Posted on 21/06/2017 by Peter Sanders
When it comes to information and cyber security, few events in the calendar come close, in size or scale, to Information Security Europe (InfoSec for short). The annual exhibition and conference attracts 18,000 information security professionals, service providers and vendors and 270 expert speakers from all four corners of the world including, this year, Dame Stella Rimington, former Director General of MI5, and former Newsnight presenter, Jeremy Paxman.
The three days are rammed with the latest innovations, the world’s most forward-thinking security minds and the biggest brands in the business. Among the thousands of visitors was identifi Global’s Pete Sanders, taking notes, making connections and finding out the biggest issues of an industry in flux.
Here are his five key talking points from this year’s event.
AI and mitigating human risk
In his talk on day 2, CTO of IBM and self-styled ‘security guru’, Bruce Schneier, focused heavily on the IoT and cyber-physical systems like automation and, particularly, Artificial Intelligence. The question he asked was one of the central concerns for the industry as a whole: Do AI and machine learning represent a cybersecurity risk or an opportunity?
Increased interconnectivity means that bots have never been smarter, quicker or more adept at taking on human tasks. Yet many of the IoT and AI products thus far have been rushed to market, which leaves an open goal for cybercriminals. This isn’t a new question by any means, but it’s a question being asked louder with the rapid development of new tech which is reaching deeper into our everyday lives than ever before.
Building agile security teams
This was the focus of a talk on the main stage featuring Vicki Gavin, Compliance Director and Head of Continuity and Information Security for The Economist Group; Stuart Hirst, Skyscanner’s Head of IT Security; Mahbubul Islam, the Head of Secure Design from DWP, and Network Rail’s CISO, Paul Watts.
Agility is key from both sides of the workforce: employers and employees. Agile teams allow employers to quickly and efficiently respond to customers’ needs, of course. But employing with agility and future-proofing in mind shows potential employees that the business is committed to investing in its staff, making it a more attractive prospect all over - essential when there is a shortage of standout stars in the industry.
In real terms, for candidates applying for cybersecurity roles, the demand for agility in the sector proves the increasing importance of being able to demonstrate flexibility and successfully handle projects away from your core capability. That requirement may vary from one organisation to the next, but for candidates, the ability to step out of their specialism and quickly pick up other skills when needed was hugely attractive to employers.
The wider question asked was whether the industry as a whole was implementing agility successfully enough throughout businesses and teams, and whether companies had the in-house capabilities to drive agility as a central tenet to team building. As Stuart Hirst from Skyscanner pointed out: “Security is asynchronous and is impossible to plan for, and most policies are out of date once they are written.”
As the cybersecurity sector grows and morphs rapidly over time, the need for speed becomes an imperative to keep up.
Of course, with data at the forefront of both technical advances and security concerns, the General Data Protection Regulation was at the heart of much of the conversation at InfoSec this year. Central to this was the extended session on the Keynote Stage featuring a panel representing the Information Commissioner’s Office (ICO), HSBC, John Lewis, Costa Coffee and BH Consulting, which left visitors in no doubt about the size and scope of the challenge for the industry. Away from the main stage, probably 50% of exhibitors had some kind of presentation looking at the new laws and how businesses should tackle GDPR.
For us, the key things we took away were firstly, the fact that accountability is key when handling data: businesses need to take ownership of every element of the risk. Secondly, the law is coming into play in less than a year, but the guidelines still allow for a certain amount of ambiguity which is worrying for such a huge piece of legislation with serious consequences for non-compliance. And finally, we echo the sentiment that GDPR is not a compliance issue, it’s a technical one.
Disruptive technology (and the problems with it)
Technology, as ever, was a huge talking point across the board. AI and machine learning took centre stage, as discussed above. But Blockchain continues to generate a huge buzz, albeit with caveats.
Jaya Baloo, CISO at KPN Telecom in the Netherlands, looked at the exciting developments and future untapped potential of Blockchain technology in her talk on the Keynote Stage on Day 2. But alongside the positives, she highlighted the security pitfalls for businesses if the tech isn’t implemented properly. Blockchain alone, she said, won’t solve everything; there is a structure and a foundation businesses need to have in place - the protocol, the exchanges, ethical mining and more - before they launch a new product.
And this was a key takeaway for us from all the discussion around disruptive technology. Tech is often sold as a panacea, but it’s not the answer to everything. Blockchain needs to have strict security protocols in place to get the most out of it. AI and machine learning are brilliant tools for spotting known threats, but with technology and cybercrime moving so quickly, the challenge is in keeping up with new threats.
As Jonathan Stevenson, Technical Marketing Engineer, Network Security & Threat Defense for Cisco, said in his Tech Talk: “How do you defend against threats you can’t currently address?” The answer is human powered: Gaining more visibility into what is likely to cause a cyber-attack on your business, learning about the updated techniques that hackers are using to infiltrate businesses, detecting the ‘serious’ alerts from the crowd. These things will undoubtedly involve tech, but tech alone is not a solution; it’s a tool.
From BBC Technology reporter, Kate Russell, talking about women (or the lack of them) in cyber to the multitude of showcases by various exhibitors across the three days, the skills gap was firmly on everyone’s minds. At the Cyber Innovation Showcase on Wednesday, James Hadley, CEO of Immersive Labs and former GCHQ security researcher, highlighted the problem of certifications and qualifications which don’t deliver the hands-on experience needed to meet the challenges of modern cybersecurity. Again, this calls into question the agility of an industry constantly in motion, trying to keep up with new technological advances, and how the industry reacts to this ongoing challenge. Will the students of today have the right skill sets to deal with the technical problems of tomorrow? The debate rages on.
And finally, not really a takeaway, more of a giveaway: I came home with about eight pairs of socks from businesses promoting SOCs. While there are huge challenges for the industry, I would say avoiding terrible puns in promo merchandise is right up there with GDPR. Still, they should tide me over until Christmas.
The cyber skills shortage is very real, and often candidates are put off by the requirements from employers looking for people who can do it all.