Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
Having previously discussed the relationship between cybersecurity, remote working and personal safety, today we’ll be opening the next chapter of our coverage of this sector by investigating the cybersecurity innovations that we can hope to see over the course of the next 12 months.
To find out, we sat down with a panel of industry experts, including representatives from Utimaco, Bores Consultancy, Performanta, Fusion Risk Management, Mambu and Drawbridge, to gain an on-the-ground understanding of where the technology is taking us, and how future innovations are working to secure the experience for consumers.
According to Utimaco’s Chief Technology Officer Nils Gerhardt, cybersecurity innovations in 2022 should seek to address the immediate threat posed by quantum computers: “At the end of 2021, we have seen that post-quantum cryptography (PQC) has gone from a theoretical computer science problem to a matter of urgency. Within the space of a week, the US Department of Homeland Security announced that quantum-safe encryption was a priority and a Chinese laboratory demonstrated a quantum computer that is tens of millions of times more powerful than the fastest conventional supercomputer.
“What’s more, IBM announced its ‘Eagle’, a working quantum computer with 127 quantum bits (or ‘qubits’). This, and the developments that are going to follow, will hopefully spur more organisations to look into what post-quantum security means for them and develop plans around it.
“If your company hasn’t implemented quantum-resistant security yet, then how can you go about it? Because the threat is perceived to be at an indeterminate point in the future, and we still don’t know exactly what quantum computers will be capable of, it can be daunting to transition an organisation to quantum-resistance, and even more difficult for security professionals to persuade management that it is a priority when current cybercrime threats are so pervasive.
“However, what is often overlooked is that data that is encrypted today and needs to remain confidential could potentially be revealed in seconds, as soon as quantum computers are able to break today’s encryption. Threats to digital signatures are similar. Thus, there is a need to assess the risk and act now to prepare the organisation, using methods like crypto agility to protect against the looming threats to data security in a quantum computing age.
“We will see more discussion around this topic from within the security industry, and this will hopefully spread to our customer base and to companies around the world. Over the next year, we and our peers will be looking to push the conversation around PQC forward, showing how it’s something that needs to be addressed this year, not when quantum computers become a commercial reality. We are aiming to show how this is not an insurmountable problem, but that updating cryptography is a task that existing cybersecurity companies can address.”
Although James Bore, the founder of Bores Consultancy, somewhat agrees with Gerhardt’s concerns around the threat of quantum computers, he predicts that the structure around security responsibility is going to see the most change: “We’re going to see a lot of talk about new technology, a lot more on AI/ML and quantum encryption, but these are largely about marketing rather than genuine innovation.
“Where I’m really seeing the potential for innovation is around the approaches to training and ownership of security. During 2022 I’m expecting to see security responsibility moving more and more towards a distributed model where everyone in an organisation is taught to understand and own their own risk rather than being taught that security is a problem only for the security department.”
Reiterating James’s vision of a more holistic approach to the situation, Elad Sherf, Global Head of Defence at Performanta, argues that companies should look to utilise their existing arsenal of tools in a pragmatic way to fight the growing number of cyberthreats: “Often most of an organisation’s security is fit for purpose, but not being utilised correctly. Innovation in 2022 lies in how tools are used rather than what they are. Security leaders need to be asking what their existing security tools and processes are and how they can best be used to protect their organisation.
“Innovation is too often associated with buying shiny, new tools. I would argue that organisations need to adopt a more creative stance in order to be innovative, rather than just buying the latest product to hit the market. While quality tools and technologies are important, they should be seen as a starting point.
“In 2022 and beyond, organisations need to look back at their existing infrastructure and bring tools together in a sensible, pragmatic way and where external help is needed look to find a partner that can work with their business to achieve their security goals. This is how businesses should innovate in 2022 and how they’ll stand apart from the rest.”
Interestingly, Fusion Risk Management’s Director of Cybersecurity Safi Raza echoes the importance of company-wide responsibility and the capabilities of AI in stalling oncoming attacks: “In 2022, businesses will face a greater expectation of accountability in minimising risk as underwriters have grown a lot more aware of what kind of risk controls make effective cyber programmes. They will need to evidence to the cyber insurance provider that they have robust and structured processes and policies to prevent a breach as much as possible.
“To ensure businesses are secure, AI integration, machine, and deep learning systems will become more popular for businesses to protect their data. It is no secret that humans are the weakest link in the data security chain. AI has increasingly become a critical technology to filter out false-positive alerts, analyse user behaviour and examine the massive amount of data to discover anomalies. Zero trust access will likely become increasingly widespread as a secure option to control remote access to specific applications and network resources. The Zero-Trust security model assumes that a breach has probably already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.
“We will likely also see an increase in the adoption of next-generation firewalls. Utilising Firewall as a Service (FWaaS) has helped fortify the digital parameters and forced hackers to alter their attack methods. The truth is that most sophisticated IT security and anti-phishing tools are not 100 per cent effective. Annual security awareness training and periodic phishing campaigns are no longer enough. Creating a security-focused culture, frequent interactive cyber security exercises and games, security ambassador programmes, lunch and learn events, etc., helps spread awareness. It is essential that employees feel comfortable reaching out to the information security teams for any anomaly they have noticed without feeling embarrassed if the alert turns out to be false-positive.”
Although skill shortages are crippling the fintech industry, as Bronwyn Boyle, Chief Information Security Officer at Mambu points out, this could actually be a significant turning point for cybersecurity, and one of the main drivers behind the innovation we can expect to see this year: “The ‘Great Resignation’ and ‘War on Talent’ are particularly relevant to the cybersecurity industry. We’re facing a huge skills gap, with statistics suggesting a shortage of over four million cybersecurity professionals worldwide. As a result, we’re likely to see a shift toward greater automation of tasks in 2022 to reduce the burden on already stretched teams, increasingly being asked to do more with less.
“This skills shortage is encouraging innovative approaches to the recruitment and training of cyber professionals, especially in the development of technical expertise. Innovative learning platforms are helping accelerate the acquisition of new and transferable security skills, while changing attitudes to professional certifications are helping lower barriers to entry. The shrinking talent pool is having a positive effect, by encouraging the industry to be more welcoming of those from non-technical or non-traditional backgrounds. This includes being more open to considering candidates with transferable soft skills, experience in different sectors and, importantly, untapped talent in previously overlooked demographics – helping to stimulate diversity and equality. Over the next 12 months, we’re likely to see the most radical innovation yet in how we source, train, attract and retain talent.
“From a tech perspective, we’ll continue to see more aggressive strains of malware and viruses, and of ransomware-as-a-service which continues to lower barriers to entry for bad actors. Further innovation in cross-industry sharing of intelligence and collective organisational responses will help bolster defences. With cybercriminals now targeting managed service providers for maximum spread and impact, this heightened risk will necessitate a more coordinated global response in 2022. The pervasive impact of the recent Log4Shell vulnerability, threatening the entire internet, is a stark reminder of the risks associated with open source software; the extent of this meltdown is likely to drive further innovation in 2022.”
Simon Eyre, CISO at Drawbridge, points out that developers are increasingly adhering to the changing cybersecurity demands of increasingly remote workforces, and that this is set to be a major feature in the innovations of the coming year: “The monetisation of cyber-attacks will continue to drive attack execution in 2022. We’ll see additional data exfiltration and data leak threats as more sophisticated ransomware attacks garner sharp scrutiny from governments and concern from businesses.
“Aside from the reputational damage such attacks can create, businesses now realise these escalating incidents can also significantly impact privacy and/or intellectual property and have a cascading effect on their broader client and partner ecosystems. The key here will be extending traditional technology from a fixed perimeter environment (like the Office) out to hybrid working environments. We see this via more functional endpoint monitoring and vulnerability management that’s capable of extending itself out of the corporate network.
“As more businesses move their technology to public cloud platforms, SaaS, PaaS, and IaaS, the SOC teams are having to monitor an increasing footprint of logs and events that can be a challenge to reconcile. In order to correlate those events, SIEMs are becoming more ‘aware’ of these platforms and intelligently relating events from one SaaS application to others such as public cloud email and file services. These next-generation SIEM solutions in conjunction with Security Orchestration, Automation, and Response (SOAR) will become more mainstream for SME businesses too.
“Cyber Technology can extend itself outside of the traditional SOC team and into the hands of Compliance, HR, and Risk Assessment teams too. With supply chain attacks of vendors (particularly technology suppliers) becoming a real-world risk for businesses, systems and services that allow the monitoring of vendor and Internal risk management will be a key tool. Utilising a platform for risk management allows multiple departments to work in conjunction and tackle business risk efficiently.”