This year has been a tumultuous year of paradigm shifts and changes on a global scale affecting all nations and people regardless of race, creed or religion.
The COVID-19 pandemic brought out vulnerabilities in a lot of areas and governments, organisations, businesses and individuals have been forced to refocus and reprioritise where they spend their time, efforts and money.
COVID-19 refocused security teams on the value of cloud delivered security and operational tools that don’t require a LAN connection to function, reviewing remote access policies and tools, migration to cloud data centres, and securing new digitisation efforts to minimise person-to-person interactions as travel restrictions and social distancing became the norm.
Without the internet of things, we wouldn’t have edge computing; without privacy concerns, we wouldn’t have such strong legislation growth.
Here are some challenges:
Automation
Moore’s Law about technology’s acceleration rate may be nearing its end—but a subset of the maxim will continue to apply to IT security teams.
The complexity and volume of firewall rules and policy are but one example: Nearly one-third of people surveyed for Cybersecurity Trends Inc have more than 10 firewalls on their network, up from 26 per cent in 2018.
Security operations (SecOps) teams are managing this complexity by bringing on more vendors and types of firewalls—in fact, juggling these is the third-most-cited challenge in firewall management, according to the report.
Between growing security threats, robotic process automation and the continued dearth of skilled workers, automation may be less a cybersecurity trend than a necessity.
Transparency will continue to grow in importance
Consumers’ awareness of privacy and security issues is growing—most notably with data breaches, but also with how companies use their personal data.
Couple that with legislation such as the European Union’s General Data Protection Regulation (GDPR) and closer to home, New Zealand’s Privacy Act 2020 (wef 1st December 2020), and security professionals’ obligation expands beyond their clients to the public at large.
Communication about best practices may play an increasingly important role in this cybersecurity trend. Security professionals will have an ever-greater responsibility to liaise with all divisions of their organisations to ensure that cybersecurity is unilaterally understood to be more than simply the territory of the IT department. It should be a standard practice and not something reserved for emergencies like data breaches.
I typically use the analogy of a medical scenario where during emergencies you’ll call in the experts – ambulances and doctors, but everyone should know the basics of First Aid and be responsible for their own personal health on a daily basis.
Similarly cybersecurity awareness including online privacy should be a basic level of aptitude before an individual goes online or uses a corporate network – even for basic email.
Children are dependent on their parents or guardians for this – health, privacy and now basic cybersecurity. While the education system provides some guidance and safeguards at school, it is the responsibility of parents and guardians to safeguard their children’s welfare, health and safety in both the physical and cyber worlds.
Security challenges presented by artificial intelligence will intensify
One of Gartner’s 2020 technology trends, AI security may be a cybersecurity trend, but it’s more than that—it’s a fundamental challenge even a paradigm shift in cybersecurity.
It’s not simply a matter of protecting AI systems and using the technology as a method of security; it’s also about staying ahead of attackers’ own use of AI.
Using their own cyber trends like training-data poisoning, model theft and adversarial samples, attackers are becoming more sophisticated in manipulating AI systems.
With adversarial samples, for example, attackers can alter data to cause an AI classifier to misclassify it, and they do it with such delicacy that human observers can’t spot the change.
These sorts of attackers make automation all the more essential to AI security, particularly as it frees up human labour to work on the more nuanced attack scenarios that require critical thinking and the human element of, dare I say it – deviousness.
Edge computing will further complicate security issues
Data is on the edge—literally, in the case of the cybersecurity trend of edge computing, which processes data closer to the geographic area where it’s needed as opposed to a centralised location.
It exemplifies the tension between security and development: Edge computing’s agility brings new vulnerabilities. By definition, edge computing expands data’s surface area, so its attack surface is also increased.
Threat intelligence will become more actionable
The core result of security orchestration, automation and response programs – threat intelligence, provides the information security teams act upon. Problems arise when sheer volume can prevent threat intelligence from being used, well, intelligently.
SecOps teams’ true challenge is to discriminate among potential threats to root out the real problems—impossible with the abundance of data.
While 80 per cent of respondents to a recent survey from the SANS Institute say threat intelligence has improved their security response, most organisations still rely on manual or semi-automated processes.
Leveraging the possibilities of automation makes the most out of the glut of data, all in real time. In this landscape, upgrading to automated tools that allow for validating and contextualising threat intelligence will be one of the cybersecurity challenges of 2020 and beyond.
Cloud security issues
Enormous amounts of data and virtually all business processes along with infrastructure have moved to the cloud, especially for multinational, multi-office/ branch corporations.
This makes cloud protection a major challenge in the cybersecurity industry as the number of cloud-related threats and cyber attacks continue to grow as cyber criminals will follow the data – that’s where the money’s at!.
SMBs and corporations are all at risk of data breaches mostly due to poorly secured data and unauthorised services and applications that end-users can easily install, subverting all the effort and expense in securing the core in the cloud.
Cloud services from Amazon, Google and others don’t mitigate the situation. Solutions from these and other companies are not protected from attacks on the client end. Meaning that human error, phishing, synchronisation errors are still a threat which cyber attackers are very much aware of.
Cybersecurity skills gap
According to the MIT Technology Review report, there will be about 3.8 million unfulfilled cybersecurity jobs in 2021. Which means it’s expected to grow by 380 per cent.
Put simply, the demand for cybersecurity specialists outstrips supply by several magnitudes.
A major reason to take this cybersecurity trend seriously is to consider the exponentially rising number of threats that security teams have to deal with daily.
I’d like to highlight that women are highly underrepresented in the field of cybersecurity.
In 2019, women’s share in the US cybersecurity field was about 20 per cent, compared with 48 per cent in the general workforce.
The problem is more acute outside the US.
In 2019, women accounted for 10 per cent of the cybersecurity workforce in the Asia- Pacific region, 9 per cent in Africa, 8 per cent in Latin America, 7 per cent in Europe and 5 per cent in the Middle East.
Women are even less well represented in the upper echelons of security leadership.
Only 1 per cent of female internet security workers are in senior management positions.
In my experience, I have found that Internet security requires strategies beyond technical solutions – lateral thinking outside the box.
Women’s representation is important because women tend to offer viewpoints and perspectives that are different from men’s, and these underrepresented perspectives are critical in addressing cyber risks.
Women are also more likely to suggest innovative solutions to cybersecurity challenges regarding children’s online exposure and privacy.
I highlight this with the hope that the appropriate authorities and institutions start addressing this huge gap in cybersecurity skills and gender inequality and the huge potential for future employment and startups in this industry not just in Fiji or the region but globally.
As the digital transformation of governments, organisations and business continues to escalate and evolve and the proliferation of the Internet and IoT devices invades all aspects of our lives, security and privacy need to be addressed and implemented at all levels to ensure the safety, security and freedom of the individual, human rights and even democracy itself.
As the brilliant Albert Einstein once said: “The world as we have created it is a process of our thinking. It cannot be changed without changing our thinking”.
* Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com