With the end of 2018 rapidly approaching, thoughts are now turning towards exactly what the future holds for Cyber Security. It has been a year of upheaval, as companies increasingly prioritise Digital Transformation projects, thereby requiring a more secure Digital presence. With this in mind, we’ve pinpointed five new trends that look set to become important in the world of Cyber Security in 2019.
It is estimated that the use of passwords and tokens to identify a user will drop by up to 55% in medium-risk use cases by 2019. This is due to the increasing range of biometrics available to help establish a user’s identity, including fingerprinting, retina scanning and voice recognition. Passwords will not completely disappear, but the focus will shift to products that promote an environment of continuous trust and a good user experience.
2) Internet of Things
A significant proportion of devices in the Internet of Things (IoT) will suffer in 2019, due to poor authentication measures. As a result, they will be unable to address both old and new threats. Organisations will have to establish and carry out measures to identify authentication risks, identity assurance, and benchmark metrics to help develop these measures further.
3) Cloud Access Security Brokers
As more firms go digital, increasing quantities of data are being stored inside Cloud-based software. Organisations are still sceptical about cloud migration and must be prepared to weigh up the pros and cons of cloud access security brokers (CASBs). Increasingly, these packages will be homogeneous, bundling a network firewall, a secure web gateway (SWG) and a web application firewall (WAF) into a single platform.
WannaCry and NotPetya have already tarnished the reputations of major international organisations in the last year. Due to accelerated distribution methods and attack vectors, ransomware is now predicted to attack a business every fourteen seconds by 2019. Additionally, ransomware is moving from attacking general IT systems to specifically targeting IoT technologies and point of sale (POS) facilities.
5) GDPR and Third-Party Risks
GDPR has already changed the landscape of cyber security in the last six months, and both services and suppliers are now looking outwardly towards the business as an extended enterprise. Third parties are now liable under GDPR for the data they process, and firms must make sure they are aware of the potential ramifications.
WHAT IS YOUR GENERAL APPROACH TO BUILDING AN INFORMATION SECURITY TEAM?
I think my general approach to building a security team is focused around passion. So, you know the idea that you hire passionate people and then inspire them, rather than just hiring technically capable people because they're not necessarily the most passionate. So passion is always one of the key things that I will look at and that will come across in CVs and through interviews, you know, fairly apparently and fairly quickly.
HAVE YOU DEVELOPED ANY TECHNIQUES TO IDENTIFY GENUINE PASSION FROM CANDIDATES?
So, I think in order to find out if somebody's passionate, it's not just a case of asking them if they're passionate, it's about asking them what it is that they're passionate about, and what it is that they're doing about it. So, they could be passionate about things outside of info-sec, and that's fine in of itself. Obviously I want to know what makes them passionate about this role as well but it's going to be things like getting involved in social media, actually attending events, engaging with people, perhaps even you know, blogging or writing papers about stuff that they may not necessarily be qualified to do, but they're actually engaged enough to want to do it in the first place. I think actually finding out what it is that they're actively doing is really important. I mean, I think the benefits are getting involved in things like social media and conferences is actually that they get to engage with people who are already in the business. They're not just trying to get a job from the outside, they're trying to work with people who are already in there, who can give them advice, who can point them in the right direction, and actually who can also refer them as well. So, I think you're actually starting your career choice from the inside of a community rather than the outside.
WHAT OTHER ADVICE WOULD YOU OFFER FOR SOMEONE BEGINNING THEIR CAREER IN INFO-SEC?
I think, other advice for people starting out is things like, really find out what it is that the company you work for is doing, what is their business? What is their core business? What are they trying to sell? If you haven't read their company report yet, then how do you know what the company is actually trying to achieve? So, actually aligning yourself to the business, rather than the business of security is significantly more important. It actually changes your perception and changes your priorities some way as a result. Now that should come across as well, from the leadership of whichever company you’re in, or whichever security group you're in, but sometimes you just need to do these things for yourself and actually start to form your own opinions and then you can engage with your broader team internally, around what it is that you think you should be doing, or the team should be doing, in order to meet and further the aims of the company.
WHAT ARE SOME OF THE SKILLS THAT YOU BELIEVE WILL BE MOST IN DEMAND IN INFO-SEC IN THE NEXT FEW YEARS?
So, I think the skills that will be in the most demand in the near future, near to middle term future are things that are more hybrid skills. So, there's a lot of niche skills, so security testing or business continuity from two sides of the same coin there. But, I think the hybrid skills also involve you know, legal aspects for instance. So understanding the legal impact of you know, security provisions and privacy etc. I think people who come from a background of physical security, and then combining that with the stronger elements of information security. Having that hybrid approach is actually going to help someone be a far more rounded individual, which means that they can be fluid in where they work in an organisation, and with security teams being stretched to fulfil, you know, any demands and at any time, and short notice etc., you do need these kind of hybrid roles because they can turn their hands to most things most times, and that I think is going to be very, very key.
HOW IMPORTANT IS CULTURE WITHIN AN INFO-SEC TEAM?
I think culture is vital because a culture is what will help somebody identify with a group of potentially random strangers. It helps people, you know, create a bond; the culture will often have shared goals, or should have shared goals, it should have shared objectives, and actually people feel more aligned, and they feel more a part of a team as a result. So, actually having that culture very clearly stated is really important, and that doesn't just cover business objectives as well. So for instance, you know, one of my cultural objectives is that we work hard and we play hard at the same time. We actually try and enjoy ourselves, we try and laugh. I was in an office just a few weeks ago, and actually it was great to walk in and hear people chatting and laughing about things, the work that they're doing and, you know, some of the experiences they've had, because they are actually creating an emotional and visceral response in people, that makes them feel a part of something, makes them feel a part of something that's doing good. So culture for me is really important, and it has to come from everybody at the top, and it can manifest itself in different ways, be that going out for dinners, having social events etc. But it's also in the way that you pull together when you actually have to deliver work on very short notice in difficult circumstances; you know you can rely on people because they're sharing the same aims and goals as you are. I think a strong culture is by its very nature inclusive, and it doesn't come from a place of separation, and, you know, trying to create some niche groups etc. A good, strong culture is one that includes everybody, so I think when it comes to diversity, it should be very welcoming. It should be, you know, culturally very, as I say, very inclusive and not actually making people feel uncomfortable, or, you know, feel like an outsider.
It can come down to you know, even little things like you know, a good strong culture doesn't rely on alcohol for instance, you know, that may be an element of it for, you know, at some times but actually alcohol itself is not necessarily, you know, important for certain people, you know, be it for religious or personal reasons. So the culture has to surpass that, and actually has to go beyond just key aspects like that. So, I think it again, it depends on the environment, it depends on who's there, but if your culture stops certain people from actually entering into it, it's a toxic culture you know, by its very definition.
WHAT DO YOU TYPICALLY LOOK FOR WHEN EXAMINING A C.V.?
So when it comes to CVs, the key things for me are a social media presence, you know, and it could be Twitter, it could be LinkedIn, it could be anything really, as long as there's some kind of presence on there, because our jobs are very much in, you know, the public eye at the best of times, and it also shows a willingness to put yourself out there. I think it is, you know, to be honest with you, a C.V. that is well laid out and easy to read and actually talks about capabilities, and evidence of those capabilities in past accomplishments etc., rather than purely stating job after job or project after project. Actually, what were the individual impacts that you were able to bring to that? The things that really stick out for me are spelling mistakes. I think the C.V., love it or loathe it, is still, you know, the single most important document for getting work in any industry. So you need to put some care into it, and you need to present it well. It needs to be in an easy-to-read font, you know, that sort of thing, so anything that helps make it stand out for all the right reasons, rather than the wrong reasons.
CAN A CANDIDATE MOVE INTO THIS ROLE AT ANY TIME IN THEIR CAREER, OR SHOULD IT BE THE GOAL FROM THE OUTSET?
Yeah, I think people can move into this industry at any point in their lives. I think, you know, transferable skills alone are something that can be used. If you're a student of psychology for instance, and you decided that academia is not for you, well actually you'd probably make quite a good auditor, because you can actually use some of those psychological skills to work out, you know, and find out evidence and analyse evidence and how it has been presented to you. I think again, it's not what, it's not always about the technical skills, it's about the passion. So you know, I always say that we can teach technical skills, that's not an issue at all, but what we can't teach is the passion, and the values and the culture as it were. You need people to come in who really want to do this. I've witnessed, you know, multiple people, you know, thinking of one in particular, who I met through Twitter, who was working self-employed in a retail environment. And just through his spare time, and, you know, the kindness of strangers on Twitter as it were, has actually, you know, now progressed into a very highly respected security researcher and has got, you know, a good paid job out of it, and that's over a period of, you know, five years. But this individual has just decided that, you know, it's what they want to do. They have numerous skills, they're willing to learn, they're passionate, they're vocal and they're engaging with the community. So actually it doesn't matter whether you're, you know, 18 or 80 to a certain extent. If you're willing, able and capable to demonstrate that passion, demonstrate what you can do for the community, then all should be welcomed.
HOW DO YOU ACHIEVE THE BEST INTERESTS OF THE BOARD?
So I think there's a couple of ways of getting engagement from the board and executive leadership. I think the first one is, just forget this notion that information security is about reducing risk by saying no to everything. It's an old-school approach; yes you can reduce risk by saying no to everything, but you're also squashing business fluidity and flexibility. You're creating shadow IT and shadow security as a result of it, which is stuff you just don't know anything about, which is an even greater risk than saying yes to something in the first place. I think the role of the CISO, and the role of the security group, is to help the business do more, sell more, be able to hit the market with more product, or, you know, a broader range of skills or whatever, you know, maintain shareholder value, increase shareholder value. That's the core business of a CISO, but by doing so through the judicious use of information security. So you can start to engage your board by talking about risk profiles. What is the board, what is the business willing to accept from a risk perspective? It's not for security to say what you can and can’t do. It's for the business to say what you can and can’t do. Just because something is a high security risk doesn't mean it's a bad business idea; it could be a very valid business move to continue anyway. I think the other way as well is to start communicating with the executive leadership etc. in a way that means something to them. More often than not, that's financial. I think, you know, as they become more aware of the impact of security breaches around the world, if you can translate some of your own incidents or translate some of your own investments into financial returns, or financial opportunity costs, or financial fines etc., then you can actually start talking to them about the value that you bring to the business, and so it's a two-way street, you know; they’re being made more aware of these things through the media and we need to bring things to them in a way that makes sense to them.
HOW BEST CAN SOMEONE WITHIN THE INDUSTRY EDUCATE AND INFORM THOSE FROM OUTSIDE THE SECTOR?
I think the role of individuals within the info-sec communities is really important in sharing the key messages as to who we are, what we do, you know, how we operate. Actually, how open we are to getting people with different skills, different, you know, career stages, the transferable skills we spoke about etc. It's down to all of us to do that, you know, we have to volunteer our time for this. This could be through conferences, it could be through engagement with schools. There's various info-sec bodies out there which help info-sec professionals to talk about security in schools, and then, you know, talk about the importance of it etc. We need to, rather than just talking in security conferences, let’s start pitching ideas to, you know, finance conferences, or to HR conferences, or to legal conferences; there's so many crossover subjects that we can get involved in and start talking about. I think we often get stuck in our own echo chamber, just shouting the same thing to the same people expecting, you know, changes to be made, when we actually should be engaging in a far broader manner, and that's down to everybody, you know. Be that, you know, shouting on Twitter or, you know, shouting at a conference, we all need to do that in our own individual ways.
For a long time Cyber Security and business Marketing teams have firmly stayed in their own corners, and rarely would the two meet. Finally, marketers are realising that this is a lost opportunity, and that for real marketing headway to be made, they need to enter a dialogue with the cyber security professionals to build and boost their brand.
A recent Harvard Business Review article has explained why this marrying of minds is essential in current business practice. Whilst previously cyber security was held to be successful only if you never heard about it (you were only alerted to its presence when there was a security breach), it’s now becoming imperative to place Cyber Security firmly on the marketing agenda.
Marketing and Cyber Security – The Past
In the past few decades, particularly in the retail industry, cyber security experts have done their job well if no one even knew they existed. With it being a relatively new and ever-changing priority, success was measured by how well you could keep your business secure without anyone glancing up in your direction. Board members were only really interested in cyber security when there was a problem, not as a matter of board-level importance prior to those problems occurring. Delivering quietly and unassumingly was the aim.
Marketing and Cyber Security – What’s Changed
Every single business, whatever its purpose, has a web presence that was simply unheard of previously. This is particularly notable in the retail industry. Competition is fierce, expert marketing is essential, and consumers now have knowledge and fear of cyber security threats. It is no longer enough to quietly state that your business is cyber secure. Rather, you need to actively entice your customers and consumers based on your assurance that they, and their data, are safe with you.
In order to make this happen, businesses require a much more visible cyber security presence. Beyond the cyber security presence is the fundamental need to protect and promote your cyber security reputation.
This results in it being “time for marketers to recognise the inextricable link cybersecurity has with brand reputation and success”. It’s time to actively promote the brand, and your trustworthiness, through cyber security presence.
The Marketing Opportunity of Cyber Security
If marketers can build trust in the business through assurance of all matters pertaining to cyber security then you can ultimately drive sales. Your brand becomes one to trust in a climate of mistrust. The only way you can do this is by making the cyber security presence felt. This might be through mail shots to customers that your security systems have been updated, or the placement of an image within key parts of your eCommerce site, or perhaps by adding in additional authentication steps.
All of this must be done in dialogue between the marketing and cyber security teams. It is essential for the brand to balance ease and reassurance for the consumer against any additional ‘hassle’ it may incur. Of course, we want the hackers to be put off from attempting access to our consumers by the difficulties we create, but not at the expense of alienating consumers with lengthy processes.
Marketing Sense, Cyber Security Sense
In reality it will become obvious that these two different specialisms become even stronger when united. Both teams operate most successfully when they have access to the most reputable data. Cyber Security specialists are professionals at collecting that data. Marketers can benefit as a by-product.
The converse of this is also true. If the marketer attempts to harvest data without due heed to cyber security then they are creating a weakness that will damage their own reputation. Marketers in 2016 and beyond need to be highly aware of current information security threats.
When It Goes Wrong
Finally, marketers are starting to realise that even when things do go wrong, and there is a cyber security breach, it’s a marketing opportunity. When things go wrong with cyber security it can severely damage the brand’s reputation. In the current marketplace it doesn’t take much for loyalty to be lost and your hard-earned consumers’ trust to be placed elsewhere.
However, if there has been a cyber security breach and you can demonstrate that you mitigated its damage and responded immediately and with success, then you stand to further build your brand’s reputation and, with it, customer loyalty. If you handle the breach well by addressing all legal, privacy and trust issues in a way that serves to reinforce your consumers’ relationship with your brand, then this can be hailed a marketing success.
Marketing and Cyber Security – The Future
Whilst boards are now recognising the importance of both of these specialisms, it is the ones who are harnessing their collective power that are proving to be the successful brands of the future. Looking at success stories such as Amazon 1-Click, where cyber security and marketing join together, it’s possible to see how the future of cyber security and its marketing presence will look.