
TREND: Increasing relevance of privacy and privacy-enforcing technology within PACs

Overview: Until recently, privacy was not a primary concern for mass-market consumers or for security and risk teams in the commercial context, representing mostly a complex regulatory environment that had to be supported by the latter. However, due to a number of high-profile privacy abuses and infringements (e.g. the Snowden revelations of the NSA mass-surveillance programs in June 2013, as well as massive security breaches of credit card and other financial information), B2B and B2C customers have become increasingly sensitive to how enterprises collect, use, store, secure and transmit their personal information. In particular, the IoT trend raises many new privacy and security risks and societal implications, which must be thoroughly analysed and their potential impacts understood.

 

 

Impact: A new market is emerging for innovative products and ideas for B2B (e.g. cloud encryption gateways) and B2C (e.g. smart wearables, smart kitchen appliances), and new privacy research opportunities exist, creating new agendas and challenges within the overall PACs context.

TREND: Notions of online identity changing

Overview: The increased availability of online personal information and technology “hyper-connectivity” is removing distinctions between online and offline identities, while also blurring the notion of “public” and “private” identities. This trend is also expected to lead to more dynamic, changeable notions of identity in the future [BIS13].

Hence there are opportunities for PACs innovators to develop new solutions that support these evolving notions of identity while also ensuring protection of online and offline identities in line with new privacy threats.

 

Impact: The trend is driving a new PACs innovation and R&D landscape in the Identity and Access Management space, as well as in the PACs domain generally.

TREND: Consumers increasingly aware of security/privacy issues, but less willing to pay for security technology

Overview: Various emerging vendors are seeking ways to sell privacy and security technologies to the mass consumer market - anti-virus software has been a traditional consumer play, but emerging vendors are actively experimenting and seeking other opportunities. Solutions that protect online privacy and identity are emerging (e.g. private proxy and personal VPN solutions) but are not yet widely purchased. Solutions for protecting against online fraud are another B2C target, as well as personal online reputation support (e.g. reputation.com).

One possible trend is that such solutions will first mature in the corporate market, and familiarity with them in a working context will allow them to be adopted for personal use.

 

 

Impact: Increased adoption of security products directly targeted at consumers (and consumer willingness to pay for them) will improve security and privacy awareness, supporting the achievement of societal objectives around security over time. It would also lead to an expanded PACs marketplace geared at both corporates and consumers in tandem, increasing security expectations among individuals in both personal and professional contexts. However, policy-makers need to support increased influencing and awareness among “security challenged agnosts”, who ignore security or privacy challenges because they see the problem as too big to handle – a growing attitude among the baby boomer generation in particular.

TREND: Bring-Your-Own-Device (BYOD)

Overview: Employees increasingly want to converge personal and professional use of technologies, hence creating a trade-off between security/privacy and the increased advantages and efficiencies afforded by BYOD.

While organisations recognise the trend and aim to facilitate it, it is creating new security/privacy challenges that need to be addressed. The BYOD trend also creates new legal risks that need to be addressed, from both the company and the employee viewpoint.

 

Impact: The trend is driving new innovative PACs technologies and services to deal with this convergence of technology use among individuals, as well as challenging existing notions of organisational security architectures.

TREND: Increasing trust being placed on ICT vendors in relation to security

Overview: The growth of service-based models built on vendor-controlled platforms (e.g. Google Docs, Salesforce, Facebook, Gmail) means that end users are increasingly passing control to service providers in relation to the security and privacy of their data.

A related dimension is that new internet devices are increasingly closed and controlled by vendors, which also limits the ability of end users to configure and control their own security and privacy.

Handing over security to these service providers (coined as “feudalists” by key industry commentator Bruce Schneier) facilitates security/privacy improvements, but also implies new risks [SCH13]. For example, automatic backups and updates facilitated by service platforms have enhanced security considerably. On the other hand, issues arise around vendor lock-in and vendors’ increased ability to act arbitrarily (e.g. changing user defaults, sharing data with government agencies, and usually putting their own corporate interests above those of users).

 

Impact: Delegation of responsibility for security and privacy of data will lead to demands for improved means of ensuring transparency over third party data use. Sceptics at the other end, however, believe this is an unattainable goal, and that individuals will have to acknowledge that technology benefits cannot be achieved without compromising personal privacy to a significant extent.

TREND: Movement from “offensive security” to “active defence”

Overview: The increasing pervasiveness and openness of IT systems mean that a perimeter-based approach to security is no longer deemed sufficient. A more complete security approach is now considered to be one that assumes security threats will always exist within the perimeter of the IT network.

Some analysts use the analogy of coconuts and mangoes to compare this development [PAC13] – the coconut represents older fortress-style security, a fruit that is hard on the outside but softer inside. The mango represents the new cyber-age approach, being soft outside (at least relative to increased threats) but harder inside. This means that organisations are working harder to secure the core of their IT – i.e. their important data, products, clients and contracts, key processes like R&D, critical applications, and vital infrastructure and systems. Proactive security monitoring is a core part of this level of defence.

To extend this analogy further, the most secure solution would be a coconut shell + mango core, but this would not be “edible”, i.e. in IT terms it is not cost-effective or practical for most organisations.

 

Impact: The trend is broadening the security remit and widening the range of security technologies and measures needed to address organisational PACs issues – in turn driving demand for third party managed security services in the form of Security Operations Centre (SOC) support, among other PACs service categories. A next-level desire is to move from active defence towards offence, with instant counter-strike capabilities as part of increasing cyber resilience capabilities, particularly around critical infrastructures.

 

References:

[BIS13] Future Identities – Changing identities in the UK: the next ten years, January 2013, http://www.bis.gov.uk/assets/foresight/docs/identity/13-524-future-identities-changing-identities-summary.pdf

[PAC13] Pierre Audoin Consultants, Competitive Analysis of the UK Cyber Security Sector, July 29th 2013, https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/259500/bis-13-1231-competitive-analysis-of-the-uk-cyber-security-sector.pdf

[SCH13] Bruce Schneier – “You Have No Control Over Security on the Feudal Internet”, Harvard Business Review, June 6 2013
