We gather industry experts to discuss what’s on the horizon for identity in 2022 and beyond.
“The bad guys only have to get it right once.” KPMG’s Danny Flint, ForgeRock’s James Ross and Daltrey’s own Michael Warnock peer into the crystal ball and discuss their predictions for the identity sector in 2022.
In the context of things like myGovID and accessing particular services throughout the pandemic, is some of what we’re seeing underpinned by enough regulation and legislation? Is that the next step, or should it have come before we started to see what we’re seeing?
Danny: That’s a good question. The identity world is still dominated by regulation and the efforts to comply for various organisations. There’s been a big focus on consumer data and how that’s affected the financial services sector. But there’s a lack of clarity in that ecosystem still. Who has the liability when things go wrong? If you’re looking through to some of the learnings from GDPR, it needs to be very specific and it needs to be very defined. I’m not sure we’re at that point yet.
James: We’re used to dealing with different levels of government for different types of services – federal, state and local. It’ll be interesting to see how this evolves with using a common identity to interact with those different levels of government. I don’t think we’re anywhere near close to having a ubiquitous identity that we use across all of that; federal and state are probably a little bit closer, but even then there are different laws and regulations in the different states.
We’re doing a lot of work with Service Victoria on their citizen identity. They’ve got peculiar laws and restrictions about what data they collect on citizens. So as well as a technology framework, there’s also a legal framework and homogenisation that needs to happen before this can really take off.
What do you think next year will bring in relation to breaches, the role that government will play in identity, and the types of breaches that we’ll see?
James: I think overall we’ll see a reduction. The trend has been heading downwards and I think that will continue. This might be a segue into another topic, but I think with the introduction of technology like MFA, where we’re not just relying on usernames and passwords but we’ve actually got another form of identifying the individual who is performing that transaction – that’s going to take it to the next step.
If we have ubiquitous MFA across nearly all systems, internal and customer-facing, then we should be able to get that compromised figure of identities down to a very, very low level. The fact that the industry hasn’t done that yet is a little surprising because MFA is not new. But I think we’re going to see a continued investment and focus on driving MFA throughout the whole industry.
Danny: I agree that MFA is an important part of this. I think 2022 is going to be the start of the death of the password, which I absolutely welcome. I think we’re going to be adding many, many factors. It’s not just a push notification or an email. The reliance on device is going to be significant. A known device in a known location at a known time and in a known environment – there are many factors we can add in.
Obviously we’re invested in biometrics as well. There’s an additional factor – when I log into my ANZ account in Australia, my voice identifies me, but there are additional biometrics that you can use. I think these are going to become more and more effective and more and more widespread throughout 2022.
We’re pretty bullish on biometrics in the work that we do, Michael, but what are you seeing for next year based on what James and Danny have said?
Michael: It’s a couple of things. First, I’d say there will be a greater focus around the ACSC Essential Eight, which is being pushed out now, not only in government but also into enterprise. I think there’ll be a natural adoption of that to become the standard.
The second observation for next year has been really driven through COVID – it’s this notion of: How do I bring a new employee into my organisation? How do I actually onboard somebody effectively and ensure they come with the right identity? We have seen situations in the market before where staff have come into a new organisation during the pandemic. They haven’t gone into the workplace physically, and they’ve left four or six weeks later with some critical assets and basically ghosted.
So for me next year I want to see how organisations will robustly identify their staff as they enter their new workforce.
Organisations are investing a ton of money in cyber, but are they investing in the right places? Where will we see the money go in the next year?
Danny: I’m not sure we are investing in the right places. There is a significant amount of focus in the enterprise world on ransomware – that threat is tangible and it’s at the board level. So there’s money going into that to combat or mitigate some of those risks. A lot of it is around tooling, but not necessarily about education in the workforce. The two go hand in hand; you’ve got to have both as a foundation.
The investment the government is making in systems like myGov, the legislation and the enforcement of that – it’s all well and good, and I think it’s moving towards the correct end point. But there’s a critical lack of investment in the population around cyber. I know last year, a number of organisations globally did Cyber Awareness Day, and I found it really quite shocking to see the lack of understanding about these threats, not just in schools but in parents and in organisations as well.
For me, that’s where a lot more focus needs to be. What are we doing about growing the next cyber professionals and cyber experts? It’s falling on business to do that. We are somewhat doing it, but I’m not seeing the level of investment in creating the courses, in increasing the syllabus and curriculum that will educate students and the next population.
So Danny predicts there’s going to be more money going into cyber awareness education. What do you think, James?
James: If you look at the malicious cyber breaches that occur today, there are very few that wouldn’t have been stopped with technology that already exists. There are very few zero-day threats; it’s taking advantage of weaknesses in systems. As we’ve said before, it’s hard to protect and cover everything.
I think Danny is right that there will be continued investment in cyber awareness and training, but also in technology and platforms, in systems and processes. Because the technology exists to protect these, but the investment isn’t always there for organisations to actually implement these technologies, and then maintain and operationalise them.
We need to do this because it’s very sensitive data that we’re protecting from malicious foreign state actors. There needs to be a big ramp-up of investment in our cyber defence.
What do you think from a lessons-learnt perspective we can take into next year?
Michael: For me, it’s not a set-and-forget mentality. Organisations and government need to make sure they’ve got a regular cadence reviewing what their cyber risk posture really looks like. They need to ensure they’ve got the ability, the technologies and the processes in place now to support the hybrid workforce. That’s already here. It’s not going anywhere.
If not, it’s going to increase as we go into 2022. The ability to be able to shift to a new way of working and secure it – pretty much overnight – that’s going to be a critical factor for success in the year ahead.