Can we predict the future of security? Yes and no, says UK security futurist David Lacey, speaking at the first Australian CSO Perspectives Roadshow in Canberra.
Lacey says that there are actually many things we already know, and many trends that enable us to get a good idea of what the future will look like. It’s getting the timing right that can prove difficult, he says.
Bill Gates once made the point that people often overestimate what’s going to happen in the next two years, but underestimate what’s going to happen in the next 10. “He was absolutely right,” says Lacey.
“We know technology is getting faster, smaller and more numerous. We also have a pretty good idea about what the impact of major infrastructure changes are likely to be. Professors of urban planning have been looking at what the impact of changes like roads and water will be, for years – the Internet is just another one.”
He suggests that by gathering together experts from the right blend of disciplines such as a lawyer, a scientist, a technologist, a security expert and so on – with the right expertise – and by taking into account all the different trends and influences and blockers, you can actually get a pretty good idea of the future.
So what about security? Well, right now, he points out, we’re only at the very start of a move away from the kinds of industrial age, standardised organisations that have been designed around mass production.
“In these organisations you can have very strict rules, all you need to do is have a very big set of rules and laws, create a perimeter around it, and you’ve got a secure organisation. The organisation of the future will be enabled by networks with very soft internal rules and relationships – very soft policies because it’s constantly changing. It’s constantly creating new relationships, new products, it’s moving very fast, so it’s very outward looking. It will be an entirely different organisation where the emphasis is on flows of information and relationships, not on fixed assets.”
To put security around those relationships and information flows, security will need to change. “With a hyper-connected world, we’re only beginning to see what the impact might be. All of the major power in the world, all of the major assets are in data. It’s a long term trend and we’re already seeing the start of this, the new battle ground of cyber espionage and warfare.” So networks are the most important thing, he says.
“As we move forward,” says Lacey, “the value will actually be in the flows of information, not in the data assets you have. Communicating it, exploiting it faster than other people – the value is in the flows, so putting walls around everything, firewalls isn’t going to stop that problem.”
Like clinking champagne glasses at a toast, when the number of people increases, the number of relationships in the network grows exponentially. So networks are becoming the enablers of all kinds of things such as sharing, commerce, espionage, collaboration and communication. He describes how over time, these changing networks and relationships erode institutional authority.
“There are less vertical command lines, and more people networking externally. We’re losing control of our organisations. Power is shifting more into the hands of the workforce, as with Snowden,” he points out.
“This will not go away, it has been building for a long time, as we get more network, more systems, more databases centralised, greater privileges, more powerful tools. We’re going to have to live with people having enormous power, enormous reach, we can’t turn the clock back.”
He also predicts that threats will become more serious. People will have greater knowledge, and there’s a greater potential for collaboration in networks, so we are going to see more and more professional threats, and we’re already behind.
“Our cyber defences are currently a decade out of date – at least. Whatever you have in place, whatever you think is the accepted industry standard is not good enough for today’s world or any of the attacks we’ve seen in the last few years – so it’s certainly not good enough for the future.”
On outsourcing he’s resigned. “We’ll see increasing externalisation. Activities [work] will go to the cheapest place – we’ve seen a lot of outsourcing over recent years. It doesn’t work, but we’re stuck with it, it’s the way the world is because of short-term gain.”
And BYOD is just the beginning of infrastructure security challenges. “We’ve got a situation with mobile devices. The users have left the building and applications are following them. Apps are going into the cloud. We won’t actually need private infrastructure in the future, people will be able to use public infrastructure, if we can secure it,” he concludes.
So how are we going to trust things, let alone control things?
Controlling things, he says, might have worked in the past, but we won’t be able to do this in the future. “We’re just going to have to learn to live with that. We’re going to have to trust people and verify that trust.”
And this brought him to information itself. He says information has three major components: availability, confidentiality, and integrity. “The first thing that business ever cared about, was continuity, most of the focus organisations had was on disaster recovery. Availability we’ve dealt with, but nobody cared about confidentiality. You couldn’t sell laptops with encryption. But then we had a few major data breaches and we realised losing the data was much worse. Now nobody is addressing integrity. Integrity is where confidentiality was 10 years ago.
“If you think it’s bad when somebody steals the data, just wait till somebody changes it – then you’re out of business forever. Networks tend to make these things worse – can you trust data? That’s the world we’re heading for.”
With all the things predicted that security practitioners don't like, such as mobility, externalisation, globalisation, abstraction, complexity, diversity, acceleration and volatility, how is such a future going to be possible?
Legacy is the barrier, Lacey says. New security skills will need to emerge, and we’ll need security-enabling technologies. We’ll need to focus less on safeguarding our internal infrastructure and more on external supply chains, and less on backwards-facing audit and more on the now, with controls giving way to relationships and persuasion.
The answers, he concludes, could probably come from sources of inspiration such as nature, which has been managing complex situations for a long time.