What should we worry about?
The near future will see shelter-in-place restrictions being lifted, people returning to work in various configurations, and normal operations resuming.
CISOs need to anticipate that:
- Some employees will be reluctant to return and will continue to work remotely
- Shortages and supply chain risks will continue to disrupt normal business
- Insider threats remain high as staff members’ futures remain unclear
- Nation-states will continue to exploit the persistence obtained previously
- InfoSec will continue to uncover historical breaches while managing ongoing significant ransomware risks
- Companies will invest in infrastructure as emphasis on resiliency and contingency planning is renewed
In the longer term, certain macro trends may also be adding to the CISO’s agenda:
To address the crisis and protect their constituencies, governments and even some large companies are rolling out AI-driven applications which leverage cameras, drones, thermal imaging, location trackers, and facial tracking software. An IAPP report suggests that “civil society and private companies have advocated for a clear regulatory framework of facial recognition technology … Possible measures could include a binding requirement to involve data protection experts and human rights specialists in the teams working on the development of the technology, to ensure fundamental rights compliance by design.” CISOs should fully expect the emergence of new compliance requirements as regulatory agencies balance the need for surveillance powers with the democratic push for privacy rights.
The physical nature of cash use may make digital payment platforms a competitive differentiator. From a security perspective, this shift will require CISOs to rethink the role of technologies such as identity and access management (IAM), which will morph from a tool of control into a tool that enables client interaction. For example, with contactless IAM, they will deliver technologies into bricks-and-mortar facilities that allow for facial or voice authentication. CISOs need to be particularly wary of fraudulent exploitation of these platforms: compromised credentials represent 80% of breaches.
The COVID-19 crisis has accelerated the trend toward ecommerce, with 44% of consumers expecting to do more grocery shopping online and 39% expecting to do more durables shopping online over the next one to two years, according to the EY Future Consumer Index. With this shift to online retail comes a push to increase omnichannel marketing capabilities. Collecting more information about consumers, as their activities are tracked, helps create new opportunities for marketers, and for CISOs to identify and prevent fraud. But this also introduces new privacy risks, and potential negative perception from customers. There is a growing “techlash” against technology companies motivated by privacy concerns and what companies do with their data. CISOs need to make sure that customer-data collection not only complies with the relevant laws, but is also justified and provides useful benefits in consumers’ eyes.