Why Information Security Isn't Boring Anymore

Whenever I’m introduced to a friend of a friend, it doesn’t take them long to realise their error after asking the inevitable, “so what is it you do?” and then to change the conversation entirely.  

Information security is not sexy and I want to talk about it over a couple of glasses of wine just as much as everyone else does. Professions that fuel conversation long into the night tend to be a bit more glamorous, perhaps more scandalous, or at least more prosperous. 

But then, as a discipline, we have had our fair share of scandal. There are examples, too many to name, where organisations have poorly protected their customer data, or worse, wilfully misused it. Penalties for these firms in cash and brand have been substantial and the cost of getting it wrong is rapidly increasing.

Our economy is digital and our most valuable assets are stored as a string of ones and zeros that can be accessed from anywhere. Our strategies, our secrets, our customers and our colleagues are, at this very moment, being threatened not only by well-funded criminal syndicates but also by the vast resources of hostile nation states.

The concept hasn’t changed since Enigma. It is advantageous for you and me to communicate instructions and data over a network or via the airwaves. As new technologies or methods are introduced, these advantages are apparent. But, like Enigma, it is only advantageous if we can be sure that no hostile elements have interfered in this process.

Cloud computing is a great example of this. The advantages of using the public cloud are obvious. As a customer of public cloud services, you receive a significantly better service, at a far greater speed, with no cost of provisioning. It wouldn’t be right to describe the work conducted in this field by Amazon over the last decade as anything other than pioneering. Many firms can now look to a future in which their infrastructure teams needn’t bother themselves with the installation and maintenance of physical servers, but instead just code their requirements into the cloud environment.

But to get the big players on board, Amazon needed to demonstrate not only the power of their proposition but the security of it as well. For applications running on the AWS cloud, everything from code commit, through testing and scanning, to go-live is fully automated, and the speed at which new environments can be spun up and deployed means that there’s now zero tolerance for any change to a live environment. Live environments in this world are immutable. If anything looks remotely suspicious, isolate the instance, delete it and start again. No service disruption necessary.

Cloud computing has quite rightly earnt its place on virtually every horizon scanning, big ideas, things to watch out for, buzzwords to drop into an interview list on the first 10 pages of Google. It represents a significant shift in how we operate as businesses and as individual consumers. But it’s going to be overshadowed. Cloud computing, at its core, is just a very good way of doing the same things that we have been doing for the last decade. Amazon still employs legions of technicians armed with screwdrivers and wire-cutters, but we just don’t see them. 

AI and quantum computing are examples of two technologies that are just around the corner and are going to change the world. It’s that simple.

Think of it like this: the secret to breaking the cryptographic key that’s currently protecting your details on your mobile banking app isn’t really a secret. It’s just hard to do. With current computing power, it’d take us hundreds of thousands, if not millions of years to crack it, but with quantum computing, it could take just minutes or hours. 

A similarly baffling scenario can be thought of for new AI applications. At present, the best a human can hope for is, with a bit of luck and allowing for cognitive decline, 50 years’ operating at full capacity. An AI solution will be able to amass that same experience, again, within minutes.

Apply this reality to something like malware. It’s highly likely that soon, the malware that is continuously directed against large organisations and governments will be able to learn on the job and to call on a far greater experience of success and failure in meeting its objectives than any human. The intelligent attacker will be able to disguise itself as a functioning part of the code and develop entirely new techniques for bypassing evolving security protocols. Today, attackers are already capable of digital espionage, but as our understanding of AI develops so will the attacker’s intelligence. The future of malware can then be thought of as a binary Kim Philby with an infinitely greater dedication to the job in hand!

The potential for this technology is indescribable and we have to assume that the same nation states and criminal syndicates that are threatening our information assets now will also have access to this stunning potential. As this will represent such an immense departure from how we currently operate, security measures may not be able to keep pace with the opportunity as confidently as they have done with other technologies to date.

Information security functions across Financial Services and beyond must now ready themselves for the unknown. 

This is not as nebulous as it first reads. 

New technological threats can only be treated once the technology becomes apparent, but the core defences, such as proper information classification, effective and reactive operating models, diligence embedded into the corporate culture and consistent adherence to policies will provide the greatest foundation for future defensive manoeuvres, whatever they might be. 

Although information security may never be glamorous, as we, once again, move into a new world of opportunity, our information will become our most valuable asset and those protecting it will command a much greater influence on all aspects of our daily lives.