The State of IT Security in 2019

What can we expect to see in the future, from a rapidly changing IT security landscape? We ask our expert panelists Andy Burston, William Brennan and Sascha Giese for their thoughts

In today’s modern world, the blurred edges between the physical and digital domains means that cyber security is quickly finding itself at the forefront of the global conscience. As British mathematician Clive Humby opined last decade, if ‘data is the new oil’ then the protection of that data becomes a sovereignty imperative transcending from the national level through to individual citizens.
    
Andy Burston, our panellist from ISSA UK, says that rather than using an oil comparison, data is actually like sunlight - it will not run out anytime soon. If handled well then we greatly benefit, if handled poorly or we ignore it, we burn.

After 2017’s headlines on how the NHS was affected by the WannaCry ransomware, the public sector has been relatively quiet in terms of the changing IT security landscape. However, the lack of a specific targeted attack against the public sector causing this kind of widespread disruption in 2018 should not be cause for complacency.
    
The same automated tools developed to assist digital purging will lend themselves to a number of alternative applications including a police service looking to solve long standing missing person cases by contrasting the photograph of many years ago to the masses of data online today. Or perhaps a health authority seeking to recognise the tell-tale symptoms of disease and ill health in a single individual across as many sources of bulk digital evidence as possible.

Andy suggests that this enables the broader ethical approach to data retention. The more options made available to an individual in respect of just how much they ‘opt in’ and how accurately their data is retained and presented, then the more confidence others will have in the security and data protection approach of the organisation concerned.

Bill Brennan of Leidos says that, when considering what we can expect to see in cyber security’s future, the challenges are extensive but the requirements coalesce into a few critical areas. Sascha Giese is in complete agreement, claiming that there is no question that the threat landscape is diversifying and changing as public sector security teams and hackers face off in an ongoing race against each other. Giese also points out that it is not just the threats that are diversifying, but also the angles of attack.

As we move to an always-on, always accessible digital culture, attackers no longer have to lie in wait, watching for an opportunity. Research shows that the cyber attack surface is ever growing with the advent of the Internet of Things and its 31 billion devices projected by 2020. You only have to read our second Panel of Experts discussion in September with Gabe Chomic, Simon Daykin and Paul Parker to be reminded that, while IoT is a natural evolution of our technology enabled and connected world, it also poses a security risk. This is part of the dichotomy of moving to the cloud. On the one hand, the cloud offers a standardised approach that is easier to manage. On the other, adopting cloud infrastructure puts control of the physical and network access in the hands of a third-party provider. This means that tremendous quantities of data are made readily available in computers no longer protected by an organisation’s own security infrastructure. While the cost, speed, and functionality benefits of adopting cloud computing are irrefutable, data-centric cyber security has to be a key strategic element.  

Many of these devices were never engineered with security in mind but instead the priority was put on connectivity and functionality. This provides bad actors ready access to control everything from cameras, to automated doors and locks through security systems from the safety of their home locations. As more devices become Internet connected it is imperative that our cyber security solutions protect these devices without impeding the functionality they are intended to deliver. While security is regularly seen as a binary, all or nothing endeavour, the modern solutions must recognise and balance risk effectively.

Then we must consider how well directives are followed. Sascha highlights how people seem less engaged with critically considering the security implications of new infrastructure; when organisations receive a directive to adopt the cloud, for example, it can be difficult for individuals to feel confident and enabled to disagree or challenge the decision from a security perspective.

A big part of this is the need for general awareness, throughout public sector organisations. These days people expect there to be physical security when you’re at a train station, and it can be useful to apply a similar level of vigilance to IT threat awareness in public sector security. IT users might not know how a cloud works, and they don’t need to, they just need to ensure that it is secured.

Bill Brennan emphasises that there is a worldwide dearth of cyber professionals, with a projected shortfall of over two million openings worldwide by the end of the decade. This is also complicated by a dramatic lack of diversity in the cyber security workforce which further shrinks the workforce capacity. Without significant increases in the global workforce this shortfall will further compound the challenges of securing IT devices.

Planning to educate end users about security matters is a task that IT should be devoting the same level of preparation to as, for example, planning to secure operating systems. Sascha and SolarWinds establish three steps public sector organisations can take, in the defence space and beyond, to be more prepared for whatever IT security threats emerge in 2019: root out vulnerabilities; keep your security procedures checked and up to date; and embrace a range of defences.

The watchword for 2019 is very much vigilance when it comes to the changing IT security landscape. As threats diversify and cyber criminals get smarter in their targeted assaults, it will be all down to ongoing preparation to be able to withstand any attack. Leidos suggest that the solutions to the future challenges in cybersecurity will be found in achieving visibility and by optimising the human/machine interaction. As Bill says, ‘you cannot protect what you cannot see and you cannot control what you cannot track’. Future success will be dependent on finding secure ways to protect the devices holding and processing organisational data. Additionally, a keen understanding and execution of data governance, understanding what data is and its importance/risk to the organisation, separate successful organisations from their peers.

Final thoughts

Andy Burston, ISSA UK

Andy Burston is a member and advocate of the Information Systems Security Association UK, a registered charity and membership body to help others further their career and to ensure that providers have a safe environment to collaborate and share ideas.

Final thoughts: “Innovation and fresh thinking are key for the cyber security industry to maintain their competitive advantage. However, the security future in the next five to 10 years will be just as much a change of mind-set as technology.

"Organisations will increasingly carefully consider their behaviours and responsibility to data long after the noise surrounding high profile breaches die down. Consumers cannot assume that the mere adoption of technology or services makes them any more secure than previously thought without first taking the appropriate steps to identify what personally and corporately matters most.”

William Brennan, Leidos

In this role as senior director, William uses his 15 years of experience in cyber security to protect Leidos Corporation and support the cyber goals of clients around the world.

Final thoughts: “In the near future the reliance on machines for automated cyber defence must exponentially increase; this is not to downplay the importance of humans but instead underlines their key role in success. The advent of modern SOAR (security orchestration, automation, and response) technologies will change the role of humans from operators of machines to curators of actions.
The closer integration of machine learning and eventually artificial intelligence into cyber defence will require humans who can not only do the action themselves but teach a machine how to make the decision to take that action automatically in the future.”

Sascha Giese, Solar Winds

Sascha Giese holds various technical certifications and has more than 10 years of technical IT experience, four of which have been as a senior pre-sales engineer at SolarWinds.

Final thoughts: “As the IT security landscape changes, the main challenges will be awareness and user education. Remaining vigilant and prioritising training to meet new and emerging threats is a useful first step.

"On top of this, investment in the right range of IT security tools such as automated patch management, device tracking, network monitoring, and firewalls can help public sector organisations be ready for whatever 2019 may bring.”