Happy New Year, everyone! While it’s ever-so-tempting to begin this blog post with an already overused “2020 vision” cliche, I will resist the urge and carry on without. We hope that yesterday’s holiday brought everyone good company, great cheer, and a renewed sense of opportunity for what the next 365 days may bring.

Here at Rapid7, we have continued one of our favorite seasonal traditions by rounding up a slew of security pros to predict what will come to be in the coming year. Interested in what the group had to say? Read on!

Shawn Valle, Chief Security Officer, Rapid7

In the next year, I expect to see more consolidation in the cybersecurity space. We have seen traditional network security companies in an acquisition frenzy in 2019, scooping up quick-growth security product companies. I predict this will accelerate in 2020, though I also anticipate new players will emerge with newer capabilities and fill the gaps left by acquisitions.

Steven Maske, Information Security Manager

Generally I try to avoid predictions, but I have no doubt we’ll see more of the same.
The one thing we can count on for sure is more regulation. GDPR is in full force, so I imagine we’ll see a few landmark fines and CCPA will bring new challenges for organizations. A number of other states have consumer protection laws in various stages of development, so it’s bound to get interesting attempting to comply with all of them.

Deral Heiland, IoT Research Lead, Rapid7

I predict we will see cyber-attacks against smart cities on a scale never before encountered as cities continue to move to smart technology such as lighting, traffic control, mobility solutions, and fire and safety. This could potentially have serious impact on day-to-day life within impacted cities that could potentially bring city life to a screeching halt.

Tod Beardsley, Director of Research, Rapid7

I think 2020 will be a great year to be a radio hacker. More IoT means more IoT radio, and the exceedingly cheap and ubiquitous gear for radio hacking with software-defined radio (SDR) software and hardware means that we're going to hear about a ton of radio-based infoleaks and attacks affecting all sorts of devices.

Katie Ledoux, Senior Manager, Trust & Security Governance, Rapid7

In 2020, we’ll see more third-party risk management programs (yay!) but many of them will fail to drive significant risk reduction (boo!). A lot of organizations have implemented third-party risk management programs over the past few years. I love to see organizations really paying attention to which third parties they're sharing data with, and digging into how those third parties are protecting their data.

Harley Geiger, Public Policy Director, Rapid7

Cybersecurity will feature in electoral politics in 2020. Expect candidates to talk about privacy and cybersecurity at a high level. It's become an issue that gets at least a mention in modern candidate platforms—if a platform excludes cyber or does a good and detailed job describing it, that's telling. For some candidates, this may be linked to a broader message about corporate reform, regulation, or national security.

Chad Kliewer, Information Security Officer, Pioneer Telephone Cooperative, Inc.

We will continue to see a ton of technical vulnerabilities uncovered, overwhelming organizations of all sizes with perceived problems that don’t deserve everyone’s attention. I am very hopeful that work will progress on the human vulnerabilities and educating the public on the issues that really matter without using scare tactics. I do foresee a concentrated effort on small and medium business (SMB) information security awareness.

Bob Rudis, Senior Director, Chief Security Data Scientist, Rapid7

I predict the ransomware industrial complex will bottom out after Q2. Signs are pointing to a “bust” period for digital currency markets, and lawmakers are finally starting to take action at every level of government. This will put the brakes on what has been a fast-forward favorite attack for many an adversary.

Matt Scheurer, Senior Systems Security Engineer, First Financial Bank

Some organizations will struggle with an increased attack surface of vulnerabilities in 2020 with vendor support officially ending for Windows 7 and Windows Server 2008 R2 in mid-January. Having a handle on vulnerability management will become increasingly important during the coming year, especially in light of recent trend reports indicating an uptick in ransomware attacks. I predict an increased demand for mitigation strategies and compensating controls as vulnerability attack surfaces increase in organizations struggling to upgrade their environments. With a recent stream of privacy laws enacted, I expect an increased focus on data governance and DLP strategies across organizations.

Tod Beardsley, Director of Research, Rapid7

Election results across the United States are likely to be called into question as years of fretting about election security come to a head and losing candidates see an opportunity to blame The Cybers.

Mitch Skinner, @skirmitsec

Container and cloud provider security are going to be critical for more than just development shops. As more mature organizations continue to move to the cloud, internal security teams will be required to learn how to secure it. More mature organizations will be hiring exclusively for people with cloud security experience. More mature organizations will (hopefully) be paying for employees to take cloud security training.

And of course, more unsecured AWS environments and the like are going to be exposed, accidentally causing more breaches.

Bob Rudis, Senior Director, Chief Security Data Scientist, Rapid7

DoH / DoT will become the bane of infosec and IT departments worldwide. Thanks to “HTTPS Everywhere,” everybody seems keen to slurp up our DNS queries these days. IT departments will be fighting browser manufacturers for the entirety of 2019, and attackers will use these peek-proof channels to command, control, and exfiltrate ALL THE THINGS!

Harley Geiger, Public Policy Director, Rapid7

China and the U.S. will continue diverging on their vulnerability disclosure policies. The U.S. government increasingly sprinkles standards-based coordinated disclosure into its policies. In 2020, China will take a sharply different approach with regulations restricting vulnerability disclosure.

Pedro Dominguez, Senior Security Engineer/Architect, City National Bank of Florida

I predict this to finally be the year looking at IPv6 attacks to be a requirement for many organizations. It will be interesting to see the defensive response.

Deral Heiland, IoT Research Lead, Rapid7

I predict smart technology manufacturers will embrace security in 2020 and begin to understand the impact of improper security within their products. With that knowledge, they will begin to implement better security programs that include product testing prior to go-to-market, improved automated patching solutions, and internal reporting processes so any issues discovered within their products can be easily and quickly reported for resolutions. IoT manufacturers that do not get this will see the impact of not embracing good security practices within their sales and market share.

Shawn Valle, Chief Security Officer, Rapid7

As SOAR started to grow in 2019, I believe it was mostly on the “A” automation side. I anticipate the “R” will ramp up in 2020, with automation in security patching and incident response picking up and the overall SOAR market heating up.

It’s your turn!

We’d love to know what you’re expecting to see in the coming year, so hit us up on Twitter (@Rapid7) using the hashtag #Rapid7Predicts to share your own predictions. Also, if you’re interested in seeing how our predictions have stacked up in past years, check out our previously published New Years prediction blogs here: