We're going to be looking at the future landscape of cybersecurity, and so I'm going to hand over to my colleague, a fellow senior analyst, Anne Bailey, and to SAMI Consulting Director and fellow Jonathan Blanchard Smith to explain to us how we're going to do this and to guide us through the process. So please give them a warm welcome. So we've just heard, if you ask 10 people what matters most, you get 11 answers. We're going to give you the opportunity to give us the 11 answers.
Well, actually, how many of you are there? We'll probably get 50. First thing, reach for your mobile phones. Make sure that your mobile phones are engaged, because we are going to be interactive, but we're going to be interactive using mobile, so that's easy.
Anne, over to you. Thank you. Just in time. So here we are. We're going to be looking a tiny bit backwards at some research we did over the last year, and with those results, we'll then be able to look forward. And so what we'll do today is to first start at the results of that work. It was a foresight study done with three different workshops with three different types of people with different perspectives.
Group of analysts, group of CISOs, many of whom you've met today, and actually the participants of last year's cyber evolution, working with different scenarios to derive eight different recommendations for how to prepare your organizations for the next 10 years. We'll then gather your responses and your reactions, and we'll figure out what's next. So let's all get on the same page. We need a few assumptions to make sure we have the same understanding. So first is the present is not static, and neither is the future. We're all aware of this, but what should we do with this information?
We could just throw up our hands and do nothing about it. Surprise, surprise, we don't recommend that. A good first step is to think about it, engage with the future. What would advantages of this future be, or risks of that? Gather some information about what could be approaching towards us.
Again, we could just leave it there. We don't recommend that.
Surprise, surprise. But we could take some action on it. Form some plan, gather more information where there are unknowns, and move towards the future with intention. So please intentionally take out your phone. Give your best attempt to scan this QR code. This is the full report of our recommendations, all the pre-work there, all the trends on the different futures we discussed, the different possibilities, the recommendations themselves, and of course even more detail on what to do with that information.
While you're trying to do that, we heard in our last presentation, if things fail, resort to paper. I have some, if anybody would like. Any words to share here?
No, we're doing fine. If you can make this work, make this work. This will take you to the full report behind the KuppingerCole firewall. It rather assumes that you are members of KuppingerCole, and if you aren't, join it, so that you can read the report. We are going to go through, so these sort of exercises produce a recommendation set by and large. We looked at four different futures.
I was delighted when I came here this year, having been here last year, that people remembered the titles of these futures, and from looking at those futures and what they mean for cybersecurity, we then derived a set of recommendations. Those recommendations are good for all of those futures, depending on what the future looks like. What we do know about the future is it isn't what we think it's going to be, and it isn't going to be a forward forecast. We can't turn around today and say the future is X.
The future is going to be a range of A, B, C, D, and probably something way over there, like a Q, which we hadn't expected. So what we need to do is understand a range of futures, and looking at those range of futures, see what's common to all of them that we can prepare for that's common. So we came up with a number of recommendations, and our first recommendation was that in any of those futures, CISOs need to become advocates for resilience and recovery. We were really struck by and concerned by the lack of power that CISOs assume, bearing in mind how much power they actually have.
So we want them to become advocates for resilience and recovery. I do wish we could go into more detail on each of these recommendations, but that's why you have the paper here in the interest of time. We're going to give you a brief overview of these so that we can move into some other interesting activities. The next recommendation is do not neglect the basic cyber hygiene. We spent quite a bit of time on this in the last few days. So don't neglect what we know is good.
One of the reasons why we're rushing is what we've got down here is a countdown clock in red, so we know how much time we've got. Know the opposition. Always know who you're facing, as we've just heard. They change over time.
Know them, understand them, and survey them. This is not a new recommendation, but it's one that has still yet to be solved, and so we really have to dig in. The cybersecurity industry must collaborate to bring transparency and security to its supply chains. And it's a good point. The fact that some of these recommendations are recommendations that you will have heard before doesn't make them less valid because they've come out of this process as well. AI is a risk and a tool for risk mitigation. Take a holistic approach to user-centric security.
This is maybe using more words than our previous speaker, who ended with the message of protect people. Security is about people, by people, supported by tools, of course, but keep people as part of the process, take care of them, and equip them. And that means watch after their mental health as well. We had a session on mental health, this cyber evolution, which was fantastic because the idea of us actually focusing on the mental health of our own teams really makes a difference. Make identity security a central part of the organization's security architecture.
This is a basic, related to the cyber hygiene question, but really down to identity security, who you are and what you are is going to matter and change over the next 5, 10, 15, 20 years as we have AIs that can model your face, AIs that can model your voice, people who can use, bad actors who can use those things. Identity security becomes central to an organization's security architecture.
And we have some bookend recommendations here, particularly for the CISOs, calling out here the need to play a more active role in shaping international and national regulations, making voices heard or coming together for action where it needs to happen. And that's one of the, again, this relates to recommendation one. We were very struck by the amount of power CISOs were going to have in these future worlds and how much power they weren't assuming in them. This is not something you can leave behind you. This is something you will need to be part of making decisions in.
So these recommendations are one through eight for a reason. But as we acknowledged earlier, the present is not static, neither is the future. Is this still valid? Are these in the priority that you would give them when it relates to yourself, your organization, the challenges that you have to face? So pull out your phones again, please. Take a look at this QR code. Maybe it's a little more successful.
If not, you can always go to Slido.com and enter in the code here for a ranking exercise. So what we would love you to do here is to look at those eight recommendations, identify the three or four that are most relevant to you, and please rank them. When everything goes well, we'll be able to see the results live on screen and be able to discuss it a little bit before we move on. So take a few minutes here to do that. The question is really what resonates with you. You may well have learned something over the last three days that changes your view than what you had before.
Bear in mind this was last year's study. We will be continuing to revise them, and that's why we're asking you to do these sort of exercises now. We're only showing the top six at the moment. There we go. All right. That's nice. We need somebody who's practiced in calling horse races. Up here. Great. This is really interesting. As these things start to move, dynamically understanding prioritization gives us an opportunity to really understand the impact of what we've been talking about and also the priority structures that we've been putting in place.
It's very interesting that the ones that we had as key, our ones were lower down than where we've actually got. Basic cyber hygiene, yep, this is the COVID wash your hands is the most important thing you can do exercise. Washing your hands in COVID was critical, and basic cyber hygiene is critical. Happy with that. Identity security, I take your point. I may have swayed you. I regret that.
Well, that does fit very well with KuppingerCole's DNA, in a sense, so we could also be playing to a biased audience. Yeah. We should acknowledge that. And we're very reluctant to take charge, aren't we? CISOs becoming advocates and CISOs playing a more active part down there in four and five. You're the people who know about this. But they're not seven and eight. So seven and eight, what we've got dropping down, then, is AI being both a risk and a tool. AI's dropped. And? I need my own list. Okay.
Well, we can, I believe, move on. That's great. Because now we've, thank you. Is somebody taking a photograph of that? I have a record of this, but please. Cool.
No, no, that's great. This is a really useful prioritization that we intend, I'm talking about this on behalf of KuppingerCole, but we, SAMI, intend to be looking at this on a regular, ongoing basis. I hope Casey will do as well. And this is a very good start for us. Thank you. So to move on, this is just a small example of the additional detail that the report goes into. We don't just stop at the recommendation one through eight, but each of those have more concrete steps, what you can do to address that recommendation in the ways that perhaps fit your needs. So this is just another plug.
Please go read the report. This is another aspect of these sort of exercises. We don't just make eight recommendations. We make something like 45, 40 in total, but prioritizing them, as you've just proved to us, our prioritization is different to yours. Go read the report, and you may well find something buried in there that you think is more important that you need to be getting on with. Bear in mind you're preparing your organization for the challenges of the next 10 years, and some of those recommendations may be buried as sub-recommendations of the main ones. Get in there. Dig it out.
Tell us what you think. Move on. So we need more of your brain power. It's very possible that we missed something, that on that recommendation list, you didn't see what actually is top priority for you. So we'll consider this from two different angles.
First, the risks. What is the biggest risk impacting cybersecurity in the next 10 years, from your opinion? So you know the drill. Everybody looks very busy. Thank you for your help here.
Again, you can scan the QR code or join at slido.com. So we'll give you a chance, provided this ticking clock doesn't tick too fast, to do opportunities as well, because, yeah, thank you. In every risk is an opportunity, and in every opportunity is a risk. Okay. That's either the same anonymous person three times typing AI, or we have great. So okay. Can I ask you to do one thing? If you're typing in AI, can you say why? Because AI is now so massive that, you know, were I a teacher, I would say that everyone's using AI to write essays with, but that's not what you mean.
So tell us what you mean here. Thank you for fragility of the digital system. That comes up particularly in the more unpleasant scenarios. Those scenarios where you can't guarantee globalized worlds, that's particularly relevant. Integrating all sources of risk is actually extremely difficult.
There are, I know for a fact, because we're working on it, one major government project to attempt to do this. They slightly ran out when they hit 105 different scenarios, trying to integrate this through.
Trump 2.0, can I ask who said that, but what they meant by when they said it? Trump 2.0 is really interesting. A lot of us, a lot of futurists are currently using that as a shorthand for multipolar world with substantial tariffs, collapse of established systems of cooperation, and not really knowing who your mates are. Other people are using it as a China invades Taiwan, Trump gives Putin Russia, a geopolitical sense. And so thinking about where those work with you, deep fakes and advanced phishing, thank you. Yes. Yes. Okay. So AI breaking down our logical defense. Logical defense logic. Yep.
Great. Root of trust failures, yes. Digital illiteracy, really important. We know that people who don't understand things, fear them. We have seen an awful lot of that in the last few electoral cycles, but we've also seen it in technologies and technology adaptations. So digital illiteracy, yeah, big risk. Thank you. Okay. And thanks for unknown unknowns.
That's a, it's a great, we have teams of people trying to work out unknown unknowns at the moment as far as AI is concerned. Okay. So if you've worried about it, what are you looking forward to? You've got opportunities. Every single one of those risks had an opportunity in it. What are they? What are you going to capitalize on within the structure of being a CISO? Not within the structure of being a human being, a person, but within the structure of your industry. What are you going to capitalize on in the next 10 years that are the big opportunities that impact cybersecurity?
It's interesting how much more difficult this is. This is cyber, cybersecurity is a risk focused industry. You're attempting to moderate risk, but you're also attempting to go out there and take advantage of opportunities in front of you, at least I hope you are. Don't worry about this incidentally, we always find that people look to the future with fear as opposed to an eager anticipation. Thank you. This is really important. Our primary recommendation. You're going to be regulated to bits by people who don't understand you, unless you start taking active parts of the regulation yourself.
Berthold, your cybersecurity council is trying to do part of this. And this is something we need to actually really, really get to grips with. Increased dangers of state actors. There are some extraordinarily sophisticated countries out there in cyber who are not extraordinarily sophisticated in the rest of the world, and they want what you've got, because they can leapfrog stuff that way. Weaponizing compliance is such a lovely expression. How do we weaponize compliance? You're going to do this or we're going to stamp you. Are you going to be able to use these technologies?
Right at the beginning they said using AI to fight AI. What technologies are you going to be able to use to develop, to increase cybersecurity? Really interesting how much cooperation is coming up as well. International cooperation, international standardization is part of three of our four scenarios. In our bad scenario, it rather breaks down. But it's really good to see here that you see that as an opportunity. I see it as an opportunity provided CISOs get their act together and start working together to promote that international cooperation and standardization.
It's interesting, the avoiding a fear-driven approach. We heard just now how many things can go wrong if security goes wrong, and whether it's a push factor or a pull factor. Turning around and saying cybersecurity is good relies on turning over all of the joint cybersecurity center in the UK, basically markets, if you don't do this you're going to be impoverished or potentially die or explode or something. Turning this into a positive is a really interesting aspect of what the next 10 years looks like.
And in the interest of time, I think we do need to wrap up, but it's hard to put a lid on this once we start thinking about the future, wondering, imagining. It's fascinating. Absolutely. And so that leads us to what can we do with this sort of thinking? How can we put a framework around it, put a methodology around it, so that we can use this with confidence to really guide planning, decision-making, all of it? The first is to look for those proven methodologies, look for toolkits that are available.
The Futures Toolkit is one of those, so when the slides are available online, you can use these links to access those. I'm going to give a quick promo on that. The Futures Toolkit is the UK government's standard toolkit of tools. It's been designed to be, this is the second version, and the reason why I'm promoting it is because we wrote it. And it is used throughout UK government. It is the only one of the six toolkits around the world, and this one is widely regarded as being the best, that's us.
You've got 12 tools in there, but best you also have 12 templates, facilitation templates and sets of case studies. It's designed so you can pick it up and take it and go and use it yourself, and it's on a Creative Commons licence, so you can just nick it off the UK government website, we've given you the link, and go ahead and use it yourself. Not everybody who's looking at the future is thinking about cybersecurity. We are. So if you're interested in being part of shaping the vision of the future of cybersecurity, let's do it together.
You can register your interest with info.com, be part of future workshops, contribute ideas, be part of our growing membership with access to research, the results of these studies, as well as the whole host of other research we do in the space. We heartily invite you to join us on this. Because the future's changing, we need to know about it so that we can act on it.
With that, thank you for being here this week, and safe journeys home. We look forward to seeing you next time. Thank you very much.
Thank you, Anne and Jonathan. A nice call to arms to end off with. I just add to what Anne said, hope you've had a great couple of weeks, and a safe journey home.