http://www.digitaljournal.com/tech-and-science/technology/cybersecurity-insights-definition-of-vulnerability-will-broaden/article/563913

Cybersecurity insights: definition of vulnerability will broaden

Posted Dec 19, 2019 by Tim Sandle
According to Gaurav Banga, CEO and founder, Balbix, in 2020 infosec leaders will shift their focus from increasing their overall headcount to improving overall efficiency as the definition of a vulnerability will broaden.
According to Banga, cybersecurity in 2020 will be marked by a continued poor understanding of the massive enterprise attack surface, which will remain the root cause of much cybersecurity-related frustration and anxiety. In addition, CISOs will begin to leverage education and new tools to communicate business risk and economic exposure to the board in a way the board will understand.
To gain a deeper insight into the trajectory of cybersecurity in 2020, Digital Journal caught up with Balbix's Gaurav Banga.
Skills gap
In light of the ever growing cybersecurity skills gap and an exploding attack surface, Gaurav Banga tells us: "infosec leaders will shift their focus from increasing headcount to increasing efficiency. By prioritizing tasks based on risk, solving the most impactful issues first, CISOs can ensure that even a small team can have maximum possible impact."
The accepted definition of a vulnerability will broaden
According to Banga: "Typically associated with flaws in software that must be patched, infosec leaders will redefine the term to anything that is open to attack or damage. The impact will be systematic processes, similar to those commonly applied to patching, extended to weak or shared passwords, phishing and social engineering, risk of physical theft, third party vendor risk, and more."
Role of the CISO
Banga says: "In recent years, CISOs have gotten much desired access to the board of directors, yet have struggled to speak in a language that resonates. This has limited the value of their exposure to the board, with many struggling to achieve the appropriate backing for their initiatives. In 2020, CISOs will recognize that business leaders will never understand technical security details such as threats and vulnerabilities, and will begin to leverage education and new tools to communicate business risk and economic exposure to the board."
Massive attacks on enterprises will continue
Banga notes that "unfortunately, poor understanding of the massive enterprise attack surface will continue to be the root cause of much cybersecurity-related frustration and anxiety. Discussions with BoD members and C-suite execs on security posture will still be based on gut instinct and incomplete data. Vulnerability management tools will continue to report 1000s of issues, and BU owners will still not be able to keep up, leaving thousands of assets unpatched."
He adds that: "Senior executives will still fall for phishing attacks, with embarrassing and expensive consequences. Security teams will still not fully understand the risk of breach of sensitive data like intellectual property. CFOs will once again approve bigger security budgets, and the organization will continue to have no idea whether that was money well spent. Infosec leaders will still not be able to tell curious execs whether the company is vulnerable to the next Wannacry."
Furthermore: "Business unit teams will still surprise the security team with new soon-to-go-live product offerings that just need to be “blessed.” And by the end of 2020, most organizations will still be one bad click, a single reused password, or one unpatched system away from a major cybersecurity incident. The others will use risk-based tools to transform their cybersecurity posture."