08.02.20 Compliance

2020-2030: Our predictions on the main trends in cybersecurity and data compliance

After our review of the 2010-2020 decade on the most defining cybersecurity events, we are following up to project ourselves in the future and predict the dominant trends for the 2020-2030 decade.

Rise of cybersecurity and data compliance roles in organisations

IT/OT security to the management board.

A shortage of talent and an increase in responsibilities will raise the value of Information Technology and Operational Technology security professionals in any data-driven organisation.

Every function of an organisation is now affected by cybersecurity: HR with personal information and sensitive personal information (bank details, medical records, ID copies); business development with CRMs hoarding client information; production with ERPs; finance with strategic projections; legal with contracts shared online under revision control.

Cybersecurity and data privacy are no longer just the job of the IT team, secluded from the rest of the operations. The last decade revealed that in the event of a breach, risks are spread across all company departments.

The cybersecurity team needs to safeguard the entirety of an organisation, so the upcoming challenge will be how to integrate it and oversee it: at executive level? Under the CTO, CISO, CDO? With a dedicated budget or shared with IT?

Data protection and data privacy by design

Less naysayers, more value creators.

“Policies”, “notices” and “compliance” make most of us roll our eyes, because they appear as market entry barriers, business hurdles, excessive costs, project delays, and intrusive scrutiny from lawyers and consultants.

The next decade will see the negative role of data protection and privacy decrease and its positive impact rise: on ethics, business, employee welfare, and user acquisition and satisfaction.

As regulatory and consumer requirements grow towards stronger cybersecurity and data compliance, successful organisations will embrace this shift and integrate it from the very beginning of any project. Just as UI/UX and accessibility were brought to the design board, cybersecurity and data privacy will have a seat at the design table. With policies defined together with the other functionalities, compliance will be reached naturally without overextending budget and timeline. Consumers will lean towards such solutions and good practices will establish themselves organically.

SaaS and PaaS assistance

Less single-tasked, more co-piloting.

When raising their cybersecurity and data compliance maturity, organisations face the challenge of information overload from multiple feeds: compliance intelligence, security monitoring, regulation updates, solution provider input, internal documentation, etc.

A myriad of tools is available to help guide an actor through each of these feeds; however, without a comprehensive alignment of those tools, following them resembles the flight path of a headless chicken more than that of a diving eagle.

Two things will happen in the cybersecurity and data compliance SaaS world:

  1. SaaS will not simply provide passive assistance: they will detect threats (including regulatory ones), prioritise them and advise on a course of action. Machine learning will be instrumental in SaaS becoming a co-pilot for cybersecurity and data compliance professionals.
  2. Multiple SaaS solutions will be integrated on platforms (PaaS) to benefit from one another and cover the full spectrum of cybersecurity and data compliance in one place: data inventory, privacy policies, regulatory monitoring, employee training, patch management, risk intelligence, etc. Modular adaptation will be key to tailoring systems to internal operations, as per Conway’s Law. Several champions will emerge in parallel: one in the US and one in China for compartmentalisation reasons, and a third one, although my bet is not on the EU or a Five Eyes member State, but rather on a challenger tech country such as Israel or India.

Internet sovereignty

Regional Internets as physical spaces.

The Internet and the World Wide Web were built as an open space, mostly in the loose culture of the US, specifically in the looser culture of the state of California, by minds from the even looser Silicon Valley counter-culture. Simply put, the Internet was a reflection of a free and open construct of space.

Most major Western digital spaces are now criticised as lacking integrity or as simply being untrustworthy. This symptom of the absence of structure pushed other world powers to build their own versions of the Internet, closer to their conception of physical spaces, including the notions of sovereignty and borders. China and Russia obviously lead this trend.

Regional Internets will present the following traits:

  1. Cross-border data transfer legal requirements,
  2. The ability to operate in a vacuum from the outside world,
  3. Strong localisation requirements: not just the usual front-end UX/UI but also back-end cybersecurity and compliance, namely regional security impact assessments and inspections by authorities,
  4. A required physical establishment for organisations operating there, already in place in China and Vietnam.

Ultimately, international treaties will be signed to cover cross-border data transfers, like any other commodity.

Mobile breaches

Gen Z + 5G + Asian mobile-first culture = mobile breaches.

With more of Gen Z reaching working age and the rise of 5G, remote working will become commonplace, with all the associated risks of unsecured phones, travel laptops, USB keys, public hotspots and charging stations. The ‘mobile-first’ culture from Asia-Pacific will gradually shift work from desktop to mobile.

Most data breaches will come from mobile devices.

Successful organisations will embrace such trends to attract and retain talent, by enabling secure remote working through corporate 5G hotspots, VPNs, cryptographic identities, USB condoms (yes, you read that right), multi-factor hardware authentication devices, disk encryption, encrypted backups, connection log monitoring, remote work security policies, and training, training and training.

Sanctions

Jail time.

The biggest sanctions will come from China: not only on a financial level but also with detention for the responsible personnel: CTO, CISO, Data Protection Officer, etc.

In 2012, business intelligence firm Dun & Bradstreet was sanctioned for illegally obtaining personal information from 150 million Chinese citizens, with a corporate fine of RMB 1 million and 2 years detention for 4 employees.

Considering that this decision was given prior to the much stronger Cybersecurity Law (2017), especially regarding sensitive personal information and critical information endangering national safety or public order, it appears a safe bet to anticipate as yet unheard-of sanctions in the next decade: detention for the legal representative and a lifetime ban from security-related positions for the personnel in charge.

Insurance policies will cover cybersecurity threats, like any other risk, not only for the fines and ransoms but also for the losses due to business disruption and reputational damage.

Passwords

Rise and fall of biometrics.

Guidelines for creating a secure password, such as 12 characters with upper- and lower-case letters, numbers and special characters, are as widespread as they are disregarded by the average user.

Two-factor authentication (2FA) still has a hard time being adopted, despite major players offering it, such as Gmail, Twitter or Steam.

Biometrics (fingerprint, face) were supposed to be the silver bullet for this issue, but they constitute a bigger problem: they are subject to stringent regulation on the protection of sensitive personal information, and unlike a password they cannot be replaced once compromised.

Alternative solutions such as multi-factor hardware authentication devices (think “password on a USB key”) have been around since the 2000s, with a high price tag, and yet have never filled the immense gaps left by weak passwords. Corporations pushing hardware authenticators in the workplace could be the key to unlocking a safer work environment still ruled by “password123”.

Finally, authentication will be shaken by the democratisation of quantum computing and its brute-forcing capabilities.

Tech and regulation have always played an asymmetric game of cat and mouse: benefiting from Moore’s Law, the former has always moved faster than the latter, with fewer constraints. The next decade will witness two alternative directions: tech breaking away from regulation by sheer speed and power, or integrating data protection and privacy gracefully as part of its value proposition.

Either way, tech businesses will continue to move fast and break things.

To know more, please contact:

Gregory Louvel  g.louvel@leaf-legal.com

Bruno Grangier b.grangier@leaf-legal.com

Nicolas Bahmanyar n.bahmanyar@leaf-legal.com

The TL Group is a team providing tech and legal services.

The alliance between Leaf, a law firm, and TekID, a data intelligence firm, provides a comprehensive cybersecurity and data management offering that helps you enhance your security with a holistic approach. This team of cyber/data experts and lawyers offers services to companies and managers such as compliance audits and programmes in cybersecurity, structuring deals involving data assets, understanding and managing the life cycle of data and the associated risks, and forensic investigations, among others.