Security leaders predict next year’s top trends, challenges and risks, with technical debt, credential stuffing and access control all highlighted. As we prepare to enter the third decade of the 21st century, Infosecurity Europe, Europe’s number one information security event, has once again asked its community of C-level security professionals what they think the year ahead has in store. The list includes a range of challenges, opportunities, and broader trends across technology, business and the world.
Many of the CISOs highlighted the risks presented by emerging technologies that are expected to become more widely adopted in 2020. Deloitte cyber risk partner, Peter Gooch, says: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organisations to adapt rapidly to changing attack tactics. Where it is done poorly, it will be more complicated to unpick.
“There will be a drive for more transparency when contracting for cloud services, with vendors required to expose more data and events for consumption by SIEM tools, and to evidence security practices and capabilities closer to real-time. Hackers are increasingly targeting unstructured data to hide and launch attacks, so the priority is to implement robust governance.
“More than 100 companies worldwide will begin testing private 5G by the end of 2020, which could increase the attack surface, making data flows harder to follow and the job of those responsible for securing them more challenging.”
Mark D. Nicholls, Head of Information Security & Governance at housing association, Peabody, flags up vulnerabilities with AI and IoT. “Machine learning has established itself in 2019, and we will begin to move to true AI in 2020, but one must remember whatever can be used for good can also be used by the criminals. Imagine a DDOS attack powered by true AI,” he warns.
“As consumers strive for a smarter, more connected world we will see more attacks targeting connected devices as a means to an end. This is not new, but the attack surface will get bigger. We must continue to educate to ensure humans are our strongest line of defence.”
The attack vectors most likely to take centre stage in 2020 were another common theme. Becky Pinkard, CISO at award-winning bank, Aldermore, expects to see more attacks due to technical debt. “In the bid to keep pace with consumer demand and technology capabilities, industry is borrowing more technical debt than it’s repaying. I think we’ll see more headlines about successful attacks due to this growing debt and the associated ‘shadow risk’ it creates. The march to open banking in financial services, incorporating APIs, distributed ledger technology and AI in rapid-fire succession, and with a focus on capturing the customer’s attention first, often means security gets de-prioritised on the route to delivery.”
“We’re seeing credential stuffing run rampant, and I wonder if this will escalate as more data and more username and password pairs are out there,” says Troy Hunt, Microsoft Regional Director and Founder of Have I Been Pwned and 2019 and recent Infosecurity Europe Hall of Fame inductee. “Or we might reach a tipping point where organisations decide they need to block some login attempts that have the right username and the right password but are not coming from the right person. In the US, enforcement cases are being brought against ‘corporate victims’ of credential stuffing. It’ll either get worse, or organisations will have to adapt.”
When it comes to the security approaches that will mitigate the risks which dominate in 2020, David Boda, Head of Information Security, Camelot Group believes ‘back to basics’ is best. “A focus on robust and timely access control and patching will still give the biggest reduction in risk for the majority of organisations across all sectors. These are the two areas that vendors, consultants and end user organisations should all be talking about.”
Killian Faughnan, Group CISO of William Hill agrees that access control will be important – particularly in the next-generation workplace. “Access control is difficult to solve without being either too restrictive or too lenient. Given that in 2020, 35% of our workforce will be millennials, we need to find the right balance to enable employees in a way that works for them.”
Some CISOs believe that solutions will come from the industry working more closely together. “I believe we will start to see greater collaboration between security companies, hopefully resulting in greater end to end security capability,” says Mark Nicholls.
On a similar tack, Peter Gooch thinks convergence will be a key trend: “2020 could see a number of high-profile mergers and acquisitions as well as an expansion and formalisation of vendors into a more converged world. This is likely to be similar to the ERP revolution that transformed the way many finance and operations teams function and could mean a more efficient operational model for those in cyber.”
Two topics that were ‘hot’ in 2018/2019 are not front of mind with our CISOs this year. One of these is the skills shortage. “We will continue to talk about it,” says Killian Faughnan, “though I think we may have hit a critical point, and that more companies will begin to recruit from pools of potential security professionals rather than existing ones. It’s easier to teach a developer how to be an application security professional than the other way around.”
There was also less focus on GDPR, probably due to the fact that the regulation and its impact are no longer the unknown they once were. Paul Watts, CISO, Dominos Pizza UK and Ireland, has observed signs of ‘breach apathy’ and wonders whether 2020 will see a continuation of this trend. “While this could be attributed in part to political distractions, I do think industry seems to be reporting more, but are the public caring less? I’m still reflecting on whether this is a blessing or a curse for CISOs as we move into the next decade…”
One question that is often pondered at this time of year is whether we’re about to see the ‘mega breach’ that will put high profile incidents like Equifax’s in the shade. “One thing we can never know is: will there be a crazy data breach that turns the world on its head again?”, asks Troy Hunt. “If we see another incident like Ashley Madison or Equifax, which had a massive and serious impact across tens of millions of people’s lives, this will be a headline-grabber that sticks around for some time. But these things are enormously hard to predict.”
Nicole Mills, Senior Exhibition Director at Infosecurity Group says: “2020 will see the continuation of some long-standing trends, challenges and security risks. For example, a number of technologies that have been talked about for some time will become more widely adopted, and we need to be ready to implement, use and protect these in an appropriate way.
“There was less emphasis on the skills shortage and GDPR in our CISOs’ predictions this year, but we do need to remember that these challenges haven’t gone away. The ‘talent gap’ is still growing, and we need to continue working together as an industry to find solutions. And while GDPR is not the burning issue it was last year, organisations can’t rest on their laurels. If they’re compliant they need to work to stay compliant. It’s not just the fines, keep top of mind that brand and reputation that can take years to redress.”
Infosecurity Europe, now in its 25th year, takes place at Olympia, Hammersmith, London, from 2-4 June 2020. It attracts over 19,500 unique information security professionals attending from every segment of the industry, as well as 400+ exhibitors showcasing their products and services, industry analysts, worldwide press and policy experts. More than 200 industry speakers are lined up to take part in the free-to-attend conference, seminar and workshop programme.