It’s that time of year where we, in the industry, attempt to be cyber soothsayers. A tall order – even more so when you’re trying to look ahead to 2030.
The cyber security landscape is in a state of flux, and the past five years has kept us on our toes. As I do my best to peer into the crystal ball of the late 2020s, it’s clear that the challenges facing CISOs and their teams will become even more complex. From the persistent threat of ransomware to the rise of cyber sabotage, the threat landscape is undergoing a big transformation. And the implications go beyond just the technical – the potential for personal liability for security leaders is also a looming issue that could reshape our roles.
Here are my thoughts on the exciting and chaotic opportunities that we might see emerging in the next five years.
Sabotage on the rise
Ransomware will persist, but a blurring of cyber and physical sabotage attacks targeting critical infrastructure specifically may become more prevalent. This is due to the blurred lines between state-sponsored and criminal activities.
Sabotage in cyber security means intentionally causing damage to, or manipulation of, digital data or systems, with the intent to disrupt operations, cause damage, or compromise security. Cyber attackers may aim to disrupt operations and compromise the integrity of computer systems and networks. This malicious activity can have severe consequences ranging from temporary disruption to serious long-term issues, financial losses, and data breaches.
Sabotage is interesting as it represents a departure from where we were five to 10 years ago in the cyber security landscape. Previously, cyber security professionals didn’t have to consider sabotage as a primary threat – but that’s changing. The interesting thing here is that cyber sabotage isn’t new, but the impact that it can have is increasing and will continue to do so.
Recent incidents that suggest sabotage is more of a concern, exemplified by the Nord Stream gas pipeline attacks and a recent fibre optic cable incident in the Baltic Sea. These types of physical attacks on critical infrastructure are being viewed as potential acts of sabotage. Sabotage is quite a political issue, which means cyber security professionals may need to be careful in the coming years to avoid getting involved in sensitive geopolitical matters.
Risky business
The advent of new technologies like artificial intelligence (AI) will introduce new risks and unintended consequences that organisations will need to manage, such as data ownership and privacy issues. This is alongside the fact that if we start to make key decisions using AI, we need to ensure that they have robust and explainable safeguards around them. One exciting area is the UK’s AI Safety Institute and the way they are looking at the safe usage of Frontier AI models.
AI is a powerful technology that can be used both beneficially and maliciously. While it can enable efficiency gains and help defend against threats, it also has the potential for misuse. The growth of these technologies will introduce new – and accidental – risks and consequences that organisations will need to manage.
What if an organisation puts all their data into an AI-enabled system, and then the system fails or the company goes bankrupt? There could be issues around who owns the data and what happens to it, such as it being sold off to the highest bidder. Take 23andMe – who owns that data now?
We need to carefully consider the ethical implications of adopting AI and other emerging technologies to avoid negative outcomes like these.
Time to take out insurance
Cyber security is something people are talking about at the dinner table. I can’t decide whether it’s good or sobering that my mum now talks about it. This increased awareness and attention on cyber security is leading to a situation where CISOs are held to a higher standard and face greater pressure to make the “right” decisions.
The decisions a CISO makes are reflective of risks – and usually we’re just trying to stop someone from making an accidental problem. If we make the wrong call, are CISOs accountable and responsible from a legal perspective?
There is an ongoing discussion around whether CISOs should have personal liability insurance, like how company directors do. This is because the decisions made by CISOs on behalf of the organisation can be seen as risk decisions, and if those decisions turn out to be wrong, the CISO could potentially be held accountable.
We might start to see CISOs held legally accountable, either in a civil suit or even a criminal case, if they make a decision that leads to a security incident or breach – much like the Uber case.
While my crystal ball might be a bit hazy for the next five years, one thing is clear: CISOs and security teams will face a variety of challenges. With more regulations, a heightened threat environment, and the potential for cyber sabotage, we’ll need to strike a careful balance.
But it’s not all doom and gloom! There’s plenty to be optimistic about. The growing awareness of cybersecurity opens doors to attract diverse talent and foster greater industry collaboration. Plus, AI promises more efficient and better defences against threats. By tackling potential risks head-on, we can embrace the positives of these trends and be well-prepared for the future.