It's mid-February, which means IT security executives' and industry analysts' plans for 2018 are really starting to gather momentum. Every year, this personnel faces the difficult task of deciding what security investments they should make given current developments in the cyber threat landscape. Google Trends and other services can help organizations make these types of decisions over the short-term. But it's more difficult when we begin discussing what cybersecurity challenges organizations could face in 2028. Why is this so? Well, there are lots of factors that should inform how we think about what the world will look like in 10 years. In the MIT Sloan Management Review, Amy Webb identifies a framework known as CIPHER that accounts for Contradictions, Inflection points that are indicative of change, new Practices that upset established norms, Hacks that change how users traditionally interact with a product, Extremes that push boundaries, and Rarities. These factors, in turn, help us separate what's probable, including developments in cybersecurity, from what's merely plausible or possible. Once you use these techniques to think about the future, you'll be in a good position ask yourself five questions about future scenarios in cybersecurity. Some of these questions are as follows:
- How likely is it?
- What is the level of risk?
- What will threat actors do?
- How will we defend it?
- What is the end state?
There are numerous scenarios to which IT security executives and industry analysts can apply these questions in an effort to predict what cybersecurity could look like in 2028. For example, they should reflect on the potential for quantum computing to break every traditional encryption algorithm that exists. Under this Y2K event for encryption protocols, an attacker might be able to steal encrypted data and use quantum computing to decrypt it 10 years from now. Some pieces of information might not be as important in 2028 as they are currently but there are some things, like classified government data, that we'd still want to be protected. So, we need to ask ourselves: how long do we want data to be secure? The National Institute of Standards and Technology (NIST) is taking the lead in developing new encryption algorithms for the age of quantum computing. Of course, it's unclear when this new age of computer technology will emerge and who will have access to it. But it's a certainty that every encryption protocol will need to be retrofitted with NIST's new encryption algorithms. Cybersecurity decision-makers and forecasters should also reflect on those five questions with respect to these other scenarios:
- Artificial Intelligence: On the offensive side, what if attackers' tools were more self-aware in that they could mimic a sophisticated human cracker when breaking into a network? As for defense, what if bots streamlined an organization's defense using machine learning and artificial intelligence?
- Automation: Is more automation a good thing? Vendors are already trying to connect different technologies and security controls together to automate incident response. What could a fully automatic response process look like? And where/how could human analysts fit into this process?
- Cold Storage: In an age of increasingly expensive data breaches, should organizations deploy a cold storage strategy and stow their data offline? If so, should organizations remove the critical data entirely? Is there a benefit to keeping a bit of it online?
No doubt some of these scenarios will bear fruit before or in 2028. But when they do, not everything will change. Security professionals will still need to configure their systems properly, patch for vulnerabilities, and monitor their systems for anomalous behavior. They can do this using foundational security measures like the Center for Internet Security's (CIS) Critical Security Controls (CSC). We must also be prepared for black swans, events or occurrences which deviate from the norm and could therefore fundamentally change cybersecurity. What black swans do you think could revolutionize the security business in 10 years? Let us know in the comments.
