The worst thing that organizations can do is take a hard stance with their cybersecurity efforts. The digital threat landscape is constantly evolving. If organizations settle into a viewpoint, they could elevate one source of risk into something unrealistic—all while missing other digital threats.

This reflects just how much assumptions drive cybersecurity-related decisions. Forbes put it this way: “Risk assessment, budgetary needs and priorities are the outcome of hypothetical debates and are subject to internal pressures and politics. Both security professionals and business executives continuously seek solutions or methodologies that will put a $ sign next to their investment, as well as risk.”

Consequently, it’s no surprise that there are open questions in cybersecurity about where organizations can take their strategies in the next few years. Here’s a recap of five open questions that are currently shaping the cybersecurity space and how we are seeing them addressed in the industry.

1. Do Passwords Do More Harm than Good?

Technology firms like Microsoft are abandoning the password for three reasons. First, they’re looking to Single Sign-On (SSO) and other technologies that don’t hamper their workers’ experience and productivity as much as traditional password-based identity protection. Second, passwordless authentication makes it easier for organizations to defend their authorized accounts against brute-forcing, credential stuffing and other attack attempts that rely on guessing weak passwords. Third, organizations are choosing to embrace multi-factor authentication (MFA) and other controls as a way of limiting what a malicious actor could do with a compromised password.

But there are risks involved with implementing passwordless authentication. For instance, fingerprint readers, biometric scanners and other security measures provide new targets that attackers can potentially misuse to access user data. Passwordless authentication also does not exempt organizations and users from phishing attacks, scams and identity theft.

Notwithstanding those risks, passwordless authentication is here to stay. Organizations, therefore, need to understand its associated benefits and risks so that they can best protect their users going forward.

2. Do Firewalls Serve Any Purpose for Zero Trust?

The answer is nuanced. Traditional firewalls can’t protect organizations against threats that infiltrate the network. As such, they can’t help organizations uphold zero trust.

But the same doesn’t apply to next-generation firewalls (NGFWs). These types of firewalls can complement zero trust by functioning as segmentation gateways, multifaceted tools which leverage network access tools, micro-segmentation, web application firewalls and other functionalities to enforce zero trust. Segmentation gateways operate at the center of the network, not at the perimeter. In doing so, they provide insight into data access that infosec teams can use to spot a potential attack before it evolves into a security incident.

3. Can Cyber Ranges Help Organizations?

Demand for cyber ranges increased after organizations shifted to remote/hybrid work in 2020 and following high-profile attacks like the Colonial Pipeline incident. It’s important to keep in mind that not every organization needs a cyber range on a long-term basis. Some just can’t justify the cost of building and maintaining one.

That said, cyber ranges do carry benefits. They provide a means through which organizations can improve the level of coordination and experience of their security teams, for instance. Through cyber ranges, infosec personnel can immerse themselves in real attack scenarios and explore what a live response would entail. Cyber ranges also help organizations to satisfy the compliance standards and mandates established by the National Institute of Standards and Technology (NIST) and other bodies.

Organizations just need to remember that not every cyber range is created equal. With that in mind, they need to figure out which type of cyber range fits their security needs. From there, they can build and maintain a solution that works for them.

4. Is a Traditional Career Path Required for Security Pros?

Not even a little bit. Infosec personnel come from all types of backgrounds such as playing poker online, serving in the military and obtaining music degrees. These experiences have helped to inform security professionals’ work, giving the community fresh perspectives with which they can protect organizations’ systems and data. This is to say that anyone can forge a career in cybersecurity.

5. What Can Developers Do to Ensure Their Organization’s Security?

There’s a lack of cohesion around who’s responsible for security. Many security professionals don’t trust the ability of developers to write secure code, for instance. Meanwhile, developers don’t feel they have the proper guidance to uphold security for their employers.

These viewpoints underscore a lack of clarity around digital defense in the workplace. In a recent survey conducted by GitLab, for instance, about a third of security personnel said that they were responsible for security. Nearly three in 10 participants said everyone in the organization was equally responsible, while 21% said the onus was on developers specifically.

Clearly, something needs to be done. Most developers are releasing software and apps more quickly today than they did just a few years ago. This highlights the opportunity for developers to play a role in contributing to their organization’s security.

The key is for security experts and developers to work together as partners for the purpose of achieving secure code. One of the ways they can do that is to expose the services they provide through a seamless API consumption-based model. Doing so will make it easier for developers to blend security naturally into the software development life cycle.

Additionally, organizations can make sure that they’re providing security awareness training to their developers. These employees won’t be able to function as a full partner in DevSecOps unless they understand the security risks confronting them. With that in mind, organizations need to approach DevSecOps as an opportunity to foster a collaborative and inclusive security culture.

Cybersecurity Is Always Changing

The questions discussed above might not be open or debatable several years from now, but they give organizations something to consider in the meantime. Fortunately, the security industry is a community. As such, we’ll continue to explore these issues as a community going forward.
