’ve seen in other fields like advertising or computer vision. There may be one coming, but not likely this year.

I believe that we’re going to see more spending on managed service providers and consulting firms to supplement insufficient in-house labor. This will continue to lead to a workforce that is understaffed, undertrained, and highly mobile between employers.

2. Blockchain is not going to revolutionize anything.

It’s been a great run for (some) cryptocurrency speculators and startups seeking to take a coefficient of that new market, but it’s been awfully quiet waiting for technology breakthroughs associated with blockchain. Simultaneously, blockchain continues to come up as a technology area in cybersecurity, and I’m often asked about it while generally around in the world.

Among my 2020 predictions is that we’re not going to see a takeoff in important solutions involving blockchain technology. My belief is driven by how I’d answer two questions: Is there a compelling use case for blockchain, and can existing technology address that use case?

Most proposed applications of blockchain are solvable by existing technology, including classic crypto that has been around for a very long time, like certificates, public key infrastructure, etc.

The use cases that make sense for blockchain technologies are those that benefit from decentralized control, such as validation processes that are shared between organizations. In the rare circumstance that no one should be trusted — not Google, not DNS authorities, not ICANN, etc. — then a distributed ledger might be an elegant solution.

Even the most compelling use cases for blockchain suffer, though, from various factors and therefore I do not think will make it into a big bucket of spend in 2020. First, the talent market is tiny. Second, turnkey solutions do not exist yet — everything is custom and contingent on hiring or contracting within the small skilled labor market. Third, governments will likely push back on more than just cryptocurrency for taxation — as in other areas of cryptographic security, many countries require cooperation for law enforcement purposes. Distributed secure systems may fail to be certified in some regions, whereas centrally managed traditional cryptographic systems fall within known compliance and legal regimes. That may not be good for how you personally feel about Internet freedom, but it’s the reality of how modern enterprises have to operate.

3. Commercial cloud will not be a security panacea.

It’s new conventional wisdom that commercial cloud products, like Amazon Web Services or Microsoft Azure, are more secure than customer-managed on-premises infrastructure. There are many reasons: cloud providers have strong incentives to get it right, they can hire top talent, it’s easier to keep software up to date, etc.

I believe it’s true that on average, companies are more secure in cloud environments for those reasons. However, this is the case for small-to-midsize businesses, not large enterprises. A surprising lesson I learned in 2019 is that almost no big companies have worked out how they are going to do cloud governance and security. The problem for big companies is very different from small ones because of their multi-provider, hybrid environments.

Unlike many other security practices that have evolved over decades, there is no handbook and set of standards regarding how to set up and maintain a hybrid corporate network that includes multiple clouds, on-premises assets, subsidiary networks, regional offices, etc. Companies are figuring out solutions for the first time, and often for themselves.

This means that commercial clouds can actually increase the risk to large enterprises, because they increase the prospects of shadow IT (e.g., the company decides to use AWS, but an employee sets up an unmonitored asset in Azure) and other security risks.

CISOs are always chasing two basic things: visibility and control. Complex network architectures, including cloud as part of a broader solution set for enterprise computing, definitionally reduce visibility and control. While I’m optimistic regarding how major cloud providers can help with visibility and control in their environments, I am very worried about the near-term implications of cloud as a new, ungoverned layer of complexity in big networks.