The future of information security

In this guest post, John Thornton of the Digital Government Security Forum explains why now is the time to consider how information security could — and should — develop in the future.

Cyber is in the news nearly every day and is a high priority for the public services. In the Autumn Statement, for example, the government committed to investing £1.9bn in the UK’s cyber defences, almost doubling the spending commitments made in the previous Spending Review. This is therefore an opportune time to consider how information security could or should develop in the future.

A new report from the Digital Government Security Forum (DGSF) looks at the Future of Information Security. It concludes that Government, public services and the NHS will all be revolutionised over the next decade by an explosion of data, a greater focus on individuals and changes in working practices. In addition, the computing power of tomorrow’s toys and gadgets will likely be equivalent to that used by research establishments in the not-too-distant past.

In this fast-changing digital world, information security becomes even more important. The report says that we need to be thinking now about the security and data-sharing implications of the ways that we will work in the future. This includes not just near-term issues like cloud computing and social media, but also longer-term developments such as automated systems for enquiry handling and even driverless vehicles.

Based on interviews and desk research, the study concludes that, at present, information security tends to be very fragmented, as it has been developed and implemented on a tactical basis, reacting to new developments and changes in types of threats. As a result, it is generally silo-based, and this creates opportunities for threat actors to exploit the gaps and overlaps between the silos. Technology and threats are changing faster than many security policies and controls.

The report calls for a change of mind-set from ‘incident response’ to ‘continuous detection and response’, from ‘fire brigade’ to ‘detectives’. It identifies five key issues for the future of information security: Combatting Sophisticated Attackers; Speed of Response; Responding to the increasing complexity of the modern IT Estate; Addressing Skills and People Issues; and Reacting to the Internet of Things. It provides advice and comment on each. The report then identifies and comments on seven key components that are needed to build the functional capability required for the future.

Minimising the impact of cyber-attacks, the report concludes, is a business objective that must be owned and implemented corporately. ‘People’ and ‘skills’ must be seen as essential components in the security mix, which is why they sit at the heart of the report’s proposals for Building Function Capability.

The report is published as a ‘discussion draft’ designed to stimulate and inform a debate about the Future of Information Security across the Public Services. It draws on a wide range of expertise and experiences including Chatham House, Intel Security and Cabinet Office. The Digital Government Security Forum brings together senior individuals from across government and the wider public sector to explore the cyber risks confronting the public services.

Download the Executive Summary here.
