Managing Complexity, Dispelling Myths: Another Year at Infosecurity Europe
In opinion / By Phil Muncaster / 14 June 2019
Every June in a part of west London filled with nothing but coffee shops and conference centres, you’ll find Infosecurity Europe. Europe’s self-styled “number one” cybersecurity trade show has been running for more years than anyone can remember. I’ve been going for the past 14, and although the three-day show can be a bit of a slog, it’s always a great place to see what’s hot and what’s not — what the vendors are trying to flog and, more importantly, what the independent experts and practitioners are talking about.
With the caveat that there’s far too much going on at the show for one person to see, here are my five key takeaways:
AI still dominates…
It should come as no surprise to learn that artificial intelligence (AI) and machine learning are still the big buzzwords on the show floor. You’d have been hard pressed to find a single vendor — whether they were selling endpoint security, threat intelligence tools, server protection or something else — that didn’t claim to have an “AI-powered engine” lurking somewhere. Just how many are telling the truth about their “industry-leading capabilities” is another matter.
A recent report from VC firm MMC Ventures found that 40% of European AI start-ups don’t actually use the technology in any meaningful way.
…But can we trust it?
Another big question mark hangs over whether AI is being used effectively by firms. Titania CSO Nicola Whiting argued that challenges over data accuracy, bias in the datasets that systems are trained on, and transparency and validation issues mean the technology is not yet ready to be trusted in some use cases.
Security professionals should by all means look into AI-powered tools as a way of enhancing their existing capabilities. But it would also be prudent not to rely too heavily on such systems, or on the claims vendors make for them, without validating their output against your own data. The basics of AV, intrusion detection, regular patching, privileged account management, pen testing and more still apply — and are likely to have just as big an impact as flashy new tools.
We need fixes not fear
Industry and governments need to stop fear-mongering and take a more pragmatic approach, educating business leaders and focusing on solving key challenges. That was the message from National Cyber Security Centre (NCSC) boss Ciaran Martin. Although the UK is faced with an unprecedented array of challenges — from eye-catching nation state attacks to “sustained, ubiquitous and chronic” cybercrime — there is hope, if organisations get the message and start improving baseline security, he argued.
This pragmatic approach should extend to the design of resilient 5G networks so that, whoever supplies the core equipment, the networks cannot be manipulated at will by a foreign power, Martin argued. Most importantly, it will require closer engagement with non-technical business leaders. Interestingly, he suggested that it is they who need to become more technical, rather than CISOs simplifying their message.
Boards and CISOs are still not communicating
That was somewhat at odds with the message that came from others at the show. William Hill CISO Killian Faughnan, for instance, argued that CISOs should have no more than three key messages when they present to the board, and should be aiming for a single slide if possible. The art of a good security leader, he explained, is to be a good marketer: this requires knowing your audience, tailoring the message accordingly and ensuring it remains positive in tone.
Former Lloyd’s of London CEO Inga Beale also pleaded with CISOs to keep things simple, claiming that most of the time board members simply don’t understand what the CISO is talking about.
However, chiming with Martin’s suggestion, she advised CEOs to ensure they have at least a couple of tech experts on the board, so that the right questions are being asked about risk.
IoT growth will challenge our very democracy
What is the worst that could happen if cybersecurity is neglected? A major hit to the corporate bottom line and brand reputation, for sure. A serious attack might even drive a firm out of business or make it vulnerable to takeover. But beyond that, nothing that could fundamentally undermine our way of life, right? Wrong, according to best-selling author Jamie Bartlett.
He painted a worrying picture of a future 10-15 years from now in which users start losing faith in technology. This could have serious implications for society as a whole. Take elections. If the Cambridge Analytica model continues unabated, we could increasingly see democracy undermined by micro-targeting of swing state voters by secretive online ads. Thus, elections become less about big debates and more “data science and subtle nudges”, he argued.
The IoT could accelerate this by offering yet more data for nefarious data scientists to crunch, profile users with and then target them with ads. If a voter’s smart home devices are monitored closely enough, the data may tell campaigners when that voter is hungriest, and therefore potentially crankier and more liable to sympathise with “robust” messages from politicians. Cue a doomsday scenario of opening a smart fridge to make dinner only to be presented with a personalised message from Jacob Rees-Mogg.
Thankfully this nightmarish vision Bartlett painted is still some way off. But there’s plenty of work to do to stop it becoming a reality.
In fact, one unifying theme from experts speaking at this year’s show is that the job of the cybersecurity professional has never been more important — to their organisation and the country as a whole. It’s not an exaggeration to say that this undervalued and chronically under-staffed segment of the workforce is crucial to the UK’s continued economic growth and social prosperity.