Information Security now demands a greater authority in a world where cybercriminals will exploit the use of Artificial Intelligence (AI) and Machine Learning (ML) to attack systems and applications, phishing attacks will intensify and become more complex, fileless malwares and other Advanced Volatile Threats (AVTs) will increase, attackers will try to use the weak human link to gain a backdoor entry, IOT devices will be hijacked and used for distributed denial-of-service (DDoS) attacks & ransomware attacks and above all Crypto-Currencies will play a critical role in facilitating planned cyberattacks. More recently, most of the multi-national companies have assured that their Chief Information Security Officer (CISO) does not report to the Chief Information Officer (CIO), instead directly reports to the Chief Executive Officer (CEO).
As expected, the position of a CISO has risen in the organizational hierarchy to the inner echelon of the C-suite, giving the CISO top-level authority and visibility within the business. Changes don’t end there. Various roles will now report to the CISO. The Head of Cyber-Security, Head of Information Security Emergency Operations & Incident Management, Head of Security Engineering & Asset Management and the Project Management Office for Information Security will now directly report to the CISO. That doesn’t guarantee 100 percent autonomy since many other positions such as Physical Security, Facility Management, and few other functions need to coordinate extensively with the CISO. However other critical factors such as CISO’s ability to propose a budget and justify it at the topmost level and the ability to make decisions independently will be boosted with this new change. We all know that this change was imminent, considering recent developments in technology, AI and its subsets, Internet Of Things (IoT) and the global landscape of threats to Information Security Management System (ISMS).
Governance and compliance will have a key role in the future as privacy and data protection laws intensify. European Union's (EU) Global Data Protection Regulation (EU GDPR) is expected to come into effect in 2018 and it will transform how businesses approach compliance and data security. CISOs, Governance Heads, and Compliance Heads have a major role in facilitating a smooth implementation of the GDPR for the concerned entities or if required enabling absolute compliance with the GDPR.
Unlike the common misconception that Information Security is an IT issue, Security is actually a topic that must be addressed by the entire company and not just the IT or the ISEC department. Many forget that CISO's job is not to protect IT - a CISO's job is to protect the very business itself. This also means that a stricter regulatory framework with more emphasis on accountability and liability from all stakeholders in a business entity is mandatory for an effective implementation of ISMS regulations and policies.
As we continue to churn more data and work on new technologies and as organizations continue to store data and adopt these technologies, threats will grow in both volume and complexity. It should also be noted that unpredicted emergence of lethal variations in malware, ransomware, trojans, and worms, will radically change the existing approach to mitigate threats in a typical information security landscape. Ransomware attacks like Wannacry will be more targeted and less haphazard in the future. On the other hand, IOT will lead to a sharp rise in DDoS and Advanced Persistent Threats (APTs). Information Security and Cyber Security will have to implement AI subsets such as Machine Learning (ML), Deep Learning (DL) and User Behavior Analytics (UBA) to counterattack enormous threats that arise while defending information and especially at a time when IOT interconnects multiple devices in the coming years.
Mobile Security is one area which many global entities often forget or even ignore. Few organizations have stricter guidelines and defense mechanisms to protect their interests on the corporate mobile-phone. Forget operating systems or application platforms, many organizations now realize that they have little control over the most basic features that an Android or an IOS would host. This makes us reflect on the German terms Datensparsamkeit and Datenvermeidung which mean data reduction and date economy roughly, although a clear English equivalent for these two terms does not exist. In brief, these two words say that we should only handle data that we really need and avoid unnecessary storage and processing of data. This holds true for mobile security too since it is much easier to hack most of the mobile devices and apart from that, forums like Whatsapp and Skype are often abused by users who do not adhere to their terms and conditions of usage.
We expect a lot of changes in the coming decades that include the end or ‘death’ of passwords. Passwords will soon be replaced by much-advanced authentication techniques such as biometrics or voice recognition. Overall, we expect stronger Information Security Management System than ever before. As protection tools are becoming better, the Internet is likely to become more secure, the costs of backup and redundancy are likely to fall sharply, and cryptographic methods are likely to spread. This does not rule out the possibility of lethal attacks and new variations in attack vectors. It’s high time that organizations realize that while the long-term information security environment is likely to become better in obvious ways, it is likely to worsen in subtle ways due to technology and vested interests. The key to understanding this phenomenon lies with, how tomorrow's information systems are going to be used. This calls for an active participation in Information Security Management System activities right from the top to the very bottom of an organization.