How many of us have looked ahead and asked: “What is in the future, and how can we anticipate what’s going to happen?” I am asked that many times as it relates to the future of cyber security.
It is as if there were only one future, but there is not. The fact of the matter is, we are not preparing for just one future; the future is an amalgamation of many future aspects. This big future contains the future of breach, the future of economics, the future of ecosystems, the future of politics, the future of privacy and that list goes on and on.
All of these futures play a role in shaping what the amalgamation of futures looks like. All of these futures are continuously moving, shifting and reshaping, which means we need to be flexible enough to move along with the ebb and flow so that all aspects are covered.
Any change in either of these futures changes their trajectory, and every change has a ripple effect on many other aspects. It is also dependent on which breaches and exposures are reported and their ramifications. These impact the future of personal responsibility as well as tolerance.
With this in mind, it is hard to really anticipate what the future of cyber security is, but easier to anticipate and prepare for any of these shifts that affect the future. With this level of connection, if we lose track of one aspect, then we will lose track of a critical piece that influences the future. Xerox is decomposing all those futures and works internally and externally to address security.
Six things you need to know about the future of cyber security. Xerox CISO Dr Alissa Johnson ?explains.
The future is the IOT
The Internet of things (IOT) is changing cyber security. Not only do we need to think about connectivity in our homes, but also connectivity in our offices; our printers and smart devices are now more connected externally and open us up for network exposures. We can now be potentially thought of as an endpoint and have to protect ourselves from being a conduit into the network.
The IOT is also the largest ecosystem with a diverse set of components, and thus has a tendency to blur the lines between business and personal data. The goal is not to hinder this sort of innovation but protect the data and compartmentalise it to an extent where usage is acceptable as opposed to shadow environments. We accept the fact that users want more functionality and businesses want less shadow IT environments, so the enhancement of IOT security is important.
The future is layered
The future is a dynamic, heterogeneous environment with many layers. Each of these layers plays an important role in maximising the security of the environment.
The first layer is data security. In this layer, we evaluate our data and prioritise it, making our most coveted assets more important over those less meaningful.
Dr Johnson says: “It is hard to really anticipate what the future of cyber security is, but easier to anticipate and prepare for any of these shifts that affect the future.”
Those “most coveted” are usually referred to as crown jewels. A king and queen will have their most prized possessions protected by knights, guards, a moat, and may store them in a highly secure location. Our crown jewels should be protected in the same way. No longer can we provide the same broad brush stroke security policies across all of our data. It is now necessary to classify the data, prioritise the data and ensure that investments are made proportional to the value of the data.
The second layer is application security. Our applications must securely handle the data to prevent leakages and exposures. Applications have essentially become a conduit to carry and process data outside of our typical network boundaries. We must encourage secure coding practices and secure data processing.
The third layer is infrastructure security, which focuses on the hardware. Vendors are always enhancing the security of their products. We must accept those enhancements and integrate them into our operational infrastructures. As a participant in the vendor population and a consumer of goods, Xerox takes a simplified approach. It has partnered with key security vendors to ensure it easily integrates into its customers’ environments.
The last layer is our security processes. This includes processes and policies. The adversary depends on human trust so our policies must protect us. Many times, non- security controls and implementations help to increase the security posture. In this, I am including automation and simplification of our processes, which in turn will have additional benefits with security.
In the end, all of these layers have to be congruent, non-tangential. They have to work together but may not necessarily be presented in a specific order. The goal is to increase harmony in order to influence cohesive security.
The future is governance-driven
Culture should not dictate governance; governance should dictate culture. We cannot accept that an organisational culture can push back on security elements such as two-factor authentication or changing passwords. We have to instead look at what is best governance for an industry, for a company and then teach the culture to be accepting. Educating the culture is key, as security is everyone’s responsibility.
The future is partner-based
As we focus on each part of our layered architecture, we must include our partners. We are in an arms war, which means we need to increase our partnerships and include our partners in our arsenal. Security is really solutions-based as opposed to device specific. A device is a part of a larger infrastructure that integrates with other vendor components. Partnerships are important in ensuring the ease of integration, acceptance of security controls and improving the security posture. It is a team event. The goal is to develop and maintain continuing partnerships to ensure the solutions are more secure and not just the individual components.
Xerox works with compliance-testing organisations and security industry leaders, such as McAfee and Cisco, to enhance and protect devices with the latest security standards. These leaders also help with integrating into our customers’ security architecture and enhancing protections within their environment.
The future is cognitive
Cognitive processes increase our ability to allow machine learning to enhance security. Right now, we allow engines to analyse data, thus the large focus on data analytics and synthesis. The future extends that in allowing the engines to react and respond based on learning baseline infrastructure behaviour. This may be an interesting way to address the shortage of cyber security talent. The more processes that we have to react and address lower level tasks, the more we can allow human interaction to be focused on higher level, higher risk processes and procedures. That’s evolution; that’s cognitive security.
The future is exciting
It is our responsibility to ensure we continue with a partner-based strategy. We are more prepared as a community than we will be individually. As we continue to grow, collaborate and sharpen our solutions, we will continue to create synergies, we will shift, and we will grow.
The reality is we can’t stop the adversary, and we will never be bulletproof, but the strategy is to make it so difficult and so expensive for the adversary to compromise, that they will move on. Time is money; thus, time is valuable, and everything is a moving target.
If we look at the game of basketball, in the most basic explanation, the goal is to score more points than the opponent by shooting the ball into the hoop. Now, if we changed the target and have the hoop constantly moving in a circular motion, we have increased the complexity and, in essence, changed the game. This is what we, as a technology company, try to constantly do. We are changing the game of print, and we are changing it with increased print security.