Robert Lemos / Source: SearchSecurity
In April, high-end audio maker Bose Corp. found itself in the crosshairs of a class-action suit alleging that its Bose Connect app “demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws,” because it collected information, such as song titles, from consumer devices. Bose scrambled to head off the row, refuting the allegations as “inflammatory [and] misleading,” but noted that the product does collect “information about songs playing on the device” and updated its app to allow consumers to opt out of data collection.
The incident put consumer product makers on notice. Diving into the internet of things (IoT) — or other disruptive technology trends that could compromise sensitive data — must involve the security team.
Bose rival Harman International moved quickly to head off any potential legal jeopardy following the lawsuit announcement by checking its own products for similar failings. “We … are absolutely doing a risk assessment on every single connected product that we sell,” said Maurice Stebila, CISO of Harman, a subsidiary of Samsung Electronics Co. Ltd. that specializes in connected automotive systems and other technologies for the consumer and enterprise markets.
Stebila noted that security teams will have to broaden their focus in the future. “For the most part, CISOs are typically responsible for IT security issues, not the end product,” he said. “But with these end products being connected, we have to work very closely with the business units to provide expertise and technology to minimize risks — both to security and the business.”
Emerging technologies are forcing change on enterprise security teams. Digital communication systems involving voice, data and internet connections are rapidly evolving, and organizations must keep pace. Disruptive technology trends such as IoT pose unexpected risk to networks and data security.
Other game-changing technologies — such as machine learning technology, big data and automation — will alter how security gets done within companies, augmenting teams with systems capable of prioritizing critical alerts and taking initial steps to head off attacks with incident response.
Some technologies are too far out to be near-future disruptors. Quantum computing, which promises faster processing and problem-solving than current computer systems, will be a strong disruptor when the technology is practical. In addition to ongoing research at military labs and universities, work on commercial systems is underway at NASA, Google and IBM’s recently established Q division. “When it comes to everything we know today about securing the internet, if we ever get to the point of quantum encryption, then all of our encryption technologies will be obsolete overnight,” said Sebastian Hess, former CISO of global insurance provider American International Group (AIG), who left in May to become CISO at the Isabel Group, an internet banking provider in Brussels.
Yet thinking ahead has definite benefits. Some cryptographers have already suggested ways of making RSA cryptography encryption-proof against future breakthroughs in quantum encryption. Whether those techniques bear out remains to be seen.
Looking forward, CISOs and venture capitalists have identified four disruptive technology trends likely to change security operations.
1. A complexity of clouds
Nearly every company has integrated cloud computing into its business — whether through purposeful steps to select the best services and provide them to employees or from workers using cloud services without corporate oversight. The average company uses 1,053 cloud services, including sanctioned applications and shadow IT that employees adopt without permission, according to Netskope’s June 2017 Cloud Report.
For security teams, however, that means dealing with complexity created by multiple clouds — not just infrastructure as a service, but also cloud applications and hybrid infrastructure, said Alberto Yépez, a managing director at Trident Capital Cybersecurity, which has invested in AlienVault, Qualys and Solera Networks, among other security companies.
“Even for the most sophisticated companies, the adoption of multiple clouds and keeping those clouds secure is rapidly becoming a problem, and very few companies have a good solution,” he said.
Companies should transition from protecting systems to protecting data, Hess advised. “A large issue for most CISOs is, how do you control the security of your outsourced IT environment? I think the real paradigm shift from a security perspective is to shift over to a data-centric approach,” he said.
2. Marriage of the physical and the digital
Whether an organization focuses on manufacturing and infrastructure, like industrial control systems, or on consumer and information technology — such as the internet of things — everything is rapidly becoming connected and potentially accessible from the internet. Already, the industry has seen a variety of compromises of IoT devices, such as the 2015 hacking of a Chrysler Jeep Cherokee’s digital systems — Chrysler issued a 1.4-million vehicle recall — and last year’s massive denial-of-service attacks unleashed by the Mirai botnet.
“With all of these devices interconnected, there is going to be a surge of cybercriminal activity that will seek out easy…