Digital moats and cybernetic barricades: the CISO’s role in 2040
22 03 2018
Confined, at the emergence of the Internet, to a computer and a few antivirus programmes, the Chief Information Security Officers (CISO) has steadily become more important over the decades. Although their watchwords have remained the same - Confidentiality, Integrity, Availability & Traceability of information - the ramifications and implications of their choices have multiplied with companies’ digitalisation and ‘over-connection’. From being the person who always says no to now facilitating and promoting security as a creator of value, today they are on the board of directors, in the legal department and the communications department... And where will they be in 2040?
It may be difficult to project 20 years ahead when we know the amount of change that has taken place in the last 15 years alone. One thing is however certain: hackers, viruses and malicious users will still exist in the future. Someone will always need to explain how these risks can be kept in check and ensure that the data, irrespective of its nature or quantity, is processed in total security. And the CISO's responsibility is still increasing: The General Data Protection Regulation (GDPR) issued by the European Commission, which becomes compulsory at the end of May 2018 in the Union, should give a completely different face to the legal issues involved in the role.
A new legal responsibility
There is nothing new in terms of security obligations, but the GDPR, as a European regulation, will soon involve stronger sanctions for companies if they fail in their duties. The importance now placed on users’ right to withdraw information makes controlling personal data and its processing more necessary than ever: in case of non-compliance, the GDPR provides for a penalty of up to 4% of a company's turnover - indicating that the CISO holds their company's future in their hands, and that security breaches could become as serious as personal accidents or major IT bugs...
In 2040, the CISO will luckily not be alone any more. Established with the Data Protection law of 6 January 1978, the role of the Correspondant Informatique & Liberté (CIL) has evolved gradually with the legal texts. They oversee that the requirements of French law are met (CNIL - French data protection agency). The latest legal developments, which are optional for the time being, should make this role compulsory. Another compulsory role in most companies is the Data Protection Officer (DPO). Their role is to monitor the application of legal requirements in terms of personal data security. Alongside a Security Manager who will continue to deal with potential threats relating to stock files or price files, the DPO will only focus on customer files and their security, and consequently be much more focused on legal and financial issues.
Responding to technological developments
Legal developments and change in organisational flow charts should go hand-in-hand with the technological developments that we are only just starting to imagine. Artificial Intelligence and machine learning are already among the concerns of CISOs today, but what will the situation be in 20 years? Their unavoidable spreading should add a lot to the plate of those who must ensure that not only people, but robots too, must access information in total confidentiality, within the framework of the security policy defined by the CISO. The risks will result not only from outside, but also potentially from within systems: how do we ensure information is sound and available at any time, with AI programmes that are currently neither mastered nor explained from A to Z?
Although twenty years ago, the CISO's scope of responsibility did not go beyond computers and their Internet connection, it has not stopped growing and now concerns IT processing in the cloud and the Internet of Things. Fundamentally, the occupation will not change much: it's the scope of action that will be extended. With the cloud, information leaves the boundaries of the company and is in the hands of partners. Although designing and controlling the security policy should remain the pillars of the future CISO, the communication and implementation of this policy should be overriding. The more partners there are, the more security should be delegated to each of the members concerned, instead of remaining the concern of a few managers who are unable to control all the operations.
To a ministers’ round table?
Continuing to control everything, like in the era of the solitary computer and its antivirus programmes, evokes the utopia of a period when people will be permanently connected. And although the task is tough even for the many CISOs, the responsibility will go beyond the question of the company’s compliance with the GDPR. In the event of a breach, in the era of biometrics and cloning - by 2040, we must expect these terms to sound much less exotic that today - there will be much more at stake than companies’ turnover: hardly exaggerating the dystopian image, we can imagine clones of ourselves generated at the other side of the world from biometric data that has been hacked...
The fight against these future hackers already looks staggering. At the time of the solitary CISO, the company was a fort at the top of a hill that had to be defended against external attacks with moats and other cybernetic barricades. Today, the company has become an airport, a real information transfer hub of which only certain zones can be fully secure - it is impossible to monitor all the exits constantly. To mitigate this, honeypots are being developed: a system of virtual traps to attract malicious individuals or programmes. In time, there could even be more traps than real information centres in the cloud.
By 2040, the online company will no longer be a castle on a hill - but a needle in a haystack. As for the CISO, far from their original role, they will doubtless have gone beyond the company's board of directors: responsible for governments’ security, they may find their place on round tables for preventing the cyber conflicts of the future.
Thanks to Joseph Graceffa, chairman of CLUSIR Nord de France, for his precious help in writing this article, in collaboration with Usbek & Rica.