CISOs are also bracing themselves for further disruptors likely to have a (largely positive) impact on cyber security.
Artificial intelligence (AI) has broad possibilities: from building on basic robotic process automation (RPA), to sophisticated machine learning (ML) and analytics, covering increasingly large data sets, interacting ever more frequently with people and core corporate processes.
The new connected world has broken down traditional perimeters, with multiple parties accessing organizations’ data and systems, from anywhere in the world. Add in 5G, edge computing and millions of IoT devices, and cyber security becomes incredibly complex using conventional security approaches. In this environment, the concept of zero trust or Secure Access Service Edge may provide a basis for future security models, founded as they are on the assumption that no one inside or outside the network can be automatically trusted and must prove their identity and access rights before accessing key resources.
“Organizations’ capacity to defend themselves, both internally and externally, has become table stakes — although today it is still frequently talked about like an innovative differentiator. The winners will employ AI, advanced machine learning and cyber tools; not just reacting to threat actors, but proactively taking to cyber space to fight them.”
Addressing the challenge
We’re used to computers operating in predictable and deterministic ways, with security reviewing fixed algorithms and code. But the growth in machine learning (ML) is posing new questions: How has the ML algorithm been trained and what biases have been introduced? How can we supervise its behavior to ensure it’s operating within parameters? How could it be manipulated by an adversarial AI technique and what would the consequences be? This is a new and immature field, requiring a blend of data science, security and ethics skills.
Addressing data nationalization
The democratization of data was meant to remove all boundaries. But as the monetized value of data rises, expect a return to nationalization, as GSK SVP and CISO Matthew McCormack explains: “We will start to see national fences popping up, with countries setting guardrails to protect citizens’ privacy. This makes life harder for security professionals who have to meet newer and tougher regulations on use of data from multiple parts of the world, and may result in companies moving away from flat, global networks to rebuild national castles.”
Embracing zero trust
Zero trust is about knowing where your data is and taking control of access to that data, with strong identity management, advanced analytics and a device inventory. Organizations can learn to better detect unusual behavior and prevent communication with unauthorized apps, servers and accounts.
This kind of thinking can lead, in the words of Darran Rolls, IAM market and technology specialist with over 25 years’ experience as a CTO and CISO, to “Smarter clouds and dumber endpoints, with the endpoints merely offering browser sessions to (hopefully) smarter integrated cloud services.” In such a world, notions such as bring your own device become outdated, as organizations seek greater visibility over network access.
Zero trust and SASE are not just for the security team — they should also apply to those building code and developing infrastructure.
“One mustn’t forget that zero trust is an idea, not a technology. Too many companies view it as a finite project, but it’s not. It’s a mind shift, an ongoing philosophy with no beginning and no end.”
Data is the future
Securing data now matters more than securing end points, and companies must accept that many individuals and organizations access their data through a variety of channels. Zero trust and SASE help manage this complex mesh of rights, while major cloud providers increasingly establish secure collaboration environments to enable this new ecosystem, backed by federated identity and access management models.
Data handling policies will only become more complex as privacy regulation develops, and the rights of data subjects become clearer, while nations also assert their right to control their citizens’ data within or beyond national boundaries. This places a premium on meta-data accuracy — and on control of access by applying increasingly sophisticated policy rules based on that meta-data.
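As an added illustration of the zero trust building blocks described under “Embracing zero trust” (identity, device inventory, default deny) combined with the metadata-driven access rules and data residency constraints in the paragraph above. This is example code written for this page, not from the report; the inventory, catalogue, field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed sample device inventory: only devices the organization knows about
# can ever be allowed, and each record says whether the device is managed and compliant.
DEVICE_INVENTORY: Dict[str, dict] = {
    "lap-0421": {"owner": "alice", "managed": True, "compliant": True},
    "byod-77": {"owner": "bob", "managed": False, "compliant": False},
}

# Constructed data catalogue: the metadata that drives policy, including classification
# and the country whose rules govern where the data may be accessed from.
DATA_CATALOGUE: Dict[str, dict] = {
    "hr/payroll-de.csv": {"classification": "restricted", "residency": "DE", "owners": {"hr"}},
    "sales/forecast.xlsx": {"classification": "internal", "residency": "GLOBAL", "owners": {"sales", "finance"}},
}

@dataclass
class AccessRequest:
    user: str
    groups: Set[str]
    device_id: str
    location: str   # country code the request originates from (assumed attribute)
    resource: str

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide one request. Nothing is trusted by default: every check must pass."""
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or device["owner"] != req.user:
        return False, "device not in inventory for this user"
    meta = DATA_CATALOGUE.get(req.resource)
    if meta is None:
        # Unknown data has no metadata to reason about, so the only safe answer is deny.
        return False, "resource has no metadata; default deny"
    if meta["classification"] == "restricted" and not (device["managed"] and device["compliant"]):
        return False, "restricted data requires a managed, compliant device"
    if meta["residency"] != "GLOBAL" and req.location != meta["residency"]:
        return False, "data may only be accessed from %s" % meta["residency"]
    if not (req.groups & meta["owners"]):
        return False, "user is not in an owning group for this data"
    return True, "allowed"
```

Changing a catalogue entry’s residency or classification changes the decision without touching any code, which is the point of keeping access rules bound to accurate metadata.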
These access rules will also interact with machine learning systems to control how they interpret base data. This calls for sophisticated supervision of ML, as part of a wider extension of information governance within organizations, as the role of the CDO expands.