When the Cognitive CISO thinks about the future of cybersecurity, they should be thinking about the emerging trends in technology and the threat landscape, and where those intersect with science, philosophy, and physics. I have a saying in the world of cyber: “As a CISO, we see the storm coming before the clouds arrive.” Big Data and IoT are the two storms we see coming as they relate to privacy. So start to connect the dots between Big Data, IoT, and Privacy. (Check out what happened in the German/EU courts today with Facebook and privacy… go ahead and google it, I will wait….)
As CISOs everywhere begin to develop and adopt technologies related to big data, cognitive computing and the Internet of Things (IoT), we will see cyber-threats grow in both volume and complexity. Those threats will be more focused on privacy than they are today; think “cause/effect.” Legislation and regulation will bring this to the forefront. Keep in mind that the world of cyber changes at the rate of hours, not years… this is a game changer for how you plan and how nimbly you must react. It will be difficult for many organizations because of legacy applications and the desire of developers to keep those legacy systems alive and well for job security, all disguised in the cloak of “cost savings.”
All companies, not just financial services companies, are in the mad hatter’s race to secure their systems and devices before the bad actors figure out how to exploit them. The goal is to minimize the time between a breach and the awareness of that breach, and breaches are ultimately about privacy. If privacy were not at stake, there would be less pressure and concern about securing the environment. It is all about knowing and understanding when and how your breach occurred and what privacy was compromised. Every CISO lives knowing a breach can and will happen; it is a matter of degree. But what keeps the CISO up at night is this: what element of privacy is now exposed?
Let us take a look at the most important themes and innovations shaping our increasingly interconnected world for 2019.
The Power of Big Data vs. Privacy
The fact is that many devices, people and processes produce large amounts of data. More devices mean more data, both structured and unstructured. Mobile adoption as the standard for social networks has generated even more data. However, what happens if cybercriminals get their hands on this data? (Yes, you know the answer to that question.)
In 2019, 2020, and 2021 you will see a new world of privacy being defined in the form of regulations, rules, and laws. Privacy is and will continue to be “confusing” to individuals and businesses alike, just like many other regulations, until it simply becomes a way of life. Translation: it is going to take time… but technology will not wait…. let that settle in for a moment…
What is interesting about privacy legislation and regulation is this: Who is being protected? Is privacy bound by economic status? By political state? Or is privacy an inalienable right? Who owns privacy? Who owns the data? Who owns the anonymized data? How many companies will claim that anonymized data no longer belongs to the individual, simply because it has been anonymized? Will we see lawsuits?
Richard Clarke, whom I have quoted before, says: “While storage of vast amounts of data has led to hugely valuable benefits from analysis and correlation, it also has led to significant erosion, if not almost complete destruction, of any meaningful concept of privacy.” (Richard Clarke was a senior White House adviser to three presidents on matters including cybersecurity and counterterrorism.) So put that into perspective as you begin to experience, over the next several years, regulators and governments making attempts at managing privacy.
The “Yin and the Yang” of Big Data and Privacy
Humans produce data for all sorts of reasons: for research and analysis, for marketing, for evidence, and for entertainment. Scientists use sensors to understand how the world and the environment react to particular stimuli and conditions, in the interest of scientific advancement. The data produced is highly valuable not only to us but to malicious actors as well. If it were not, corporate and governmental espionage would not exist.
We all recognize the benefits of big data and the analytics it makes possible, but the traditional methods of privacy protection have failed when applied to big data. The underlying premise of privacy relies on informed consent for the disclosure and use of an individual’s private data. We need to remember that big data means data is a resource that can be used and reused, often in ways that were inconceivable at the time the information was collected.
The anonymity of your data is also swept away in a big data paradigm. If you think that anonymizing each individual field strips out everything personal, think again. The relationships between the remaining fields, especially once they are combined with other data sets, can reveal the individual’s identity….. let that sink in for a moment. It is like putting a puzzle together, and now you begin to understand where the Europeans are coming from with GDPR, which I mused about previously this year.
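To make the puzzle concrete, here is an added example (my illustration, not code from the original post or from any of the products it mentions). A “de-identified” medical data set has had names removed but still carries ZIP code, date of birth and sex. Those three fields are quasi-identifiers: join them against a public list that has names (a voter roll, in this constructed sample) and the names come right back. The same block then measures k-anonymity, the size of the smallest group of rows sharing one quasi-identifier tuple, and shows how coarsening the fields (3-digit ZIP prefix, birth year only) raises it so the join no longer lands on a single person. All names, ZIP codes and diagnoses below are constructed sample data.

```python
"""Added example: a linkage attack on "anonymized" records, and a
k-anonymity check that would have flagged the risk before release.
All records are constructed sample data, not real people."""
from collections import Counter, defaultdict

# Fields that are not names but, in combination, single people out.
QUASI_IDS = ("zip", "dob", "sex")

# Constructed "anonymized" medical records: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "02138", "dob": "1965-07-02", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1979-03-14", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1979-03-14", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1979-03-14", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1965-11-20", "sex": "F", "diagnosis": "migraine"},
]

# Constructed public voter roll: names present, same quasi-identifiers.
VOTERS = [
    {"name": "A. Example", "zip": "02138", "dob": "1965-07-02", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1979-03-14", "sex": "M"},
    {"name": "C. Example", "zip": "02139", "dob": "1979-03-14", "sex": "M"},
    {"name": "D. Example", "zip": "02139", "dob": "1979-03-14", "sex": "M"},
    {"name": "E. Example", "zip": "02139", "dob": "1965-11-20", "sex": "F"},
]


def qi_key(row):
    """The quasi-identifier tuple used as the join key."""
    return tuple(row[k] for k in QUASI_IDS)


def group_by_qi(rows):
    groups = defaultdict(list)
    for r in rows:
        groups[qi_key(r)].append(r)
    return groups


def linkage_attack(anon_rows, public_rows):
    """Join the anonymized set to the public set on the quasi-identifiers.

    Returns {name: diagnosis} for every anonymized row whose key is unique
    on BOTH sides: that person is fully re-identified. Keys shared by
    several rows are not returned, since the attacker cannot tell which
    record belongs to which person (though they still learn the set of
    possible diagnoses, a weaker but real leak).
    """
    anon = group_by_qi(anon_rows)
    public = group_by_qi(public_rows)
    reidentified = {}
    for key, rows in anon.items():
        matches = public.get(key, [])
        if len(rows) == 1 and len(matches) == 1:
            reidentified[matches[0]["name"]] = rows[0]["diagnosis"]
    return reidentified


def k_anonymity(rows):
    """k = size of the smallest equivalence class over QUASI_IDS.
    k == 1 means at least one row is unique and therefore linkable."""
    counts = Counter(qi_key(r) for r in rows)
    return min(counts.values())


def generalize(row):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth year only.
    This is the standard generalization step used to reach a target k."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["dob"] = row["dob"][:4]
    return g


if __name__ == "__main__":
    print("k-anonymity of released data:", k_anonymity(MEDICAL))
    print("re-identified by join:", linkage_attack(MEDICAL, VOTERS))
    gen_medical = [generalize(r) for r in MEDICAL]
    gen_voters = [generalize(v) for v in VOTERS]
    print("k-anonymity after generalization:", k_anonymity(gen_medical))
    print("re-identified after generalization:", linkage_attack(gen_medical, gen_voters))
```

The point to take from running it: the released data has k = 1, and three of the five “anonymous” patients get their names and diagnoses re-attached by nothing more than a join. After generalizing ZIP and birth date the smallest group has two members, and the same join recovers nobody. Checking k (and the related l-diversity of the sensitive column) before a data set leaves your control is the practical test behind the GDPR notion that data is only anonymous if it cannot be linked back to a person.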
What changes do I see coming as time goes on?
Welcome to the world of Cognitive Security. By now, from my musings and the title of this blog, you know that Cognitive Security is what the Cognitive CISO is all about in the daily work of protecting the organization.
Cognitive Security will be the new branch of cybersecurity. It is already taking shape in the market; forward-thinking leaders in many companies are laying the groundwork for cognitive security. (I am going to predict that in five years the term cognitive security will replace cybersecurity, and the CISO will be the Cognitive CISO.)
What is Cognitive Security?
Think of it as a cross between a data scientist, a philosopher, a physicist, and a data intelligence analyst. This discipline will rely on machine learning, psychology, philosophy, physics, advanced behavioral analytics, an understanding of the humanities, and data management techniques. Cognitive Security professionals will be able to process threat data more efficiently and more accurately predict violations and activities relating to privacy and data. This is just one of the many ways in which cognitive computing will shape the future of cybersecurity. It will also shape the world of privacy. You will see Cognitive Security analysts keeping an eye on how marketing, actuarial, sales and business planning departments use data, and ensuring that confidentiality is maintained. This will be accomplished with big data, and it will happen in near real time.
As the United States government starts to implement new regulations to protect data, to keep up with Europe and the rest of the world, the increasingly sophisticated threat landscape demands a sweeping culture change when it comes to security. Social media will be in for a “makeover” and will have to adopt the security solutions necessary to address the growing concerns about privacy. (You saw that with the Facebook and German court situation.)
You can expect, across all industries, a movement towards implementing new “security controls” that are solely focused on privacy. This will translate into new training programs with a greater emphasis on the management of data. We are entering an era where privacy is the new norm for managing data.
As new privacy laws are ushered in over the next five years, you will see organizations struggle to manage and monitor user identities as the key to maintaining privacy. Legacy applications will be the bane of financial services companies. Software companies will identify new governance and risk-based solutions that help maintain integrity and confidentiality, and the correlation between the two. They will build that into the applications just as they built supply chain best practices into ERP. Keep in mind this will not give any company an advantage in staying a step ahead; it will only provide a baseline standard on which to build real privacy protection.
Let me make another prediction…. In five years, there will be legislation or regulations firmly stating that companies do not own any data of individuals, including anonymized data; they are merely custodians of that data.
With the new emphasis being placed on privacy, you will eventually see the death knell for common passwords. What you will see is the advent of advanced authentication techniques such as biometrics on all devices, and those methods will be morphed into and integrated with the applications. (Start thinking about those legacy applications now.) I predict the days of single sign-on will morph into a biometric single sign-on that requires periodic re-authentication, all of it role-based across the applications, Active Directory (AD) and other directory services, and identity management applications.
The traditional “Risk Assessment” will become an infrastructure assessment, and we will see a new “Privacy Risk Assessment” evolve that focuses on the privacy of all data rather than on cybersecurity as it relates to infrastructure. We will see the Cognitive CISO responsible for both the privacy risk assessments and the infrastructure risk assessments.
You will also see the format of the privacy risk assessment become more detailed and specific to cause and effect, answering the WHY question, for example:
Identify all the potential harms that could arise from big data collection and explain how these risks are currently addressed. What changes are you making in your technology, processes, and procedures to address privacy? And how are you monitoring the privacy risk?
Explain the legal frameworks currently governing big data within your department. Are they adequate? If not, why not?
Explain the steps you are taking to be more transparent in your use of big data. For example, are you publishing your algorithms? (Trust me, that one is coming.)
Explain, from a technical perspective, the measures you are taking with big data that will minimize the privacy risks to individuals.
Which best practices in your industry sector are you using to address the challenges of big data? Which best practices in your industry have you opted not to adopt?
To wrap this up, let me share some Big Data statistics to help you see why this is a growing concern:
Big Data Statistics
“Google is more than 1 million petabytes in size and processes more than 24 petabytes of data a day, a volume that is thousands of times the quantity of all printed material in the U.S. Library of Congress.”
36 billion searches are performed each month on Twitter.
More than 1 billion users visit YouTube each month and over 6 billion hours of video are watched each month on YouTube – that is almost an hour for every person on Earth and 50% more than last year.
90 percent of the data in the world today has been created in the past two years.
In 2020, the amount of digital data produced will exceed 40 zettabytes, which is the equivalent of 5,200 gigabytes for every man, woman, and child on planet earth.
1 Gigabyte = Approximately 1 full-length feature film in digital format; 1 Petabyte= One Million Gigabytes or a Quadrillion Bytes; 1 Exabyte = One Billion Gigabytes; 1 Zettabyte = One Trillion Gigabytes or One Million Petabytes.”
Now ask yourself: do you know where all your customers’ data resides?
Do your customers know where all their data resides?
Be vigilant. Be safe.
I am Richard, and I am always looking out for you!!