ISF's Durbin: IoT, Government Intervention Are Top Future Security Challenges

Government intervention, risk management changes and technology adoption (think internet of things) are the three broad trends affecting the confidentiality, integrity and availability of information of the next two years, according to the Information Security Forum (ISF).

The ISF’s Threat Horizon 2018 postulates that information security threats will certainly intensify over the next two years, and organizations risk becoming disoriented as they grapple with complex technology, an explosion of data, increased regulation, and a debilitating skills shortage.

Technology adoption dramatically expands the threat landscape. Technology increasingly becomes an integral part of even the most mundane everyday activities, resulting in an expanded and more complex threat landscape over the next two years.

Governments are expected to become increasingly interventionist. “Governments will adopt a more intrusive approach to organizations, which is often justified as combating organized crime or deterring anti-competitive practices,” the report noted.

Also, the ability to protect will be progressively compromised as established methods of information risk management will be eroded or compromised by internal or external non-malicious actors. And, this is exacerbated by trend No. 3, where technology adoption dramatically expands the threat landscape. As technology and IoT devices increasingly become an integral part of even the most mundane everyday activities, ISF expects this to result in an expanded and more complex threat landscape over the next two years.

“There is a danger that in our rush to embrace IoT and derive benefit from the interaction that such devices provide (along with the associated insights and business opportunities), that we focus too much on the device and not enough on the data,” said Steve Durbin, managing director at the ISF, in an interview. “We need to see more devices having security designed in from the outset, but in the meantime we need to apply more rigor to our risk management processes.”

This takes an understanding of how to best protect the highest value data that is being collected, shared and stored both at the outset and at end of life, he said. That presents a significant risk management challenge.

“Not least because of the sheer volume of data that abounds, but again, with regulators tightening the controls on what organizations need to be doing to ensure privacy and protect personal data (not to mention intellectual property, business critical data insights, research and development),” he said. “We need to be sure that we fully understand the risk level we are operating at and to ensure that it is in line with the risk appetite of our organizations. No small task.”

Durbin also said that two issues will continue to provide the backdrop for dealing with emerging threats for the foreseeable future: the endemic cyber-security skills shortage, and the lack of board-level awareness of threats.

For one, he said not to expect the skills shortage to go away any time soon.

“The means of dealing with it will be twofold: one by increasing the dependence on technology, but with this will also come challenges and the introduction of new threat vectors (overdependence on vendors, assumptions around code integrity, algorithmic risks as outlined); and secondly, expect to see organizations spending more on growing their own talent and attempting to retain key resources through retention planning and career development opportunities.”

These efforts will play out as C-suite awareness slowly improves.

“Initiatives such as ‎the Senate proposal in December to have someone on the board who understands cybersecurity will help, but it will be increasing regulation and legislation with associated penalties for non-compliance (EU GDPR) which will begin to drive home the need for cybersecurity to be a board level matter, fully represented, probably via the risk or finance route,” Durbin explained. “But in this area too we see skills shortages in the people capable of straddling the business and cyber-divide. I expect these skills to be increasingly in demand.”

Photo © Volonoff

What’s Hot on Infosecurity Magazine?