Information security has come a phenomenally long way since the first anti-virus software appeared in the US a quarter of a century ago, but some observers say – perhaps rightly – that information security has evolved more swiftly in the last 25 weeks than in the previous 25 years.
The rapid pace of security evolution is being driven by a technology change that is equally dramatic. Where, then, will we be in ten years’ time on the information security front?
Infosecurity put this question to some of the industry’s key players and received some surprising responses.
Part of the human psyche
Nigel Stanley, practice leader for security with Bloor Research, says that the current task of information security, which seeks to defend networks, desktops, laptops and smartphones against an increasingly sophisticated tsunami of security threats, will change markedly by the time 2020 rolls around.
“We are seeing a very profound change in the way people interact and work. People are communicating as never before. The inventor Nikola Tesla said back in the early part of the 20th century that people would have personal information communicators by the year 2000 and that has clearly happened”, he says.
“However, what has not changed is that people in 2010 still want the same things as they did in 1910: good jobs, health and money”, he adds. Because of this, Stanley argues that whatever technology we use in 2020 will be similar in concept to today’s computers.
We are, he says, talking about computers in their broadest sense: come 2020, Stanley expects the technology we use to be a central part of the human psyche and of the inherent need for people to communicate with each other.
Against this backdrop, Stanley says that, although the technology that people use will change markedly by 2020, the security threats – and therefore the information security solutions needed – will not change as significantly because black hats will still be a threat.
“The biggest challenge the information security industry faces is the development of quantum computing and its ability to crack encryption algorithms in relatively short timescales. If you can factor numbers rapidly by 2020, where does this leave encryption as a means of protecting data?” he asks.
Information security history, he continues, has shown us that the infosec evolution has always been symmetric, and there is no reason to think that symmetry between the black hat attack vectors and the solutions that we deploy will change.
A radical transformation
Eugene Kaspersky, CEO and co-founder of Kaspersky Lab, takes a more radical view of technology: by the year 2020, he says, the IT infrastructure as it is today will have disappeared, along with the internet and the information security industry as we know it. That includes the existing business model of most IT security vendors – including Kaspersky – he confirms.
Kaspersky predicts that by 2020, people will be using digital mobile devices, clipped to their belts or in their purses, which will contain all the required data they need access to. That means a lot of data – petabytes – if needed.
Mobile networks, he says, will take over from ISPs, and quite probably, IT security vendors, as they will wield immense power. Desktops, laptops and computers, he predicts, will have disappeared as we know them today.
IT security, says Kaspersky, will still be needed, as there will be a strong need to authenticate the user of these highly portable digital devices.
So here’s the bad news, says Kaspersky: The bad guys will still be around, working out the highly sophisticated attack vectors they need to employ to defraud people, systems and other entities. “There will be a new generation of malware. Cybercriminals are always watching for new services and ways they can defraud you. If you slow down on the IT security front, you are going to be dead, as it is now a state of constant war”, he declares.
Kaspersky’s prediction of a new IT backdrop for an ongoing battle between black hats and IT security professionals is similar to the 2020 landscape envisioned by Peter Wood, chief of operations with penetration testing specialist First Base Technologies.
Wood, whose IT experience dates all the way back to the late 1960s, and who is an ISACA conference committee member, predicts that information security will almost certainly still be a headache in 2020.
“Every time a new technology arrives in the marketplace – whether it’s mainframes in the 1960s or social networking in the 2000s – it arrives with little or no security. Security has to be retrofitted and added as technology evolves”, he says.
The problem of defending company IT infrastructure in 2020, he continues, will be that users will be hard-wired into the technology, with in-body wireless connectivity or similar technology to deal with. IT history has shown that inventors do not think outside of the box, but when cybercriminals do, it’s then that problems arise.
“Even if you secure the immediate IT environment in 2020, history has also shown that hackers will move on to the next level. If the operating system is locked down, they move elsewhere”, he says.
Despite the brave new technology world of 2020, Wood believes there will still be a lot of legacy technology around dating back to the present day. “Most businesses cannot afford to change. We’re seeing this in the clients whose systems we pen-test and check for security”, he says. “Corporates will still be using similar technology – and information security – in 2020 as they do today”.
A lot to defend
Fellow ISACA board member – and the security association’s vice president – Rolf von Roessing, disagrees slightly, insisting that wearable IT will become the norm, in business and in leisure, in 2020. He observes that history shows that each generation tends to forget the mistakes of the previous generation.
“By 2020 there will be an awful lot of technology around that we will rely upon for our day-to-day lives, whether in business or outside. This technology will effectively dictate what you can and cannot do”, he says.
“If hackers gain access to this technology, you will be in deep trouble, as you cannot perform your basic day-to-day functions without access. The big problem for information security professionals – who will still exist in 2020 – is how much invasive security will the users put up with”, he adds.
Then there’s the problem of who supervises the overall security. Will it be the government, or will it be major IT companies, he asks.
Because of the changes in technology, von Roessing expects that the real control over IT security in 2020 will be in the hands of far fewer people and companies than at present.
Furthermore, the ISACA vice president says that end users will be far less concerned than at present with their IT security. It will, he predicts, be highly transparent to most businesses and people.
“The big question is who’s in real control here? This is about IBM and Microsoft actually controlling the people more than the government, which means that the information security has to be 100% watertight, otherwise we could be in big trouble in 2020”, he says.
Boundaries will blur
Darren Turnbull, product management director with Fortinet, has a considerable track record in IT. Infosecurity asks him where information security vendors will be in 2020.
“By the end of the decade”, he says, “we will have reached the end of our ability to control our technology, but IT will evolve and people’s usage will evolve as well.”
Defending the IT resource, however, will not be easy, as the traditional boundaries that today’s businesses see on their IT assets will blur considerably.
“Facebook and other social networks have given users the ability to chat interactively on a near anytime, anywhere basis. That’s good, but what happens when the social network operators start to monetise their business?” he enquires.
The difficulty of defending your company and personal digital assets in 2020, he adds, will be compounded by the fact that the IT infrastructure will be ostensibly hidden to many people. Because of these factors, Turnbull says the task for security professionals will be a lot harder in ten years’ time, as vendors will first have to map exactly what they are trying to defend against hackers and their multiple attack vectors.
You don’t, he explains, lock your house when you go out because you want to. It’s because you have to.
“It’s the same with IT security. Users will have to defend their digital assets, and not just because they want to. Security vendors will have to develop technology that is a lot easier to use and is far less obstructive than it is today”, he says.
Like ISACA’s von Roessing, Turnbull is concerned about who will control the IT infrastructure in 2020.
Will there need to be an IT security vendor landscape like there is today? Probably not, he says, as the control the major companies will exert on the technology landscape of 2020 will be a lot stronger and far more resilient against hackers and cybercriminals.
“If you look at the iPhone you can see where technology is headed. It’s great technology, but Apple controls everything, right down to what software you can run”, he says.
Sure, he adds, some users jailbreak their iPhones, but come 2020, he predicts that this need will disappear, as the vendors will have got the technology just right.
Why does Turnbull expect this to be the case? “Because the IT industry, including the current information security business, right down to CISOs and their teams, have no choice”, he responds.
“The cost of closing the security window, if it is allowed to open, in 2020 will be too great. There is a cost-risk equation here and the equation says the IT vendors will not allow their architectures and systems to have any security issues”, Turnbull asserts.
The comments collected for this article make one thing clear: the information security landscape will certainly not be immune to change in the next decade.
The good news is that the infosec industry will keep pace with the evolution of technology and the cybercriminal threat that hackers will pose.
The potentially bad news, however, is that information security will be more centralised, undoubtedly meaning there will be fewer IT security vendors/suppliers and people needed to control the technology at the sharp end.
This could, nevertheless, be a blessing in disguise, as the soft skills that many IT security professionals are well versed in today will be more in demand come 2020. This has to be good news for the salaries of CISOs and their IT professional teams, as staff remunerations will be healthier in 2020 than at present.
According to John Colley, managing director of (ISC)² EMEA, the average salary of information security managers in 2009 was £50 000 – one wonders how much that figure will rise to by 2020?
But that, of course, is another prediction entirely…