1) Information security is undergoing significant change driven by evolving technology trends and how people use technology. Key trends include the growth of cloud computing, connected devices, data sharing, and new identity and trust models.
2) Over the next decade, information security requirements will be shaped by factors like globalization, regulation, and demographics. Suppliers will need to specialize to meet diverse needs.
3) Organizations require holistic information security approaches considering technology, processes, and people to adapt to threats and remain compliant with changing rules. Proactive strategies can provide competitive advantages over reactive ones.
2. Revolution or evolution?
About the Technology Strategy Board
The Technology Strategy Board is a business-led executive non-departmental public body, established by the Government. Its role is to promote and support research into, and development and exploitation of, technology and innovation for the benefit of UK business, in order to increase economic growth and improve quality of life.

About PricewaterhouseCoopers LLP
PricewaterhouseCoopers LLP provides industry-focused assurance, tax and advisory services to build public trust and enhance value for our clients and their stakeholders. More than 163,000 people in 151 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.
About this roadmap
This roadmap was commissioned by the Technology Strategy Board and jointly
prepared with PricewaterhouseCoopers LLP (UK).
The purpose of this roadmap is to set out the drivers that will shape the future Information Security environment to 2020 and beyond. This roadmap is to inform business leaders and security professionals alike, and sets out potential future scenarios and issues around information security, allowing the reader to draw implications and conclusions that apply to them.

In preparing this roadmap we interviewed over 35 leading Information Security experts and business leaders across the private sector, academia and government to determine the key trends that are likely to impact Information Security to 2020. We subsequently held a workshop with over 40 experts to validate the trends and explore them in further detail.

The research focuses on the commercial aspects of Information Security, but remains cognisant of trends in cyber security and warfare for military and intelligence applications. Our research primarily illustrates trends in the UK Information Security market, but the implications are relevant globally.

We would like to thank the following organisations for their participation in the research: AstraZeneca, BBC, Birmingham University, British Business Federation Authority, BT, Chatham House, Cisco, Credit Suisse, Cyveillance, De Montfort University, Digital Systems Knowledge Transfer Network, European Information Society Group, Garlik, Hewlett Packard, IBM, IdenTrust, Information Commissioner’s Office, Information Security Forum, Kaspersky Lab, Lloyd’s of London, McAfee, Methods Consulting, National Grid, Ministry of Defence, Nokia, Office of Cyber Security, Oracle, PGP Encryption, QinetiQ, Queens University, Royal Holloway University, RSA, Security Innovation & Technology Consortium, Skype, Symantec, Technology Strategy Board, Travelex, Trend Micro, as well as several others who would prefer to remain anonymous.
Executive summary
Information Security is a much broader concept than technology. It relates to
protecting information and information systems from unauthorised access, use,
disclosure, disruption, modification or destruction. As the volume of information
grows and continues to be increasingly stored and communicated in electronic
form, Information Security is rapidly becoming intertwined with technology, and
more specifically, the internet. This has given rise to the term Cyber Security, which
is used interchangeably with Information Security.
This roadmap is for business leaders and security professionals alike, and sets
out potential future scenarios and issues around Information Security, allowing the
reader to draw implications and conclusions that apply to them.
Information Security, whilst being a very current and topical issue, is also an emerging sector that is undergoing significant change. The main suppliers shaping the Information Security industry are a converging group of technology vendors, system integrators, consultants and aerospace & defence companies. The available market research does not provide a consensus on the size of the IT security market, the best proxy for the Information Security market. The range of market research suggests that the IT security market is worth approximately £4-5bn per year in the UK and is growing strongly.

Over the next decade, Information Security requirements will be driven by various macro level factors, such as globalisation, climate change, regulation and evolving demographics. These will present opportunities and risks for organisations in dealing with Information Security issues, and also companies providing Information Security products and services. There is likely to be a greater degree of segmentation within the Information Security market in the future as suppliers specialise to meet the needs of specific groups. For example, the rising importance of Information Security in the healthcare sector as services are increasingly provided electronically is likely to drive specific regulatory and technology requirements.

Information Security is often considered to have three components: technology, processes and people. Technology has been a key aspect of Information Security in recent years, but increasingly, organisations are realising that processes and people are overlooked components when developing holistic approaches to Information Security. By 2020, there may be a reversion to technology being the key strand to Information Security, driven by significant increases in the volume of data, speed of processing and communication technology, and the emergence of more complex and automated threats.
The research identified seven interrelated key trends that are likely to drive change in Information Security through to 2020 and beyond – see diagram overleaf. The first three trends relate to changes in technology, whilst the following three trends reflect changing patterns in how people use technology and the internet. Finally, trust and identity are universal themes which are intertwined with many of the prior trends. These trends have implications for organisations of all sizes, individuals, governments and the Information Security industry.

The building blocks of modern communication technology are rapidly evolving and we see this change all around us. Televisions are blurring with computers, feature rich mobile devices are becoming more prevalent and fibre optic cables and wireless networks are enabling faster static and mobile broadband access. By 2020, ubiquitous devices will seamlessly and automatically interact with other devices around them, adapting functionality to their local environment and other objects in their proximity.

The volume of private information being shared has escalated significantly over the last decade, particularly driven by social networking, and this is likely to continue. Additionally, the volume and value of transactions through electronic channels is expected to continue to rise. These trends suggest that cyber criminals will increasingly be willing to invest further resources in developing more sophisticated attacks.

Regulation and standards will be important drivers of Information Security over the next decade, but will need to keep pace and evolve as technology and its uses develop. There is likely to be increasing pressure towards regulation in information security, with privacy and consent being a key driver.

Proving identity and establishing trust are two of the greatest challenges identified in the research. In 2020 as people spend an increasing proportion of their time online, identity becomes a greater challenge because fewer interactions will be face-to-face, a greater volume of private information may be available online and new technologies could make it easier to impersonate individuals.
Key trends impacting Information Security to 2020
Key longer term drivers
• Globalisation
• Increased focus on climate change
• Shifting global economic centres
• Changing demographics
• Increasing regulation / governance
• Increasing reliance on technology and information
• Changing attitudes towards privacy
• Evolving work / home balance

1. Infrastructure revolution
• Increase in penetration of high speed broadband and wireless networks
• Centralisation of computing resources and widespread adoption of cloud computing
• Proliferation of IP (internet protocol) connected devices and growth in functionality
• Improved global ICT (Information and Communications Technology) infrastructure enabling greater outsourcing
• Device convergence and increasing modularisation of software components
• Blurring work/personal life divide and ‘Bring Your Own’ approach to enterprise IT
• Evolution in user interfaces and emergence of potentially disruptive technologies

2. Data explosion
• Greater sharing of sensitive data between organisations and individuals
• A significant increase in visual data
• More people connected globally
• Greater automated traffic from devices
• A multiplication of devices and applications generating traffic
• A greater need for the classification of data

3. An always-on, always-connected world
• Greater connectivity between people driven by social networking and other platforms
• Increasingly seamless connectivity between devices
• Increasing information connectivity and data mining
• Increased Critical National Infrastructure and public services connectivity

4. Future finance
• Rising levels of electronic and mobile commerce and banking
• Development of new banking models
• Growth in new payment models
• Emergence of digital cash

5. Tougher regulation and standards
• Increasing regulation relating to privacy
• Increasing standards on Information Security
• Globalisation and net neutrality as opposing forces to regulation and standardisation

6. Multiple internets
• Greater censorship
• Political motivations driving new state/regional internets
• New and more secure internets
• Closed social networks
• Growth in paid content

7. New identity and trust models
• The effectiveness of current identity concepts continues to decline
• Identity becomes increasingly important in the move from perimeter to information based security
• New models of trust develop for people, infrastructure, including devices, and data
The research indicated that there is a need for a proactive approach to Information Security from all stakeholders given the rising complexity and volume of threats.

Organisations should ensure that approaches to Information Security are holistic and consider technology, processes and people. Approaches need to adapt to rapidly changing threats and technology, and also to changes in regulations and standards. However, it is important that organisations also focus on aspects of Information Security that are not necessarily driven by regulation and standards, for example, protecting commercially sensitive information or intellectual property.

Increasing focus on Information Security could also provide competitive advantage. Organisations that have effective Information Security in place could increasingly attract consumers to use their products/services. Information Security could also provide opportunities to sell products/services through new channels or interact with customers in new ways that are not possible today due to concerns about privacy and consent.

Organisations need to consider both the potential benefits and costs of their approach to Information Security with a holistic approach like the ‘Total Lifecycle Cost of Information Security’ model shown overleaf. This illustration demonstrates the potential long term impact of two different approaches to Information Security.

In the first scenario, the organisation does not have an appropriate approach to Information Security. It then suffers from an ‘event’ which causes cost to the organisation in the form of increased spending on Information Security solutions, loss of intellectual property, loss of market share and hence income, and damage to its brand.

In the second scenario, the organisation takes a more proactive approach to Information Security. It invests in Information Security solutions and benefits from greater trust from its customers and gains in market share, higher price points relative to its peers and agility in adapting its Information Security approach to market changes.

In this example, the organisation could be replaced with an industry, country or even a region.
There are many uncertainties with respect to how Information Security will evolve over the next decade. However, it is certain that new Information Security requirements will require businesses to innovate to develop new products and services. This will provide opportunities both for businesses, to develop new business models and generate competitive advantage and for financial investors alike. It will also stimulate economic growth through consumption and exports, and make the UK a safer place to do business.

Are you up to the challenge?

Figure 1: The cost of inaction – two illustrative scenarios for an organisation’s approach to Information Security
[Chart: Total Lifecycle Cost of Information Security, 2010 to 2020. Labels: ‘Reactive’ approach, ‘Proactive’ approach, Key event, Cost of inaction.]

Definition
Total Lifecycle Cost of Information Security = Lifecycle costs of deploying and operating security solutions + Reputational value + Intellectual Property value + Operational effectiveness + Financial impact of incidents

Lifecycle costs of deploying and operating security solutions
• Hardware / software solutions
• Training
• Consultancy costs
• People costs

Reputational value
• Brand volume
• Customer satisfaction/confidence

Intellectual Property value
• R&D information
• Customer databases
• Competitive information

Operational effectiveness
• Productivity
• Ability to service customers
• Cost to serve customers

Financial impact of incidents
• Direct financial loss from attack