
Rounding up the latest trends from Infosecurity Europe 2023
Trade shows tend to divide the crowd. Many cybersecurity professionals will roll their eyes at the prospect of navigating hundreds of vendor stalls in an aircraft hangar-sized building miles from the office. But conference speaking programs are another matter. This is where Infosecurity Europe has value. For around a quarter of a century, thought leaders and industry practitioners alike have used the show to share their insights.
Although choosing who presents isn’t a democratic process, the conference program can still be a useful insight into which topics are generating most interest in the market. Interestingly, despite all the hype, the keynote stage eschewed AI in favor of more familiar topics: culture, compliance, skills, and strategy.
Here are my five takeaways from three days at the show:
1. Organizations need to think outside the box to overcome skills challenges
We all know the security industry is suffering from a shortfall of cybersecurity professionals. The UK has a shortage of nearly 57,000 cybersecurity professionals, and globally the figure is over 3.4 million, according to ISC2. But organizations also aren’t doing themselves any favors. There can be an overreliance on certifications in job descriptions, experts revealed, unnecessarily narrowing down the pool of potential applicants. Security teams should look to hire non-technical roles from within the business where possible. And when it’s an external interview, they may benefit from making the process more relaxing for the candidate, in order to see their true potential. Otherwise, only those able to ace interviews will end up in the plum jobs, and they may ultimately not be the best candidates.
2. Firms must do more on neuro-inclusion
There was an impassioned plea on day three of the show from Neurodiversity in Business CEO, Dan Harris, for security pros to lobby their boards for greater neuro-inclusion. Although as many as one in five of the workforce could be neurodivergent, organizations aren’t tapping their ability as best they could, he argued. In some cases, suitable candidates are unfairly screened out because of an over-reliance on specific certifications. Harris’s call to action was for industry professionals to use their power in the organization for good, by advocating for neurodiversity programs in their workplace. With some employers actively seeking neurodiverse candidates today, he warned that “if you aren’t doing it, your competitors are.”
3. We need to get to DevSecUserOps
After two years of pandemic-era digital transformation, you’d think plenty of lessons had been learned about the importance of building security into projects by design. Well, not so, according to experts on day two of the show. They claimed that firms are still moving fast and breaking things, but not necessarily learning from the experience. Insufficient staff training was highlighted as a major fail in this regard, one which could potentially create cyber risk. In fact, the cost of an insider threat incident is now nearly $7 million.
Dave Cartwright of Santander International argued that even though DevSecOps is far from universal, organizations should be thinking about adding another element — the user. DevSecUserOps would involve getting end users into the development process early on, so that the end product is something they both want to and can use. It could save a lot of time and money on training down the line, he argued.
4. Compliance doesn’t mean security
This sounds like an obvious point but is still one worth making. That’s because of the number of organizations that still approach compliance with a tick-box mentality. As the regulatory landscape grows ever more complex, it pays to take a step back and remember that, while good security will support compliance programs, compliance will not guarantee effective security. Experts were agreed that the gap between compliance on paper and the underlying reality on the ground can be significant. When considering a particular framework or piece of legislation, security teams might be better off focusing on the spirit, rather than the letter of the law, and then thinking about how they can apply that intent in the context of their own organization.
5. IoT and APIs pose a growing threat
The show’s keynote speakers mercifully tend to stick to high-level strategy topics rather than in-the-weeds technology discussions. But two emerging threats stood out. The Internet of Things (IoT) is far from new, but according to experts from Forrester and Transport for London, its growing popularity among users has singled it out for attention among cybercriminals. Analyst Madelein van der Hout revealed that the share of businesses experiencing attacks trying to access networks via IoT devices increased from 41% to 54% during the first months of 2023. The popularity of home working will only accelerate the trend. APIs were also singled out as a nascent threat, especially as specialist security solutions aren’t being broadly adopted yet. Organizations may not yet appreciate the scale of the API cyber threat, but security by obscurity doesn’t work when the bad guys know how to compromise your key assets.
