Securing Tomorrow: Society Must Wake Up and Take Ownership of Identity

There are trends that have been on the industry’s radar for a while now; social, mobile, applications and cloud. However, within the next year, we’ll see more of an emphasis on one of the key underpinnings of these trends – identity. The issues with data management and security are often told and understood from an industry, business or sector perspective; but society as a whole is still arguably not at a point where it is fully awake to these issues and how they directly affect individuals. Next year, I believe we will begin to see people recognising the need to make big decisions around privacy. This is especially true when it comes to how much of their identity and data they are and should be willing to ‘give away’ or hold back, and balancing this with the convenience of their rapidly developing online lives.

Many of us recently updated to iOS 9 and downloaded it without hesitation. Today you can ask Siri or Cortana to access your holiday pictures in an instant, pay for your shopping with your phone or check your heart rate or symptoms on a health application if you’re unwell. Every time we use one of these conveniences, we are giving away more and more information about our lifestyles, and increasingly becoming owned by the ecosystems that we choose.

We are still largely unaware of where and how our data can be accessed; and the consequences can be potentially dangerous. A study published in BMC Medicine recently revealed that 20 percent of the health apps it looked at did not have a privacy policy, most of the apps communicated with one or more third party services, and four of the apps even sent identifying and confidential health information without encryption. The general invasion of privacy isn’t the only problem. The data could fall into the hands of parties who could be actively seeking it out (e.g., insurance companies).

While society as a whole isn’t in a state of security and privacy awareness that it needs to be, there are signs that this is beginning to change and industry is beginning to respond. Following its launch of iOS 9, Apple recently launched a new section of their website dedicated to explaining to customers its approach to privacy and how it manages data.

Society is still not catching up fast enough, and there is currently a fundamental disconnect between what motivates product and technology development and what is needed to truly secure it. Organisations are putting their efforts into protecting corporate reputation, rather than investing in prevention with a ‘security-by-design’ approach. The speed at which new applications and devices are brought to market is faster than ever before and we are dealing with more data than ever. A culture of making security a staple part of development processes and programming needs to be embedded within every organisation that has a service to offer involving storing or managing consumer data. Such requirements are too often considered down the line. As a body of certified cyber, information, software and infrastructure security professionals, (ISC)² recently took steps to promote such a culture by working with the government, the Council of Professors and Heads of Computing, BCS, the Institute for IT and other industry bodies to create course guidelines to enable cybersecurity to become a core component of UK computing degrees. The result was a set of guidelines that detail aspects of defensive programming to defend against basic risks, as well as having core modules such as secure systems and products, and cybersecurity management.

By taking steps like these, society can move to a culture of ‘security first’ over time.  The key is to start with future IT professionals before they enter the workforce to engrain security within them for any programming or development. This will ultimately enable the future workforce to respond to the needs of a more security aware general public (customer base) that will be ready to take control over their own data and identity.

Dr. Davis will be asking a panel of experts, including Oracle’s Director of Security for EMEA Georg Freundorfer; CISO for Deutsche Flugsicherung Dr. Sebastian Broecker; and former U.S. White House Advisor and current Executive Director at Safecode Prof. Howard Schmidt their visions looking forward in 2016 and beyond as he moderates the opening keynote, “How Can we Secure Tomorrow Today?” at (ISC)² Security Congress EMEA in Munich 20-21 October. — Dr. Adrian Davis, CISSP, Managing Director, (ISC)² EMEA

[(ISC)² Blog]