Understanding the uncertainties of cyber security — Morris McLane
Business as we know it is undergoing one of the most drastic changes it’s seen, and technology is at its heart. From online operations to cloud computing, companies are embracing technology in a variety of ways, and cybersecurity is rising in importance as a result. Sadly, uncertain politics and untested applications mean cyber-attackers are continually finding new ways to launch attacks. To protect themselves and their clients, chief information-security officers (CISOs) must, therefore, be at the forefront of emerging cybersecurity organizational and operational models.
As soon as you turn your attention to this issue, you’ll realise just how many uncertainties cybersecurity can bring. In fact, perfect foresight here is impossible, meaning you have to stay ahead of the curve to protect operations. To do that, you must understand the uncertainties of cybersecurity and implement a working hypothesis to manage them. To help you do that, we’re going to look at the cybersecurity uncertainties you should consider in 2020 and beyond.
How market expectations shape modern cybersecurity
While consumers haven’t paid much attention to cybersecurity implementations until now, that’s changing as large-scale threats come to the fore. Now, individuals and nations are setting security expectations that are shaping cybersecurity as we know it. By keeping on top of these, and even foreseeing them, you can stay one step ahead of security uncertainty at all times.
Regulatory, political, and environmental expectations
Perhaps the most notable market-based cybersecurity shift is that of regulatory and political expectations. Companies looking to operate in areas like Europe, Brazil, California, and more must now adhere to strict data privacy rules that often bring contradictions between data protection and the security you’re striving to achieve. Moving forward, it’s therefore vital both to be aware of regulations and to consider whether you can reconcile privacy and security in your chosen markets.
What consumers want
It’s also vital to consider the expectations of consumers. In keeping with the regulations mentioned, clients typically focus more on the handling of sensitive data than they do on cybersecurity itself, a fact that’s only been enhanced by wide-scale data breaches. But uncertainty dictates that this indifference could shift, especially as issues of cyberthreats reach the public domain. As such, it’s vital to understand this capacity for changing priorities and apply your incident-response plans accordingly. To do this, consider both where your client sensitivity lies and how you can keep concerns at a minimum moving forward.
Uncovering evolving risks
Once you know what the market expects, it’s time to consider how you can tackle evolving risks moving forward. These may be uncertain, but trends, technology, and more can pave the way for an understanding of issues you’re likely to face. Advancements at the moment suggest that evolving risks could include –
Targeting by nation-state actors
Global tensions are reaching breaking point, and nation-state actors are turning towards cyber operations rather than war. As such, there’s some risk that companies will become collateral damage or even direct targets for geopolitical threats. This is something we’ve already seen in the NotPetya attack, as well as potential claims of media manipulation and election interference.
Whether or not these claims pose a significant company risk has yet to be seen, but businesses should be treating them as such. Government bodies and security agencies have access to the most advanced cyber threats in the world, after all, and companies could suffer significant breaches without due preparation. As such, you should think about how you can manage security in the face of direct and collateral compromises.
A new technological environment
The Internet of Things (IoT) has opened many connective possibilities for companies, pervasive sensors included. Thanks to this advancement, businesses can generate massive amounts of sensitive data across a range of networks. As much as this spells good news for operations, however, it also increases the stakes of cybersecurity. With such an influx of new data, companies will have to consider both what kinds of information they’re collecting and who would benefit from compromising it. Most companies are already preventing executives and managers from sending or even viewing sensitive documents on private devices for this reason. Moving forward, it may be necessary to take security steps here even further by prohibiting even company calls taken at home in IoT-compromised spaces. One thing’s sure: both understanding and foreseeing the uncertainties of this new pervasive sensor environment are essential.
Compromised machine-learning capabilities
Machine-learning systems are now a widespread favourite among businesses, providing as they do an opportunity to optimise business, understand analytics, and much more, all without adding to workloads. That said, it’s also vital you understand the propensity for compromise where your machine-learning capabilities are concerned. Due to the automated nature of analytics like these, a cybersecurity compromise here may be incredibly challenging to detect. While retaining the easy-to-achieve analytics of this modern business model, it’s therefore vital for companies to consider how they can ensure the validity of their machine-learning results moving forward.
Quantum computing compromises to encryption
Encryption is the cornerstone of cybersecurity, yet even this may come under fire in a decade due to quantum computing. Because quantum computers encode information into qubits that can exist in superposition, predictions suggest they could crack standard encryption within 24 hours. While quantum encryption should be able to protect against such quantum-based decryption, studies indicate this security countermeasure is as many as twenty years away. That leaves a large gap of untested cybersecurity landscape, and it means you need to start foreseeing a switch to quantum risks now if you’re to stand any chance of retaining security.
Understanding the evolution of security protections
Looking at the potential risks set to evolve in the coming decade or less can paint a rather bleak cybersecurity landscape. Still, it’s vital to note that cybersecurity protections are also advancing quickly, and implementing these can help you to negate and account for upcoming risks. To stand your best chance at protection even in this climate of evolving cyber threats, you must consider protections such as:
The zero-trust model
Zero-trust working models operate on the assumption that no one on a network gains access to sensitive information unless it’s expressly granted. This ensures tailored levels of security on each application while limiting the ability of hackers to move across technological structures. The one downside is that fewer than 10% of companies believe they’re ready to implement zero-trust applications across the board. Still, some outsourced services are already making this method possible with specific applications, and considering these alongside developments could help you to enhance zero-trust capabilities in the least possible time for improved security moving forward.
The end of passwords
Despite being an age-old security method, many CISOs now realise that passwords open companies to all manner of security risks. As well as writing down passwords for memory purposes, many employees will use the same password across their accounts, and thus leave cybersecurity compromised in a significant way. That’s why it’s also vital to consider how you could eliminate the need for passwords and the risks that come with them. By instead using authentication methods like fingerprints and even facial recognition software, you could drastically increase security levels within your operations. To make this work, simply think about how you can implement authentications that continue to meet security standards and regulations.
The evolving security-technology market
The security-technology market should, in theory, be at the heart of your cybersecurity methods, but this isn’t always the case. In the past, security-technology offerings have been unworkable and, frankly, risk-filled. As cyber-threats increase and evolve, however, the security-technology market is also evolving to meet new company needs. Instead of assuming you have to find alternative ways around the cybersecurity landscape, then, it’s worth considering advancements here as they evolve. To get on top here, you need to ask market leaders both how their offerings can benefit your security landscape and how this differs across market segments.
Security in the cloud
Cloud computing is drastically growing in popularity among businesses for both ease of use and remote working capabilities. Yet, CISOs everywhere are still struggling to maintain security in this new storage market. When it comes to considering cybersecurity in your cloud infrastructure, there are two main pointers to consider depending on the size of your operations, and they are –
Is security possible in large-company cloud consumption?
Cloud computing may offer exciting and cost-effective business operations, but many larger companies are still reluctant to implement this modern business must-have. This is primarily because risk assessment and system configuration are both long-winded processes for companies using large numbers of potentially cloud-based applications. To work around this, larger companies primarily need to consider how quickly they can build cloud-enabled security, and which opportunities are available to them.
Could smaller companies use cloud services to reduce security footprints?
While large companies struggle to restructure security around the cloud, smaller companies should be revelling in the opportunities on offer here. That’s something you can make sure of by considering the level of risks inherent in accelerating your transitions to business applications such as SaaS and network connectivity.
Final thoughts on security operating models
By definition, a security operating model is a collaborative, continuous improvement process that aims to sustain control and secure your enterprise. As such, it makes sense to wrap up this article by considering how exactly security operations and their implementations fit with the uncertainties you’re attempting to understand. As you can guess, operating models are also evolving in the ever-changing cybersecurity landscape, but how?
Improvements in the cyber insurance market
Until now, cyber insurance has been risk-filled at best, despite predictions that it’s set to be the ‘next big thing’ in cybersecurity enhancement. In practice, insurers typically fail to consider everything from reputational to cyber risks. As such, most CISOs have shied away from cyber insurance implementation, but things may be about to change. While we have yet to see any valid results from this platform, the emergence of quantitative assessment methods could see carriers successfully insuring against risks if they pay due attention to their underwriting processes.
The developing scope of security organisations
As cybersecurity comes to the fore, management teams and more are realising the need for on-hand security organisations. That’s good news for your security bottom-line, but it may not mean implementation right now is your best bet. In reality, the organisational structure of cybersecurity in businesses is still far from stable, with companies implementing a variety of structures, including –
IT-risk groups responsible for security, compliance, business continuity, and more; integrated organisations that deal in both cyber and physical security; and combined security and privacy efforts.
As of yet, it’s unclear which, if any, of these organisational efforts can improve cybersecurity in accordance with evolving needs. As such, it’s vital to continually watch developments so that you can see which organisation emerges as successful, and implement it into your operations.
The evolution of cybersecurity talent pools
Cybersecurity talent has long been in short supply, with few people foreseeing that it would become such an essential aspect of modern business operations. As demand for cybersecurity professionals comes to the fore, however, more and more individuals are opting to take cybersecurity-specific courses. As such, CISOs should consider how available talent can align with security strategies right now. It may be, for instance, that outsourcing to someone with low-end cybersecurity experience is best until experts with advanced skills are available. Or, you may prefer to keep cybersecurity in-house until more advanced professionals are filling said talent pool. Either way, you need to think about your cybersecurity both right now and in the future.
There may be no exact science to understanding the uncertainties that surround cybersecurity right now, but there is enough information out there to help you make pretty educated guesses. By considering what you do know about how cybersecurity looks set to evolve in the coming years, you can undoubtedly improve processes until this landscape becomes more stable for full-blown implementations later on.
Originally published at https://morrismclane.com on November 2, 2019.