Richmond, Surrey, UK, 28 November 2022: The global political unrest from this year will seep into 2023 with serious ramifications for the security industry, according to Infosecurity Europe’s community of cybersecurity leaders. However, with stricter regulations and developments in Artificial Intelligence (AI) and Machine Learning (ML), CISOs may be in a stronger position to minimise threats next year.
The organisers of Europe’s most influential information security event asked its network of CISOs and analysts to comment on the major trends they foresee shaping the next 12 months in cybersecurity, categorised by theme: Human Element, Threat Vectors, Legislation and Regulation, and the current news agenda.
Commenting on how one of the most topical issues from 2022 will affect cybersecurity next year, Maxine Holt, Senior Research Director, Omdia says: “The political landscape is fragile. New cyber weapons are being developed and used by governments. The likelihood of being accidentally impacted in the crossfire is increasing, particularly as most organisations now host their infrastructure with third parties, increasing the risk of a cyber-attack. Nation-state cyber weapons have the ability to cause mass disruption to national infrastructure and critical third-party suppliers, but CISOs can only watch and take sensible precautions.”
Looking closer at the technology within the industry, conversation around AI and ML in countering cybersecurity has been rife, causing conflicting views among those in the industry, but Munawar Valiji, CISO, Trainline believes that “Enhancements in AI and ML will help address human weakness in the cyber kill chain.”
Steve Wright, Partner, Privacy Culture, former Interim DPO Bank of England is more mindful: “Whilst AI is revolutionising the data [cybersecurity] and data analytical landscape, AI may make it harder to understand when, and how, individual privacy and security rights apply to this data. It is more challenging to implement effective access and other control mechanisms for individuals to exercise those rights, so where the data is being utilised by AI – then appropriate safeguards and governance to address individuals’ rights is essential. AI also triggers ethical and moral considerations. For example, AI/Machine learning systems must be used in a responsible and ethical way that deserves the trust of users and society.”
Legislation and Regulation
Looking at the legislation aspect of AI, Wright believes CISOs should be worried: “More recently, the new EU AI Act divides AI systems into four categories based on the risk they pose and provides requirements for them accordingly. A risk-based approach must be adopted (which is business as usual for every CISO). Although some AI uses are prohibited, others are subject to hard requirements, and others are not caught by the regulation at all. So, the focus must be on data safety and the fundamental rights of EU citizens. The AI regulation imposes fines even higher than the GDPR’s. So, it will naturally shape how AI systems are developed and deployed. Therefore, every CISO should be reading the text, conducting a risk assessment, and getting ready to justify why, and how, AI is used in 2023 and beyond.”
Quentyn Taylor, Senior Director Product, Infosecurity and Global Response, Canon EMEA predicts that we will see significant changes in legislation, “both in the UK with a new Internet of Things legislation that's expected to be passed, as well as more globally, with huge amounts of legislation pending around the Internet of Things.”
Holt believes that security will be embedded at a more fundamental level: “Security will be everywhere and pervasive. We hear talk of the security fabric, security mesh – call it what you will – essentially it means that security is part of everything that an organisation does and must think about. The geopolitical situation continues to be volatile and ever more consideration must be given to this at an individual organisational level. However, the bigger issue with pervasive security is about resilience and maintaining continuous organisational operations. Without consideration being given to security, when it comes to everything from innovation, compliance, expanding threat landscape, risk, and more, then organisations will not be as resilient as they need to be.”
Maria Bada, Behavioural Science Expert, AwareGo believes the industry is seeing regulation efforts on a global scale: “We see the UK taking very positive steps with the Online Harms Regulation and Policy coming out. Also at the international level, there have been significant steps forward, not just around cybersecurity, but in relation to cyber-crime specifically. We now see countries actually focusing on specific ransomware related policies, which is a big step forward.”
David Edwards, CEO, ZeroDay360 predicts that “the adoption of Zero Trust systems will be one of the biggest advancements of 2023”; however, it is widely accepted among the network that the threat of ransomware will continue.
Holt foresees that the threat of ransomware will be ever more aggressive and organised: “Long gone are the days of a moral code being applied to cyberattacks, and pretty much every organisation is considered fair game, evidenced by the huge impact on the healthcare industry this year.”
According to Edwards, next year will see a move to targeting employees individually to leverage insider fraud. He elaborates: “Employees are easier targets at home and have access to critical business processes. Forcing employees to click on phishing emails, install programs or enable business email compromise, will become an increasing trend.”
This sentiment is shared by Wright as he states: “Coming out of the global pandemic, hybrid working has created a greater risk of work information becoming mingled with personal information as the boundaries between ‘work-space’ and ‘private-space’ and ‘work-time’ and ‘personal-time’ become increasingly blurred.”
Valiji is less concerned as he believes that “organisations will be investing heavily in improving user awareness - delivering thematic and tailored awareness programs.”
What lies ahead?
With the short-term future in mind, Troy Hunt, Founder and CEO, Have I Been Pwned predicts the evolution of passwords: “Very often we hear of talk about passwords getting better, more feasible, and usable by everyday people. I think we will still have more passwords in five years than we do now because old passwords don't die, but I do think we're getting better at augmenting it. Take, for example, face ID and fingerprints to get into your phone. It’s, of course, a very gradual process, but the undeniable trend of more devices, more online services, more people, more exchange of data, will inevitably result in more data breaches and so, it’ll be interesting to see how passwords, too, evolve.”
From a personnel point of view, the future of cybersecurity is bright, believes Holt, who is pleased with the growing number of women in the industry: “From the in-person events I’ve attended, it was great to see so many women. We’ve still got a long way to go before we have gender parity in the workplace from a security perspective, but it is getting better. It's a real win and a big step forward of course, but also demonstrates more recognition of security as a profession – something we desperately need at the moment.”
Nicole Mills, Exhibition Director at Infosecurity Group, says: “With the rebuilding of business and society after the pandemic and the political situation between Ukraine and Russia, 2022 has certainly been another year of historic events. While these events have definitely had an impact on the cybersecurity industry, it remains to be seen whether they will have quite as big an impact in 2023. Many believe they will, but with the advent of Pervasive Security, more stringent regulations and increased familiarity in, and in some cases, adoption of AI and ML, CISOs are holding their own.
“These discussions we are having now will help shape our content for Infosecurity Europe 2023 and we look forward to generating some thought-provoking conversations on the growing trends in the industry and how organisations can once again, look to overcome the many challenges that will inevitably come their way in 2023.”
The conference programme at Infosecurity Europe 2023 will cover the topics raised by the CISOs and analysts who contributed their thoughts, with presentations, talks and workshops exploring the themes across the different theatres. Infosecurity Europe will run from Tuesday 20 to Thursday 22 June 2023 at ExCeL London. Full details about the exhibition and conference programme will be released on the website in the coming months.