Government (and other bodies such as financial regulators and the PCI) are likely to have a major influence on what business can and must do in 2014. Adrian Culley, global technical consultant at Damballa, notes, "The Prudential Regulation Authority’s more exacting requirements around cyber resilience, coupled with an increased awareness of these matters from the Bank of England itself, will change the landscape for Banks and Financial Bodies throughout the year."
Stephen Boyer, co-founder and CTO at BitSight sees continuing growth in financial compliance requirements in 2014, especially "around third-party data sharing." This is already happening "within the financial industry, as banking institutions are preparing for the Office of the Comptroller of the Currency (OCC) to enact more stringent guidelines for vendor management programs. Additionally, HIPAA enacted the Omnibus Rule during 2013, which directly holds business associates and their subcontractors directly liable for HIPAA compliance."
Kurt Hagerman, director of information security at FireHost, adds PCI-DSS to the financial mix. "The arrival of the updated 3.0 standard in 2014 [it was released in November 2013 and is due to come into effect on 1 January 2014] is undoubtedly making the process of achieving compliance a growing challenge for businesses, and there is no denying that the new standards will mean an increase in time and costs for organizations to remain compliant. However, the changes made for the latest version of the PCI standards will go a long way to improving the quality of assessments and reducing overall risk. As such it’s a change that the security industry should fully support.”
Governments are also forcing change directly; potentially the greatest of which will come from the EU's General Data Protection Regulation. "The biggest change to government security we will see in 2014," comments Lior Arbel, CTO of Performanta Ltd, "is the planned introduction of privacy regulations across the EU." This will drive greater requirements for user privacy; but although it was intended to come into force early 2014, it is not clear that it will do so. Nevertheless, prudent companies will be preparing for it throughout 2014.
"Most governments," explains Steve Durbin, global vice president at the Information Security Forum, "have already created, or are in the process of creating, regulations that impose conditions on the safeguard and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions."
Privacy legislation in Europe has long been planned, but "We can thank Edward Snowden’s leaks, even more than stricter legislation, for making the public more aware of how organizations handle their private data," comments Eddie Sheehy, CEO of Nuix. Jim Hietala, VP security at the The Open Group agrees: "In 2014 we can expect to see more regulation aimed at ensuring data security and privacy as a result of the Snowden breach revelations."
But there are others who believe that the EU's GDPR – and indeed improved privacy for users generally – is a storm in a teacup that will soon blow over. The 'one-stop-shop' is central to the GDPR. "However," notes Richard Walters, CTO of SaaSID, "the head of the European Council’s own legal service has challenged the ‘one-stop-shop’, arguing that citizens must be able to bring privacy cases in their own country. This legal delay, coupled with the low level of investment behind the GDPR, indicates that this regulation will never actually be enforced."
Catherine Pearce, security consultant at Neohapsis, also predicts security legislation problems in the US. "Privacy will continue to lose out to opposing parties in US Legislature," she predicts. "In response to public awareness and outcry, we will see a failed attempt to pass electronic privacy protection regulation in the USA, attempting to follow the lead of countries such as Germany. This will target private companies under the guise of protecting teenagers, and will exclude government programs. However, irrespective of voter support, market forces and lobbying by interested parties will quash this."
Nevertheless, "Whether the proposed EU Data Protection Regulation is introduced in 2014 or not, privacy will be an increasingly important consideration for businesses next year," says Ken Parnham, managing director, EMEA for TRUSTe.
Apart from privacy concerns (where governments are torn between wanting to provide it for users, but eliminating it for national security purposes), encryption will also become more important in 2014. "The extent to which the NSA has penetrated companies’ networks has been staggering," says Jason Fredrickson, senior director of application development at Guidance Software. "The NSA and PRISM will be a driver for companies tightening up security and developing ways to protect their data from decryption. In the coming months, more companies will ask, ‘How can we prevent the NSA from looking at data on our employees and customers?’"
"The heightened awareness of, and revelations on surveillance will be a driver for companies to tighten up security and develop ways to protect their data from decryption," says Sam Maccherola, general manager EMEA & APAC at Guidance Software. "I expect the global repercussions of the Snowden leak to lead to increased encryption and as a result, we’re highly likely to see new encryption standards emerge and new methods developed next year," adds Matt Middleton-Leal, regional director, UK & Ireland at CyberArk.
But encryption is also a means of complying with the privacy requirements. "In the case of the forgetful employee, government entities [and any business] can mitigate user error by enabling encryption capabilities on all of their employee-issued devices," explains Garry McCracken, VP technology partnerships at WinMagic. "As a result, exposed (but encrypted) critical data will be NOT be deemed a security breach."
Away from Snowden, Catherine Pearce has the inevitable prediction: cyberwar and government response to it. "Details on nation-state cyber capabilities and activities of countries other than the known big players will begin to be revealed. Geopolitics has many fronts, and it’s to your advantage to play in every event. So, it’s fair to assume there are players as yet unknown – whether smaller countries or larger ones that haven’t been exposed yet. In addition to political battles over the internet's fate [that's a separate prediction – that the battle over internet governance will also continue], countries will continue to covertly gain advantage over each other via the internet. We will begin to see more details on the activities of countries other than the USA (and allies), China, Russia or Iran."
And, of course, governments will continue to defend their countries and their economies from the effects of that cyberwar by increasing security regulations. Ron Gula, CEO of Tenable Network Security, explains: "National cyber security will remain high on the agenda next year. Over 2013 and 2014, the UK cabinet office will invest £180 million in cyber security, increasing this amount to £210 million in 2014–2015. The US Department of Homeland Security’s $6 billion procurement of IT security tools, known as Continuous Diagnostic Monitoring, will be watched closely by other countries, causing more governments to invest in similar monitoring strategies. Furthermore, while 2013 saw the height of investment in threat solutions, 2014 will see this start to swing back to a more balanced spend between threat and compliance software, with the development of new sets of real-time and scalable technology."
But it will not be a smooth passage. "Expect continued movement towards more controls implemented in regulations/compliance in general. Security best practices such as SANS Critical Security Controls will gain traction as they begin to deliver tangible cost savings and meaningful improvements in security posture/visibility. Government contractors, consultants and third parties will become the major sources of IT Security infiltration in the government. While DHS CDM (Continuous Detection and Mitigation) project implementation starts, most agencies will not implement it in time to prevent uber attacks and data loss," warns Vijay Basani, co-founder, president and CEO at EiQ Networks.
The overall view for 2014 is one of increasingly severe and intrusive government regulations, with increasingly severe sanctions. Encryption is emerging as the best solution, both to provide compliance with those government regulations, and to deter the intrusions of both friendly and unfriendly governments. But here's one final thought, if not for 2014 in the UK, then certainly for 2015 (and for other years in other countries). It's all about elections. The year 2015 "will arguably be the first election swayed, not by that morning’s headline, but by that day’s Twitter and Facebook. This makes it highly vulnerable to coercion. Much blood, sweat and tears will be shed over this," suggests Damballa's Culley. Whether it will lead to new regulations on social networks is perhaps something for next year's predictions.