Can we predict the future of security?

Can we predict the future of security? Yes and no, says UK security futurist David Lacey, speaking at the first Australian CSO Perspectives Roadshow in Canberra.

Lacey says that there are actually many things we already know, and many trends that enable us to get a good idea of what the future will look like. It’s getting the timing right that can prove difficult, he says.

Bill Gates once made the point that people often overestimate what’s going to happen in the next two years, but underestimate what’s going to happen in the next 10. “He was absolutely right,” says Lacey.

“We know technology is getting faster, smaller and more numerous. We also have a pretty good idea about what the impact of major infrastructure changes is likely to be. Professors of urban planning have been looking at what the impact of changes like roads and water will be, for years – the Internet is just another one.”

He suggests that by bringing together experts from the right blend of disciplines – a lawyer, a scientist, a technologist, a security expert and so on – and by taking into account all the different trends, influences and blockers, you can actually get a pretty good idea of the future.

So what about security? Well, right now, he points out, we’re only at the very start of a move away from the kinds of industrial age, standardised organisations that have been designed around mass production.

“In these organisations you can have very strict rules; all you need to do is have a very big set of rules and laws, create a perimeter around it, and you’ve got a secure organisation. The organisation of the future will be enabled by networks with very soft internal rules and relationships – very soft policies because it’s constantly changing. It’s constantly creating new relationships, new products, it’s moving very fast, so it’s very outward looking. It will be an entirely different organisation where the emphasis is on flows of information and relationships, not on fixed assets.”

To put security around those relationships and information flows, security will need to change. “With a hyper-connected world, we’re only beginning to see what the impact might be. All of the major power in the world, all of the major assets are in data. It’s a long term trend and we’re already seeing the start of this, the new battle ground of cyber espionage and warfare.” So networks are the most important thing, he says.

“As we move forward,” says Lacey, “the value will actually be in the flows of information, not in the data assets you have. Communicating it, exploiting it faster than other people – the value is in the flows, so putting walls around everything – firewalls – isn’t going to stop that problem.”

Like clinking champagne glasses at a toast, when the number of people increases, the number of relationships in the network grows exponentially. So networks are becoming the enablers of all kinds of things, such as sharing, commerce, espionage, collaboration and communication. He describes how, over time, these changing networks and relationships erode institutional authority.

“There are fewer vertical command lines, and more people networking externally. We’re losing control of our organisations. Power is shifting more into the hands of the workforce, as with Snowden,” he points out.

“This will not go away; it has been building for a long time, as we get more networks, more systems, more databases centralised, greater privileges, more powerful tools. We’re going to have to live with people having enormous power, enormous reach; we can’t turn the clock back.”

He also predicts that threats will become more serious. People will have greater knowledge, and there’s a greater potential for collaboration in networks, so we are going to see more and more professional threats, and we’re already behind.

“Our cyber defences are currently a decade out of date – at least. Whatever you have in place, whatever you think is the accepted industry standard is not good enough for today’s world or any of the attacks we’ve seen in the last few years – so it’s certainly not good enough for the future.”

On outsourcing he’s resigned. “We’ll see increasing externalisation. Activities [work] will go to the cheapest place – we’ve seen a lot of outsourcing over recent years. It doesn’t work, but we’re stuck with it; it’s the way the world is because of short-term gain.”

And BYOD is just the beginning of infrastructure security challenges. “We’ve got a situation with mobile devices. The users have left the building and applications are following them. Apps are going into the cloud. We won’t actually need private infrastructure in the future, people will be able to use public infrastructure, if we can secure it,” he concludes.

So how are we going to trust things, let alone control things?

Controlling things, he says, might have worked in the past, but we won’t be able to do this in the future. “We’re just going to have to learn to live with that. We’re going to have to trust people and verify that trust.”

And this brought him to information itself. He says information security has three major components: availability, confidentiality and integrity. “The first thing that business ever cared about was continuity; most of the focus organisations had was on disaster recovery. Availability we’ve dealt with, but nobody cared about confidentiality. You couldn’t sell laptops with encryption. But then we had a few major data breaches and we realised losing the data was much worse. Now nobody is addressing integrity. Integrity is where confidentiality was 10 years ago.

“If you think it’s bad when somebody steals the data, just wait till somebody changes it – then you’re out of business forever. Networks tend to make these things worse – can you trust data? That’s the world we’re heading for.”

With all the things predicted that security practitioners don't like, such as mobility, externalisation, globalisation, abstraction, complexity, diversity, acceleration and volatility, how is such a future going to be possible?

Legacy is the barrier, Lacey says. New security skills will need to emerge, and we’ll need security-enabling technologies. We’ll need to focus less on safeguarding our internal infrastructure and more on external supply chains; less on backwards-facing audit and more on the present, with controls giving way to relationships and persuasion.

The answers, he concludes, could probably come from inspiration such as nature: nature has been managing complex situations for a very long time.

Stories by Mark Wheeler