You are on page 1of 44

Information security

Revolution or evolution?
Information Security 2020

Prepared by

pwc
Revolution or evolution?

Contents
About this roadmap 01
Executive summary 02
1 Infrastructure revolution 08
2 Data explosion 12
3 An always-on, always-connected world 16
4 Future finance 20
5 Tougher regulation and standards 24
6 Multiple internets 28
7 New identity and trust models 32
What does this mean for my organisation? 36

About the Technology Strategy Board About PricewaterhouseCoopers LLP


The Technology Strategy Board is a business-led executive non-departmental public body, PricewaterhouseCoopers LLP provides industry-focused assurance, tax and advisory
established by the Government. Its role is to promote and support research into, and services to build public trust and enhance value for our clients and their stakeholders.
development and exploitation of, technology and innovation for the benefit of UK business, More than 163,000 people in 151 countries across our network share their thinking,
in order to increase economic growth and improve quality of life. experience and solutions to develop fresh perspectives and practical advice.
Revolution or evolution?

About this roadmap


This roadmap was commissioned by the Technology Strategy Board and jointly
prepared with PricewaterhouseCoopers LLP (UK).

The purpose of this roadmap is to set We subsequently held a workshop with Chatham House, Cisco, Credit Suisse,
out the drivers that will shape the future over 40 experts to validate the trends Cyveillance, De Montfort University,
Information Security environment to and explore them in further detail. Digital Systems Knowledge Transfer
2020 and beyond. This roadmap is to Network, European Information Society
The research focuses on the commercial
inform business leaders and security Group, Garlik, Hewlett Packard, IBM,
aspects of Information Security, but
professionals alike, and sets out potential IdenTrust, Information Commissioners
remains cognisant of trends in cyber 1
future scenarios and issues around Office, Information Security Forum,
security and warfare for military and
information security, allowing the reader Kaspersky Lab, Lloyds of London,
intelligence applications. Our research
to draw implications and conclusions that McAfee, Methods Consulting, National
primarily illustrates trends in the UK
apply to them. Grid, Ministry of Defence, Nokia,
Information Security market, but the
Office of Cyber Security, Oracle,
In preparing this roadmap we interviewed implications are relevant globally.
PGP Encryption, QinetiQ, Queens
over 35 leading Information Security
We would like to thank the following University, Royal Holloway University,
experts and business leaders across the
organisations for their participation RSA, Security Innovation & Technology
private sector, academia and government
in the research: AstraZeneca, BBC, Consortium, Skype, Symantec,
to determine the key trends that are likely
Birmingham University, British Technology Strategy Board, Travelex,
to impact Information Security to 2020.
Business Federation Authority, BT, Trend Micro, as well as several others
who would prefer to remain anonymous.
Revolution or evolution?

Executive summary
2

Information Security is a much broader concept than technology. It relates to


protecting information and information systems from unauthorised access, use,
disclosure, disruption, modification or destruction. As the volume of information
grows and continues to be increasingly stored and communicated in electronic
form, Information Security is rapidly becoming intertwined with technology, and
more specifically, the internet. This has given rise to the term Cyber Security and
for it to be used interchangeably with Information Security.

This roadmap is for business leaders and security professionals alike, and sets
out potential future scenarios and issues around Information Security, allowing the
reader to draw implications and conclusions that apply to them.
Revolution or evolution?
3

Information Security, whilst being a globalisation, climate change, regulation has been a key aspect of Information
very current and topical issue, is also and evolving demographics. These Security in recent years, but increasingly,
an emerging sector that is undergoing will present opportunities and risks for organisations are realising that processes
significant change. The main suppliers organisations in dealing with Information and people are overlooked components
shaping the Information Security industry Security issues, and also companies when developing holistic approaches
are a converging group of technology providing Information Security products to Information Security. By 2020, there
vendors, system integrators, consultants and services. There is likely to be a may be a reversion to technology being
and aerospace & defence companies. greater degree of segmentation within the the key strand to Information Security,
The available market research does not Information Security market in the future driven by significant increases in the
provide a consensus on the size of the as suppliers specialise to meet the needs volume of data, speed of processing
IT security market, the best proxy for the of specific groups. For example, the and communication technology, and
Information Security market. The range rising importance of Information Security the emergence of more complex and
of market research suggests that the IT in the healthcare sector as services are automated threats.
security market is worth approximately increasingly provided electronically is
4-5bn per year in the UK and is likely to drive specific regulatory and
growing strongly. technology requirements.

Over the next decade, Information Information Security is often considered


Security requirements will be driven by to have three components; technology,
various macro level factors, such as processes and people. Technology
Revolution or evolution?

The research identified seven interrelated and fibre optic cables and wireless Regulation and standards will be
key trends that are likely to drive change networks are enabling faster static and important drivers of Information Security
in Information Security through to 2020 mobile broadband access. By 2020, over the next decade, but will need to
and beyond see diagram overleaf. ubiquitous devices will seamlessly and keep pace and evolve as technology and
The first three trends relate to changes automatically interact with other devices its uses develop. There is likely to be
in technology, whilst the following three around them, adapting functionality to increasing pressure towards regulation
trends reflect changing patterns in how their local environment and other objects in information security, with privacy and
people use technology and the internet. in their proximity. consent being a key driver.
Finally, trust and identity are universal
The volume of private information being Proving identity and establishing trust are
themes which are intertwined with many
shared has escalated significantly over two of the greatest challenges identified
of the prior trends. These trends have
the last decade, particularly driven by in the research. In 2020 as people
implications for organisations of all
social networking, and this is likely to spend an increasing proportion of their
sizes, individuals, governments and the
continue. Additionally, the volume and time online, identity becomes a greater
Information Security industry.
value of transactions through electronic challenge because fewer interactions
The building blocks of modern channels is expected to continue to rise. will be face-to-face, a greater volume
communication technology are rapidly These trends suggest that cyber criminals of private information may be available
evolving and we see this change all will increasingly be willing to invest online and new technologies could make
around us. Televisions are blurring further resources in developing more it easier to impersonate individuals.
with computers, feature rich mobile sophisticated attacks.
devices are becoming more prevalent
5
Revolution or evolution?
Key trends impacting Information Security to 2020
Increase in penetration of high speed broadband and wireless networks
Centralisation of computing resources and widespread adoption of cloud computing

1
Proliferation of IP (internet protocol) connected devices and growth in functionality
Infrastructure
Improved global ICT (Information and Communications Technology) infrastructure enabling greater outsourcing
revolution Device convergence and increasing modularisation of software components
Blurring work/personal life divide and Bring Your Own approach to enterprise IT
Evolution in user interfaces and emergence of potentially disruptive technologies

Greater sharing of sensitive data between organisations and individuals

2
A significant increase in visual data
More people connected globally
Data explosion
Greater automated traffic from devices
Key longer term drivers A multiplication of devices and applications generating traffic
A greater need for the classification of data

Globalisation

3
An always-on, Greater connectivity between people driven by social networking and other platforms
Increasingly seamless connectivity between devices
always-connected
Increased focus on climate change Increasing information connectivity and data mining
world Increased Critical National Infrastructure and public services connectivity

Shifting global economic centres

4
Rising levels of electronic and mobile commerce and banking
Changing demographics Future Development of new banking models
finance Growth in new payment models
Emergence of digital cash
Increasing regulation / governance

Increasing reliance on technology

5
Tougher Increasing regulation relating to privacy
and information regulation
Increasing standards on Information Security
Globalisation and net neutrality as opposing forces to regulation and standardisation
and standards
Changing attitudes towards privacy

Evolving work / home balance Greater censorship

6
Political motivations driving new state/regional internets
Multiple internets New and more secure internets
Closed social networks
Growth in paid content

7
New identity The effectiveness of current identity concepts continues to decline
and trust Identity becomes increasingly important in the move from perimeter to information based security
models New models of trust develop for people, infrastructure, including devices, and data
Revolution or evolution?
6

The research indicated that there is effective Information Security in place the organisation in the form of increased
a need for a proactive approach to could increasingly attract consumers to spending on Information Security
Information Security from all stakeholders use their products/services. Information solutions, loss of intellectual property,
given the rising complexity and volume Security could also provide opportunities loss of market share and hence income,
of threats. to sell products/services through new and damage to its brand.
channels or interact with customers in
Organisations should ensure that In the second scenario, the organisation
new ways that are not possible today due
approaches to Information Security takes a more proactive approach
to concerns about privacy and consent.
are holistic and consider technology, to Information Security. It invests in
processes and people. Approaches need Organisations need to consider both Information Security solutions and
to adapt to rapidly changing threats the potential benefits and costs of benefits from greater trust from its
and technology, and also to changes in their approach to Information Security customers and gains in market share,
regulations and standards. However, it is with a holistic approach like the Total higher price points relative to its peers
important that organisations also focus Lifecycle Cost of Information Security and agility in adapting its Information
on aspects of Information Security that model shown overleaf. This illustration Security approach to market changes.
are not necessarily driven by regulation demonstrates the potential long term
In this example, the organisation could
and standards, for example, protecting impact of two different approaches to
be replaced with an industry, country or
commercially sensitive information or Information Security.
even a region.
intellectual property.
In the first scenario, the organisation
Increasing focus on Information does not have an appropriate approach
Security could also provide competitive to Information Security. It then suffers
advantage. Organisations that have from an event which causes cost to
Revolution or evolution?

There are many uncertainties with respect


Figure 1: The cost of inaction two illustrative scenarios for an organisations approach to Information Security
to how Information Security will evolve
over the next decade. However, it is
Total Lifecycle Cost of Information Security

certain that new Information Security


requirements will require businesses to
Reactive approach
innovate to develop new products and
services. This will provide opportunities
Cost of inaction both for businesses, to develop new
Proactive approach business models and generate competitive
advantage and for financial investors alike.
It will also stimulate economic growth
through consumption and exports, and
make the UK a safer place to do business.
Key event
Are you up to the challenge?

2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020

Definition Lifecycle costs


Total Lifecycle Cost of of deploying and Reputational Intellectual Operational Financial impact
Information Security = operating security + value + Property value + effectiveness + of incidents
solutions

Hardware / Brand volume R&D information Productivity Direct financial


software solutions Customer Customer Ability to service loss from attack
Training satisfaction/ databases customers
Consultancy costs confidence Competitive Cost to serve
People costs information customers
Revolution or evolution?

one
8

Infrastructure revolution
The changing building blocks of electronic communication

The research identified that by 2020, communication infrastructure is likely to evolve in a number
of ways:
Increase in penetration of high speed broadband and wireless networks
Centralisation of computing resources and widespread adoption of cloud computing
Proliferation of IP (internet protocol) connected devices and growth in functionality
Improved global ICT (Information and Communications Technology) infrastructure enabling
greater outsourcing
Device convergence and increasing modularisation of software components
Blurring work/personal life divide and Bring Your Own approach to enterprise IT
Evolution in user interfaces and emergence of potentially disruptive technologies
Revolution or evolution?

The building blocks of modern and reliability of services, data privacy, The proliferation of IP connected
communication technology are rapidly data classification and access, and devices, ubiquitous wireless high speed
evolving and we see this change all compliance with regulatory requirements. broadband and growth in automated
around us. Televisions are blurring connectivity between devices will
with computers, feature rich mobile increase the number of threat vectors and
The driving force behind the
devices are becoming more prevalent enable attacks from a greater range of
and fibre optic cables and wireless
cloud is economics. You simply devices. These devices include a diverse
networks are enabling faster static and
get better economics from one range of hardware, operating systems
mobile broadband access. This evolved
size fits all. Security concerns, and applications, potentially further
environment has significant implications however, are the key blocker. increasing the number of threats.
for Information Security. Tony Dyhouse, Digital Systems As global ICT infrastructure grows in scale
9 Knowledge Transfer Network
The centralisation of computing resources and performance, greater off-shoring of
is expected to grow significantly over the back office ICT infrastructure may occur
next decade, driven by the requirements The cloud computing concept is in effect, due to cost reduction requirements,
to reduce cost, reduce CO2 impact and the provision of IT as a service such that moving energy intensive equipment to
improve service levels and functionality. storage, processing, software and even regions with cheaper electricity (e.g.
Whilst our research suggested that cloud security are all provided as services. Egypt) or lower cooling requirements (e.g.
computing is overhyped, and it is already This has significant implications for Iceland). This could potentially lead to
here in Facebook, Amazon and Google organisations that adopt this model, greater threats.
for example, our interviews recognised but also for the IT and Information
that businesses have been slow to adopt Security industries which may need to
the cloud due to security concerns. adapt to this new ecosystem with new
These concerns include availability business models.
Revolution or evolution?
10

Continued globalisation driven by an is becoming more apparent in the Smart phones are basically
improved global ICT infrastructure workplace. Home working exemplifies small PCs now, so all the current
will enable collaborative working and the blurring work/personal life dynamic, threats on a PC are simply
provision of remote services through but arguably has been superseded by transferred to the phone.
video links. Virtual healthcare may be a mobile computing of which it is a subset.
reality by 2020 which would imply greater The Information Security challenges Cyber Security Expert
personal information being transmitted associated with mobile devices include
online. There are already examples of loss or theft of the mobile device resulting
Disruptive technologies may radically
X-rays from western hospitals being in exposure of data; interception of
change Information Security over
analysed by Indian radiographers and data that passes over the WiFi or 3G
the next decade. Some of the areas
it is even conceivable that by 2020, the network; capture of data via Bluetooth
identified include quantum computing,
medical practitioners providing virtual connections; and mobile viruses. Whilst
wireless electricity, new man-machine
care might be based outside the UK. these threats exist today, the proliferation
interfaces and the development of new
of mobile devices and how they are
The blurring of personal life and work communication protocols. The wide scale
used will undoubtedly be a key security
has been a trend that has been growing adoption of new collaborative productivity
consideration over the next decade.
in prominence. Already, a bring your tools may also introduce new threats.
own approach to ICT infrastructure
Revolution or evolution?

11
Revolution or evolution?

two
12

Data explosion

Not only is the volume of electronic data at rest and in transit expected to grow rapidly, the
nature of data itself will evolve. Over the next decade, there is likely to be:
Greater sharing of sensitive data between organisations and individuals
A significant increase in visual data
More people connected globally
Greater automated traffic from devices
A multiplication of devices and applications generating traffic
A greater need for the classification of data
Revolution or evolution?

Sharing of appropriate information with In the first scenario, current trends Social networking itself is also likely to
appropriate people or organisations continue and sharing information becomes evolve over the next decade. The user
provides opportunities for new the norm, to the extent that those with bases of Facebook and MSN are still
methods of social engagement, greater low online social presence are perceived growing, but many people, particularly
connectivity with customers and facilitates with suspicion. Alternatively, there may younger people, are increasingly using
collaborative working. However, through be a mass realisation about the threat Twitter and other emerging social
social networking sites, the volume of associated with sharing information which networking platforms. For example,
private information being shared has would drive a more cautious attitude to geolocation based social networks are
escalated significantly over the last decade sharing information. It is likely that if the already gaining traction and may present
and this is set to continue without a future follows the first scenario, social new threats and opportunities.
shock or government intervention through networks will become an even greater
As businesses increasingly work
education and/or awareness campaigns. target for fraudsters.
13 collaboratively, there will be a greater
need to share information electronically.
People are generally In the future we might see This will drive requirements to classify
relatively guarded when they more automated attacks. If you information in order to define what can
meet a new person face-to-face. have a machine that can data and cannot be shared in order to protect
But they seem to suspend this mine from social networking sites, commercially sensitive information and
caution when online. making highly customised, realistic to comply with regulations.
looking threats. There is also likely
Dean Turner, Symantec to be more targeting of high value
individuals or high value groups.
It is unclear how social networking and
peoples attitude towards privacy will Cyber Security Expert
evolve to 2020. In our research, two
potential future scenarios were identified.
Revolution or evolution?
14

Internet traffic and the volume of data


Figure 2: Dawn of the Zettabyte - IP Traffic forecast 2008-2013
stored has grown exponentially over the
last decade, and a recent report by Cisco 60
suggests global IP traffic will quintuple Forecast Mobile Business /
from 2008 to 2013, representing 667 Mobile
exabytes of traffic per year in 2013 (see Business traffic
50
figure 2). This trend is likely to continue Consumer non-IP traffic
to 2020, driven by strong growth in visual
40 Ambient Video
traffic, data exchanged between sensor
Exabytes per month

networks and the increasing penetration Internet Video to TV


of high speed internet globally. Streaming Internet Video to PC
30
visual media is expected to be the Consumer
Internet Video Communications
primary driver of internet traffic growth traffic
over the next decade, through TV, video 20 Internet Voice
on demand, and visual communications.
Internet Gaming
In parallel, increasing autonomous 10 File Sharing
connectivity between IP connected
Web/Email
devices, in combination with growth in the
volume of applications generating traffic 0
is likely to drive strong growth in machine 2008 2009 2010 2011 2012 2013
to machine (M2M) traffic to 2020.
Source: Cisco, 2009
Revolution or evolution?

15

The semantic associations required to


transform data into information, and
information into knowledge creates
additional data in itself, and therefore
greater IP traffic. Towards 2020,
significant growth in the volume of data
may drive requirements for automatic
classification or intelligent tagging.

There are approximately 1.7 billion users


connected through the internet in 2010,
from a global population of 6.7 billion.
The National Science Foundation (a US
agency) has forecast that there will be
almost 5 billion users online by 2020,
a penetration of nearly 70%. Growth
will primarily be driven by developing
regions such as Asia, South Africa
and South America moving online.
This trend coupled with a shift of the
global economic centres to the East
presents significant Information Security
challenges.
Revolution or evolution?

three
16

An always-on, always-connected world

Connectivity is set to increase significantly over the next decade in a number of ways:
Greater connectivity between people driven by social networking and other platforms
Increasingly seamless connectivity between devices
Increasing information connectivity and data mining
Increased Critical National Infrastructure and public services connectivity
Revolution or evolution?

The internet has enabled people to connected mobile devices and innovative Real time, viral communication channels
connect in ways never seen before and communication platforms like Twitter have made it possible for attackers
social networking has emerged as one of have given individuals the ability to to stage high impact attacks against
the defining trends of the current decade communicate, share views and canvass organisations and individuals, or draw
(see Figure 3). opinion in real-time. traffic or media attention through
relatively simple attacks, for example
The internet has given users the means Social networks have created new threat
creating malicious hype around a brand.
to interact with like-minded individuals, vectors including business reputation /
while the combination of always brand damage and social engineering.

Figure 3: Socially Networking Growth in Facebook user base versus population of the UK in 2010
17 700
600
500
Millions

400
300
200
100
0
Aug 2008 Jan 2009 Apr 2009 Jul 2009 Sept 2009 Dec 2009 Feb 2010 2011 2010
Forecast

Facebook UK
Source: Pingdom (2010)
Note: The chart is illustrative of the growth of social networking platforms. It is possible that a new form of social networking may have emerged by 2020.
Revolution or evolution?
18

In 2020, ubiquitous devices will


Figure 4: Proliferation of devices growth of global IP connected devices, 2009-2020
seamlessly and automatically interact
with other devices around them, adapting
functionality to their local environment
50,000
and other objects in their proximity. This Forecast
has been driven by consumer pull to Other Niche Connected Devices, not M2M
45,000
use technology as an enabler to make Machine to Machine (M2M)
everyday tasks easier. 40,000
Broadband Modems
Millions of devices

35,000 WiFi Home Connected Devices


Technology is becoming 30,000 Enterprise DSL Subscriptions
more pervasive and by 2020, Enterprise Switched Access Connections
we will have body area networks, 25,000
Consumer Switched Access Connections
and sensor networks in the house 20,000
and people will be monitored Consumer PC Connections
for health reasons. Everything is 15,000 Digital TV Connections
connecting in a more automated Mobile Consumer Electronics
10,000
manner and in the future you
Cellular Wireless Modems
may have a house that detects a 5,000
Ultra-Mobile Devices
pacemaker in the vicinity, which
doesnt allow the microwave to Wireless Handsets
2009

2010

2011

2012

2013

2014

2015

2016

2017

2018

2019

2020
be activated!

Tim Watson, De Montfort University

Source: Ericsson, ABI, Yankee Group, Strategy Analytics, Berg Insight


Revolution or evolution?

19

The seamless nature of communication Security will become the As ICT permeates into new domains, to have sustainable economic
is likely to be founded on open principles enabler. It will allow individuals including Critical National Infrastructure development for our societies.
to reduce user involvement in managing living in tomorrows collaborative (vital infrastructure assets including We must continue to evolve
connections. It is also likely that world to use any device they communications, energy, finance, etc), security technologies that can
innovation in artificial intelligence will want for all personal or business there is greater potential that Consumer address these realities more
enable devices to make autonomous uses. Virtual business applications Off-The-Shelf (COTS) devices will effectively as well as ensure
decisions on trust when connecting will run on these devices, using interact with bespoke mission critical increased investment in private
and exchanging data with devices and federated security services systems developed specifically for and trusted networks for our
applications. This creates an opportunity provided through the cloud. controlling power plants, cooling systems most critical systems.
for attackers to infiltrate a device by and other industrial equipment.
exploiting the devices trust mechanisms Jason Creasey, Daniel Thanos
without the user being aware. Information Security Forum
Common IT devices
Information is increasingly being used in a with their associated risks will The networked nature of Smart Grids
more connected manner. In the business The emergence of geolocation data increasingly come into contact makes it potentially possible to attack
environment, collaborative working tools presents new marketing opportunities (both directly or indirectly) with the grid itself without the need to target
are increasingly prevalent, while data for businesses, but also raises privacy critical control systems found in power stations, for example.
mining algorithms have been developed issues. This capability is already currently national infrastructures, with a
being used in fields as diverse as national In 2020 it is likely that peoples ability
which correlate data from a growing greater range of communications
security and marketing, and the number to withdraw from the connected world
range of sources to identify patterns and protocols over more readily
of application areas is likely to expand will be reduced and being connected
trends, or to develop detailed profiles on accessible networks both wired
by 2020. will become increasingly necessary to
individuals and groups. and wireless. This is a necessary maintain an active role in society.
reality in order to increase the
capabilities and efficiency of
all of our smart infrastructures
Revolution or evolution?

four
20

Future finance

A significant proportion of cyber crime is financially motivated and key developments in


e-finance over the next decade could include:
Rising levels of electronic and mobile commerce and banking
Development of new banking models
Growth in new payment models
Emergence of digital cash
Revolution or evolution?

E-commerce and m-commerce (mobile By 2020, the degree of physical one example, in which companies like
commerce) have continued to grow interaction between banks and Zopa are bringing together lenders and
despite the impact of the economic their customers may have declined borrowers to transform the borrowing
downturn as consumers have been drawn significantly and new banks may emerge industry. If dominant social networking
to the lower prices and the convenience without any customer facing physical platforms like Facebook were to move
of shopping online. In fact, recessions presence, building on the success of into the financial services industry by
can accelerate this trend as we saw companies like Egg and First Direct. leveraging their growing user base, it
media companies like Zavvi go into Increased e-banking and m-banking could revolutionise the industry because
administration during 2008. will enhance the need for strong identity the traditional banking system has been
management and authentication. shaped by the underlying need for trust,
As the volume and value of transactions
and the need for a third party to evaluate
through these channels continues to Internet growth and social networking
and price risk.
21 rise, it is likely that cyber criminals will has enabled greater connectivity
be willing to invest further resources in between individuals, which is bringing
developing increasingly sophisticated innovative new e-commerce and banking
attacks. models. Peer-to-peer social lending is
Revolution or evolution?
22

The concept of a cashless society has


Figure 5: Dash from Cash Consumer payments by value, 2003-2013
been discussed for some time and the
emergence of contactless payment Forecast
systems like the Visa Paywave and 100% 3% 3% 3% 2% 2% 2% 2% 2% 1% 1%
4%
Mastercard Paypass may accelerate 11% 11% 12% 12% 12% 13% 13% 14% 14% 14%
90% 10%
the trend, particularly given the Electronic direct/
phasing out of cheques by 2018 in the 80% Automated Clearing
UK. Many experts believe that these House transactions
70% 33% 32% 31% 30% 29%
technologies are merely the forerunner 39% 38% 36% 34%
Paper Cash
44% 42%
to mobile phone wallets with Near Field 60%
Communication capability. This could Card payment
50%
%

give rise to a range of new security risks transactions


as it becomes possible to steal money (excluding commercial)
40%
without the target even being aware of
the attack. 30%
56%
52% 53% 53% 54% 55%
46% 48% 50%
42% 44%
20%

10%

0%
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Source: Euromonitor
Revolution or evolution?

23

Cash remains a popular choice for


consumers (see figure 5) and by 2020,
there is the possibility that digital cash
will have been developed, with the
benefits of electronic payments, but with
the privacy of cash.

There is demand for


anonymous electronic payments.
There is no current equivalent to
cash and even the new contactless
payment cards leave a paper trail.
Cyber Security Expert

Interestingly, the advantages associated


with the non-traceability of digital cash
also create new challenges. For example,
by reducing the traceability of cash
and making it more difficult to prove
theft, it reduces the risk associated
with an attack.
Revolution or evolution?

five
24

Tougher regulation and standards

Regulation and standards will be important drivers of Information Security over the next
decade, but will need to keep pace and evolve as technology and its uses develop. There
appear to be three key themes that could impact Information Security over the next decade:
Increasing regulation relating to privacy
Increasing standards on Information Security
Globalisation and net neutrality as opposing forces to regulation and standardisation
Revolution or evolution?

Over the next decade, it is likely there will Commission today said it wants to create Privacy will be profoundly
be increasing pressure towards regulation a clear, modern set of rules for the whole shaped by companies desires
in Information Security, with privacy being EU guaranteeing a high level of personal to share information for business
a key driver. The European Commission data protection and privacy, starting with intelligence and derive revenue
highlighted the challenges succinctly in a a reform of the 1995 EU Data Protection from direct and interactive
recent statement: Directive. marketing, the increasing inclusion
Our privacy faces new challenges: This trend is also apparent in the US of specific security controls in
behavioural advertising can use your where the State of Massachusetts privacy laws, and the changes
internet history to better market recently enacted a new law on Data and investment in healthcare
products; social networking sites used Breach Notification, mandating that local information used and the advent
by 41.7 million Europeans allow personal businesses be proactive in protecting of electronic health records.
25 information like photos to be seen by residents personal information.
Jim Koenig,
others; and the 6 billion smart chips used PricewaterhouseCoopers LLP (US)
In terms of focus areas, the future
today can trace your movements.
challenges around privacy may well
It also indicated that regulatory form be defined by corporate organisations
would be required: and increased marketing sophistication
as well as developments in health
With the Lisbon Treaty and the Charter
information technology.
of Fundamental Rights now in force, the
Revolution or evolution?
26

Regulation is likely to be a key driver to be homogeneously applied across authority to require broadband providers
for ensuring security of Critical National all jurisdictions. By 2020, the volume to give equal treatment to all Internet
Infrastructure (CNI) given that in many of internet users will be greater in Asia traffic flowing over their networks. This
countries, this is either part or entirely than any other region on Earth. It is not was considered a big victory for Comcast
privately owned and operated. clear whether the West is going to be a Corp., the USs largest cable company,
leader or follower on Information Security although advocates of an open internet
In addition to developments around
and what the implications will be for consider this to be a major setback.
privacy, there is also a parallel drive
Information Security in 2020.
towards standardisation of Information One potential consequence of removing
Security in areas such as reporting of A second adverse factor is the concept net neutrality would be that network
threats and threat levels, software patch of net neutrality, the broad principle that carriers would be able to charge websites
management and software development all traffic must be treated equally by depending on traffic volumes and traffic
processes and testing. network carriers, without any restrictions priorities. However, there remains a large
or priorities being placed on content. community that supports the concept of
However, there are likely to be opposing
net neutrality and whilst it is not yet clear
forces to these mechanisms of adding In a very recent high profile case, the
how this area will develop going forward,
control and structure to information and U.S. Court of Appeals for the District of
it is likely to have implications
the internet. Globalisation will make it Columbia ruled that the FCC (Federal
for Information Security.
difficult for standards and regulation Communications Commission) lacked the
Revolution or evolution?

27
Revolution or evolution?

six
28

Multiple internets
Will one size fit all?

The internet may multiply over the next decade. There are a number of trends that could
potentially lead to segmentation of the web:
Greater censorship
Political motivations driving new state/regional internets
New more secure internets
Closed social networks
Growth in paid content
Revolution or evolution?

In some respects, the internet has There is potential for a future divide The secure web may require users to
already divided, with the global open around a secure and non-secure internet. be running specific secure software, to
internet and then the censored internet The secure zone is likely to be established have firewalls and other security in place,
in countries like China, Cuba, Iran, by enterprises as they become frustrated and to encrypt traffic to predetermined
Saudi Arabia and North Korea. In Saudi with the volume of extraneous data and standards. This would primarily be
Arabia for example, all international threats online, particularly if it limits the driven by the need for secure financial
internet traffic is directed through a ability to do business effectively with transactions and to facilitate secure
proxy farm which filters immoral and customers. Businesses may be willing to mobile working. In many ways this is
political content. Another example is the pay a premium for guaranteed availability an extension of the approach many
Golden Shield Project in China which and security. businesses already adopt, which forces
blocks predefined IP addresses, thereby users to identify themselves to the
controlling viewable content. enterprise network and apply security
29 In the future, there may be a
standards like encryption and multi-factor
The politically motivated development centralised agency overseeing the authentication.
of parallel networks is an emerging internet law enforcement function.
challenge and there has been speculation There may even be two levels of However, this goes against the founding
recently about China and Russia the internet the policed bit and principles of openness for the internet
developing alternate internet routes the anarchic bit. and many of the benefits of the internet
that bypass the ICANN (Internet are derived from its ability to connect
Corporation for Assigned Names and Julia Harris, BBC everyone, so there is a strong case
Numbers) system the webs global against this divide.
address book.
Revolution or evolution?
30

I dont think the multi-zone within social groups may increasingly requiring premium access. This drives a
internet will happen because most define our lives and online experience, divide between those who can afford to
people dont care about privacy resulting in a societal divide. This has the pay for trusted sources and those who
or secure networks, they want an potential to drive targeted attacks against revert to free, potentially non-trusted
omnipresent one. A secure web specific social groups. sources. Increased media hacking
would also create a bigger target and social media hacking, if targeted
The internet provides individuals with
at certain groups, could in effect be a
Tony Dyhouse, Digital Systems access to a wealth of information of
disguised form of censorship.
Knowledge Transfer Network differing qualities through providers
ranging from online broadsheet
newspapers through to Wikipedia
Social networks are by definition and Tweets. Trusted, quality providers
exclusionary, and given the defining typically have higher costs and although
role social networks play in shaping the many have provided information for free
development of the internet, participation to date, quality content is increasingly
Revolution or evolution?

31
Revolution or evolution?

seven
32

New identity and trust models

Identity and trust are key concepts to all aspects of Information Security and will be
increasingly important over the next decade as:
The effectiveness of current identity concepts continues to decline
Identity becomes increasingly important in the move from perimeter to information
based security
New models of trust develop for people, infrastructure, including devices, and data
Revolution or evolution?

The concept of proving digital identity is accessed today using usernames You cant just assume
one of the greatest challenges identified and passwords, secret questions and that an eye scan offers better
in our research. In 2020 as people personal information. However, personal protection than a username and
spend an increasing proportion of their information that has traditionally been password. The scan can still be
time online, identity becomes a greater used for identification purposes is no manipulated by a hacker, who may
challenge because fewer interactions longer personal. Social networking try to switch out the master scan
will be face-to-face, a greater volume websites abound with personal data and with their own. If you go to DNA
of private information may be available social engineering is increasingly being identification, then people will get
online and new technologies could make used to steal identities. blood samples from hospitals.
it easier to impersonate individuals.
Systems likely to proliferate in the future Every lock has a key.
Typical mechanisms for authenticating will demand multi-factor authentication.
James Carnell, Cyveillance
33 and verifying identity include passports, These solutions may raise the security
birth certificates, driving licences and hurdle but are unlikely to solve the
biometrics (such as finger print and problem entirely and need to take
iris recognition). Electronic systems account of the privacy and consent of
and personal accounts are generally the user in their design.
Revolution or evolution?
34

The research suggests that over the next Cloud Computing as an likely to be the model of choice over People are naturally very
decade, the concept of identity and its enabler for business will live or the next decade as it avoids putting all good at making judgements
usage will evolve. With the increasing die by identity management. the eggs in one basket, providing an about trust from visual cues,
adoption of cloud computing, security attractive target to criminals. This model voice, background information
increasingly becomes data centric as Bruce Elton, Oracle provides convenience, but does not etc. But its not easy to adapt
opposed to perimeter based. address the issue of identity. these to make trust judgements
So who will hold peoples identities in An interrelated concept to identity is when interacting with people
Historically the approach the future? The OpenID concept is an trust. Various mechanisms have been over technology or about
has been outside in with example of how identity management developed to provide trust online devices themselves.
multiple layers of security. This may evolve over the next decade. The including the eBay feedback model,
service is free and acts as an aggregator Cyber Security Expert
model does not work in the the friend-of-a-friend concept and the
virtualised environment and so of information enabling a user to access VeriSign seals of approval. These models
a new inside out approach is multiple websites that support the service are primarily for human-to-human trust, New models of trust are needed. There
using a single username and password. are two likely approaches to this; either
emerging. The machine must be but with increasing connectivity, there
The concept relies on the user trusting the system will need to present the user
self-defending. is an increasing need for humans to
the provider of the OpenID service. trust technology, technology to trust with a statement about the level of trust,
Rik Ferguson, Trend Micro Example providers of OpenID include technology, and even technology to trust or it will present the user with the cues to
Google, Yahoo, Orange and Myspace. humans as devices increasingly act on make the trust judgement themselves.
A federated model of trust appears more behalf of individuals.
Revolution or evolution?
35
Revolution or evolution?

What does this mean for my organisation?


36

The developments in Information Security over the next decade are likely to have
far reaching impact on organisations. There are some key questions to consider
about how change in Information Security over the next decade could impact
your organisation.
Revolution or evolution?
37

The world has changed and will Organisations should ensure that use their products/services. Information
continue to change. UK organisations approaches to Information Security Security could also provide opportunities
depend upon reliable and accurate are holistic and consider technology, to sell products/services through new
information provided by electronic processes and people. Approaches need channels or interact with customers in
systems to make critical decisions about to adapt to rapidly changing threats new ways that are not possible today due
almost every aspect of their business. and technology, and also to changes in to concerns about privacy.
The dependence upon these systems regulations and standards. However, it is
There are some key questions to consider
which deliver services to UK business important that organisations also focus
about how changes in Information
and society is greater than it has ever on aspects of Information Security that
Security over the next decade could
been and is set to increase in the coming are not necessarily driven by regulation
impact your organisation.
years. What we do to increase either and standards, for example, protecting
Information Security and resilience of commercially sensitive information or
these systems is down to us. intellectual property.

The research indicated that there is Increasing focus on Information


a need for a proactive approach to Security could also provide competitive
Information Security from all stakeholders advantage. Organisations that have
given the rising complexity and volume effective Information Security in place
of threats. could increasingly attract consumers to
Revolution or evolution?
38
Revolution or evolution?
39

Key questions on how the trends in this roadmap could impact my organisation

Have you clearly identified what information is most valuable to your business and which
Information Security issues

How do you identify and measure Information Security


Organisations dealing with

information is most at risk?


related risks and compare them with other business risks?
Have you effectively embedded good Information Security behaviours into your
How will your organisations business model evolve in the organisations culture?
future, and what Information Security opportunities and
risks will this present? Are you aware of what events may cause your business to lose its trusted status?
How are these being mitigated?
How will you ensure compliance with Information Security
regulations and standards, whilst not losing sight of other
important Information Security issues? ive
ut
1 Ch
ief
Do you understand the dependency you have on trading partners and do
you have measures in place to ensure the security of information flows?

ec rs T Will any of the issues identified in this roadmap impact your


Of ech
Does Information Security present opportunities to x
E e fic no
immediate Information Security strategy, and your plans for the
gain competitive advantage? ef ic
C hi Off er log
s
next 5-10 years?
y

2
Are there opportunities and risks relating to
Information Security for the businesses in your
5 Where should R&D spending be prioritised?
What is likely to be the greatest threat to customers over
the next decade?
current investment portfolio?
Inve How will your organisations business model evolve in the
How will the trends identified in this roadmap

rs
future, and what Information Security opportunities and

plie
change the technology and Information Security
risks will this present?
stor
industries value chains?

Sup
Where should the line be drawn between user education
Other key stakeholders

How will business models across all industries


s

and automated security solutions?


evolve due to the trends in this roadmap? What
does this mean for future investments? Are attitudes to security likely to change, placing a greater
What are the right technologies to invest in and
when is the right time to invest? 4 Governments
3 emphasis on secure development over speed to market?
How will security solutions need to change over the next
decade to respond to trends identified in this research?

Is there a need for greater Information Security regulation? If so, what is the best approach and
what is the right time for change?
How can the Government ensure Information Security regulation is consistent with other countries?
Is greater investment required in the Information Security industry or in Information Security skills?
What are the medium term risks to the UK and the UKs wider interests of not taking a leading position
in Information Security?
Is regulation effective given the pace of change in technology and peoples use of technology?
Revolution or evolution?
40

We would like to thank the following people for their support with the research:

Name Organisation Name Organisation


Paul Simmonds AstraZeneca Marcus Alldrick Lloyds of London
Stephen Bonner Barclays William Cole McAfee
Julia Harris BBC Greg Day McAfee
Mark Ryan Birmingham University Luke Forsyth McAfee
Patrick Curry British Business Federation Authority Julia George Methods Consulting
Robert Nowill BT David Ferbrache MoD (Cyber & Influence Science & Technology Centre)
Dr Robert Ghanea-Hercock BT Labs Mr Jessaji Odedra MoD (Development Concepts and Doctrine Centre)
David Livingstone Chatham House Dr Robert Coles National Grid
Dr Paul Cornish Chatham House Jussi Jaakonaho Nokia
Paul King Cisco Steve Marsh Office of Cyber Security, Cabinet Office
Neil Todd Credit Suisse Bruce Elton Oracle
James Carnell Cyveillance Jamie Cowper PGP Encryption
Dr Tim Watson De Montfort University Jim Koenig PricewaterhouseCoopers LLP (US)
Roy Isbell De Montfort University / PragmaticDefence Andy Hodgson QinetiQ
Tony Dyhouse Digital Systems Knowledge Transfer Network Dr Godfrey Gaston Queens University
Philip Virgo European Information Society Group (EURIM) Fred Piper Royal Holloway, University of London
Steve Harris Garlik Andrew Moloney RSA
Daniel Thanos GE Digital Energy Paul Osborne Security Innovation and Technology Consortium
David Pym Hewlett Packard Adrian Asher Skype
Martin Borrett IBM Dean Turner Symantec
Stephen McCartney Information Commissioners Office James Gay Travelex
John Bullard IdenTrust Paul Little Trend Micro
Andy Jones Information Security Forum Rik Ferguson Trend Micro
Jason Creasey Information Security Forum Neil Morgan Technology Strategy Board
David Emm Kaspersky Lab
And several others who prefer to remain anonymous.
Revolution or evolution?
41
For further information about this roadmap contact:

Andrew Tyrer Neil Hampson


Leader, Network Security Innovation Platform Partner, Strategy
Technology Strategy Board PricewaterhouseCoopers LLP (UK)

andrew.tyrer@tsb.gov.uk neil.r.hampson@uk.pwc.com

Paul Lewis Barry Jaber


Lead Technologist, Network Security Innovation Platform Assistant Director, Strategy
Technology Strategy Board PricewaterhouseCoopers LLP (UK)

paul.lewis@tsb.gov.uk barry.n.jaber@uk.pwc.com

William Beer
Director, OneSecurity
PricewaterhouseCoopers LLP (UK)

william.m.beer@uk.pwc.com

We would also like to acknowledge the contribution of Greg Bacon (PwC),


Jason Creasey (ISF) and Andrew Wilson (PwC).

This report has been prepared by the Technology Strategy Board together with PricewaterhouseCoopers LLP, UK (PwC) for Technology Strategy Board under the terms of the
engagement contract with PwC dated 31st March 2010 (the Engagement). This report is for general guidance on matters of interest only, and does not constitute professional
advice. You should not act upon the information contained in this report without obtaining specific professional advice.

This report contains information obtained or derived from a variety of sources (as indicated within the report). PwC has not sought to establish the reliability of those sources or
verified the information so provided. Accordingly no representation or warranty of any kind (whether express or implied) is given by PwC to any person (except to the Technology
Strategy Board under the relevant terms of the Engagement) as to the accuracy or completeness of the information in this report.

PwC accepts no duty of care to any person (except to the Technology Strategy Board under the relevant terms of the Engagement) for the preparation of the report. Accordingly,
regardless of the form of action, whether in contract, tort or otherwise, and to the extent permitted by applicable law, PwC accepts no liability of any kind and disclaims all
responsibility for the consequences of any person (other than the Technology Strategy Board on the above basis) acting or refraining to act in reliance on the report or any
information contained in the report or for any decisions made or not made which are based upon this report or information therein.

The quotes in this report reflect the views of the individuals and are not necessarily the views of their organisations.
For information on the Technology Strategy Board: www.innovateuk.org
For information on PricewaterhouseCoopers LLP: www.pwc.co.uk

Technology Strategy Board, 2010. Publication: T10/037