McKinsey suggests that by 2025, the IoT could have an $11 trillion impact[i]. A range of technologies with high values at stake, from driverless cars to the emerging wearables ecosystem, will rely on this very infrastructure. New security models are sorely needed if this potential is to be realised; if our current models are insufficient for today, they will be woefully unable to deal with tomorrow’s threats. Relying on perimeter defence and rule-based security is already inadequate, especially as organisations exploit more cloud-based services and open APIs for customers and partners to integrate with their systems[ii]. Yet this security set-up remains all too common. New, as-yet-untested models of security are needed that can deal with new and evolving threats such as deeply embedded advanced persistent threats.
Whilst technologies represent new vectors of attack, they also represent a range of tools that could improve security. Analytics will be key. Blockchain, the technology behind Bitcoin, could, for example, dramatically reduce the cost of governing regulatory compliance in the future. New encryption methods and interfaces, such as MasterCard’s scanning of your face to authorise payments, will increase in the coming years. Biometrics are evolving in new areas; ‘brainprints’ represent a new system allowing accounts to be unlocked using brainwaves[iii]. Whether quantum computing will break all known security architectures, renew them or do both remains to be seen. In any case, the acceptance that preventative services cannot be solely relied upon will be a cornerstone of data security in the future, even as the array of preventative services evolves.
Adaptive security architectures are likely to prevail. IT leaders must focus on detecting and responding to threats, in addition to the more traditional blocking. Application self-protection, as well as user and entity behaviour analytics, will help fulfil the adaptive security architecture. Such systems need to balance access with security, and concepts are gaining traction that seek to do just this. Cloaking and containing, which can also be described as the concept of least privilege, provides the least amount of information that someone needs to do their job. At the same time, security could be built inside services, by design, especially with regard to customer-facing applications and services. Perhaps the key missing piece for many in envisioning new security architectures lies with the board. Cybersecurity needs to be regarded as a strategic organisational pillar and a shared cultural concern, for which both executive-level and board-level awareness need to rise. Appointing members fluent in tech matters is a critical step, as is building the competence of existing members and ensuring an open and transparent relationship with the CIO and other key stakeholders.