Architecting Resilience

Early in the semester, Professor Kane shared the “knowing-doing gap,” where 87% of enterprises believe digital technologies will disrupt their business, but only half are adequately prepared for such disruptions[i]. One component contributing to this inaction may be concern about cybersecurity. These hesitations are likely only exacerbated by the nebulous and ever-changing digital landscape. It can be difficult to keep up with the dizzying array of cybersecurity threats, solutions and buzzwords that crop up with ever more frequency. And now, safeguarding the novel and unexplored realm of things like the “metaverse” further confounds an already daunting undertaking.

For enterprise executives, choosing the best cybersecurity strategy is rife with uncertainty: what is billed as the premier solution today could be obsolete, or proven to be riddled with unforeseen vulnerabilities, by tomorrow. Not only are you tasked with protecting your company’s assets, but shifting to a digital and distributed infrastructure also introduces new vulnerabilities that could irreversibly damage the company’s reputation, destroy shareholder value and fracture consumer trust. Companies may also face fines and lawsuits if the resulting investigations reveal that appropriate baseline security measures were out of compliance.

The global cybersecurity market is currently valued at a whopping $218 billion and projected to grow to $345.4 billion by 2026[ii]. That’s greater than the GDPs of nearly 80% of the world’s countries and territories! These staggering figures mask a trend of slowing growth in cybersecurity spend, even as the need for amped-up defense becomes ever more imperative. Gartner research indicates that CEO skepticism around years of heavy investment with unclear results may signal a broader disconnect between cybersecurity and “business decision making”[iii], contributing to the stall in forecasted spend.

As the pandemic has illustrated, the need for digitization is undeniable. But does being nimble necessitate a tradeoff with being cyber secure? Are companies investing in the right strategies?

Considerations & Solutions

From time immemorial, people have been devising ways to cleverly penetrate defense systems once deemed impenetrable (who can forget the story of the Trojan Horse, or – spoiler alert – Game of Thrones season 7, episode 7? Actually, come to think of it, season 7 episode 1, season 6 episode 10, season 4 episode 4… well, you get the drift).

Naturally this quest for infiltration in pursuit of some gain, whether monetary, ideological, fame-driven or otherwise, extends to the relatively nascent cyber/digital – and now “meta” – landscapes. That is to say, breaches always have been a part of society and will be here to stay, regardless of the forum. Perhaps the best defense is to architect underlying systems and processes to be resilient in recovering from crises when being impervious is not an option. Gartner coined the term “architecting resilience”[iv] in reference to delivering a product or service to meet evolving customer preferences, but I find that expression to be apt here.

In The Transformation Myth, Professor Kane et al. highlight a commonly held but surprisingly undervalued tenet: one of the most critical aspects of cybersecurity is organizationally and individually driven[v]. As Lisa Rager, head of Risk Management at Tesla, is quoted as saying in the book, “lack of awareness and lack of understanding about the appropriate way to do things is the number one cause of data loss.” Countless enterprise trainings emphasize this point, and yet we continue to see employee error as the gateway for attacks or outages.

As executives redefine their cybersecurity strategies and decide where to invest accordingly, a combination of selecting the right systems, architecting those systems for resilience and equipping employees with different training (shifting the mindset) will generate the ROI that was perhaps elusive in previous iterations.

Breaking Down Buzzwords

A few of my favorite terms of late:

Zero Trust

This is really more of a strategic initiative than a solution or a tangible product. As the name implies, network security is designed on the premise that nothing can or should be trusted implicitly – every request is verified regardless of where it originates. This originates from cracks in the previously held security belief that “everything inside an organization’s network should be trusted.”[vi]

SASE

Secure Access Service Edge (pronounced “sassy”) is among the latest security offerings for distributed networks and cloud computing. Designed specifically to address the security concerns that come with moving further out towards the edge, SASE brings traditional security measures out of the centralized data center or enterprise location and applies them directly at the end device/end user. This framework helps to mitigate the exposure created by decentralization by effectively securing each edge node and device, and will be critical as edge computing becomes increasingly prevalent.

Cybersecurity Mesh

Visualize a yard or field filled with a company’s devices and access points (“nodes”). Traditional security measures are architected such that a perimeter is built around that yard/field, like a fence. Cybersecurity Mesh effectively encases each individual device or node in its own perimeter. As cyber-assets are increasingly located outside of traditional perimeters, enterprises will need to adapt to enclose them in new ways.
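The Zero Trust and Cybersecurity Mesh sections above describe the same shift from one shared fence to a policy around every resource. As an added example (not code from the post or from any vendor named in it), the script below contrasts a perimeter decision, which trusts anything on the corporate subnet, with a per-request decision that checks identity, device posture and the resource’s own policy and ignores network location. All users, devices, addresses and resource names are constructed for the illustration.

```python
"""Perimeter trust vs. per-request (zero trust) policy evaluation.

Added illustration; every identity, device state, address and resource
below is constructed, not taken from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_id: str
    source_ip: str
    resource: str
    mfa_passed: bool


# Constructed device inventory: posture facts a policy engine would consult.
DEVICE_POSTURE = {
    "laptop-01": {"managed": True, "patched": True},
    "laptop-02": {"managed": True, "patched": False},
    "byod-phone": {"managed": False, "patched": True},
}

# Each resource carries its own policy: its own "perimeter" in mesh terms.
RESOURCE_POLICY = {
    "payroll-db": {"groups": {"finance"}, "require_mfa": True,
                   "require_managed": True, "require_patched": True},
    "wiki": {"groups": {"staff", "finance"}, "require_mfa": False,
             "require_managed": False, "require_patched": False},
}

CORP_NET_PREFIX = "10.0.0."  # constructed "inside the fence" subnet


def perimeter_decision(req):
    """Legacy model: location decides. Inside the fence means trusted."""
    if req.source_ip.startswith(CORP_NET_PREFIX):
        return ("allow", "inside corporate network")
    return ("deny", "outside perimeter")


def zero_trust_decision(req):
    """Verify identity, device and resource policy on every request.

    Network location is deliberately not consulted; an unknown resource
    or unknown device falls through to deny.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return ("deny", f"no policy for {req.resource}")
    if not (req.groups & policy["groups"]):
        return ("deny", "user not in an authorized group")
    if policy["require_mfa"] and not req.mfa_passed:
        return ("deny", "MFA required")
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None:
        return ("deny", "unknown device")
    if policy["require_managed"] and not posture["managed"]:
        return ("deny", "unmanaged device")
    if policy["require_patched"] and not posture["patched"]:
        return ("deny", "device out of patch compliance")
    return ("allow", "identity, device and policy checks passed")


# Constructed requests covering the cases where the two models disagree.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"finance"}), "laptop-01", "10.0.0.5", "payroll-db", True),
    Request("bob", frozenset({"staff"}), "laptop-01", "10.0.0.9", "payroll-db", True),
    Request("alice", frozenset({"finance"}), "laptop-02", "10.0.0.7", "payroll-db", True),
    Request("alice", frozenset({"finance"}), "laptop-01", "203.0.113.4", "payroll-db", True),
    Request("carol", frozenset({"staff"}), "byod-phone", "198.51.100.2", "wiki", False),
]


def compare(requests):
    """Return (user, resource, perimeter verdict, zero trust verdict) per request."""
    return [(r.user, r.resource, perimeter_decision(r)[0], zero_trust_decision(r)[0])
            for r in requests]


if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print("%-6s %-10s perimeter=%-5s zero_trust=%s" % row)
```

The second and third rows are the point: the perimeter model admits a user in the wrong group and a device out of patch compliance simply because they sit on the corporate subnet, while the fourth and fifth rows show a compliant user and device being served from outside it. Default deny on an unknown resource or device is what keeps the per-resource policy from silently widening.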

Observability

Analysts at Forrester Research predict this term will be ubiquitous in the security realm in short order. A term already common among developers, observability is about “understanding what code does in production, how it works, how it fails, and how it’s experienced by end users.”[vii] For security, this ultimately means adapting security measures and remediation based on what the system’s own telemetry reveals.
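To make the observability definition concrete, here is an added example (not from the post or from Forrester) that reads the kind of structured request events an instrumented service emits and answers the three questions in the quote: how the code fails (error rate per route), how users experience it (slow traces) and a security-relevant failure pattern (repeated authentication failures per user). The event lines, routes and user names are constructed for the illustration.

```python
"""Deriving security signal from structured service telemetry.

Added illustration; the JSON-lines events below are constructed, not
captured from any real service.
"""
import json
from collections import Counter, defaultdict

# Constructed events: one JSON object per line, as a service might log them.
EVENTS = """
{"ts": 1, "route": "/login",  "status": 401, "latency_ms": 35,  "user": "alice", "trace": "t1"}
{"ts": 2, "route": "/login",  "status": 401, "latency_ms": 40,  "user": "alice", "trace": "t2"}
{"ts": 3, "route": "/login",  "status": 401, "latency_ms": 38,  "user": "alice", "trace": "t3"}
{"ts": 4, "route": "/login",  "status": 200, "latency_ms": 50,  "user": "bob",   "trace": "t4"}
{"ts": 5, "route": "/report", "status": 500, "latency_ms": 900, "user": "bob",   "trace": "t5"}
{"ts": 6, "route": "/report", "status": 200, "latency_ms": 120, "user": "carol", "trace": "t6"}
{"ts": 7, "route": "/login",  "status": 401, "latency_ms": 30,  "user": "carol", "trace": "t7"}
{"ts": 8, "route": "/report", "status": 200, "latency_ms": 110, "user": "alice", "trace": "t8"}
"""


def parse_events(text):
    """Parse JSON lines, skipping blank lines and lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed telemetry is dropped, not allowed to crash analysis
    return events


def error_rate_by_route(events):
    """Fraction of requests per route with a 4xx or 5xx status ("how it fails")."""
    total, failed = Counter(), Counter()
    for e in events:
        total[e["route"]] += 1
        if e["status"] >= 400:
            failed[e["route"]] += 1
    return {route: failed[route] / total[route] for route in total}


def slow_traces(events, threshold_ms=500):
    """Trace ids whose latency exceeds the threshold ("how it's experienced")."""
    return [e["trace"] for e in events if e["latency_ms"] > threshold_ms]


def auth_failure_bursts(events, threshold=3):
    """Users with at least `threshold` 401 responses on /login.

    Repeated failures for one account are the kind of observation that
    should feed remediation (step-up auth, lockout review) rather than
    sit unread in a log.
    """
    failures = defaultdict(int)
    for e in events:
        if e["route"] == "/login" and e["status"] == 401:
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("error rate by route:", error_rate_by_route(evs))
    print("slow traces:", slow_traces(evs))
    print("auth failure bursts:", auth_failure_bursts(evs))
```

Each function returns data rather than printing it so the same telemetry can drive a dashboard, an alert and a post-incident review; that reuse of one event stream for engineering and security questions is what distinguishes observability from a security-only log pipeline.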


[i] Kane, Phillips, Copulsky, Andrus. The Technology Fallacy. MIT Press, 2019. pp. 14-15.

[ii] Statista, “Global cybersecurity market forecast 2021-2026.”

[iii] Proctor, Paul. “Cybersecurity Must Be Treated as a Business Decision.” Gartner, 7/14/2020.

[iv] Cooney, Michael. “Gartner: Top strategic technology trends for 2021: Cybersecurity mesh, AI engineering, and distributed cloud services are among the top trends that Gartner says will shape future enterprise IT operations.” 10/19/2020, via ProQuest.

[v] Kane, Nanda, Phillips, Copulsky. The Transformation Myth. MIT Press, 2021. pp. 125-126.

[vi] Palo Alto Networks. “What is a Zero Trust Architecture?”

[vii] Pollard, Carielli & Mellen. “CISOs and the Next Era of Security Visibility: Observability.” Forrester Research, 10/18/2021.


8 comments

  1. I work at VMware and we have been seeing an explosion in SASE. I think it’s picking up really fast and a lot of companies are moving in that direction. The cybersecurity company is really competitive too; there are many mergers and acquisitions to build and acquire technology. Great post!

  2. I am sure none of these solutions or recommendations are a one size fits all sort of venture, but I do wonder if the size and type of firm would indicate a better strategy. If you consider a smaller company, the zero trust method may seem like an over-response where it may be better fit for something with silos and larger audiences. I would also agree that observability will (and should?) be a part of most cybersecurity efforts at any company — it feels very common sense?

  3. I still confuse myself with day zero and zero trust…really cool blog post! I like that you keep going down the cyber route. Have you taken cyber security with Len? If not, you should look into it. We talk a lot about current events and why they are happening. I really liked your breakdown of the cyber vernacular. Great post!

  4. Even within the tech industry, where I feel like I have a solid grasp on coding and architecture etc., cyber security has always seemed too daunting for me to really understand… but your blog does an incredible job of breaking down the problem and current state of affairs! I do believe that the highest levels of leadership in most companies still don’t even grasp the potential severity of a cyber attack on their systems. Hackers and malicious actors online in general are so advanced with their methods to find cracks in enterprise solutions that it takes a really effective cyber sec team to mitigate those risks. As cyber security continues to become more important to company success, I think leadership will need to be very flexible in allowing the cyber security team to make any live-time changes necessary to keep up with the new types of attacks being developed every day.

  5. Your article reminded me of a cryptographic technology called zk-SNARKs. This tech was first deployed to the Zcash blockchain (a hard fork of BTC) and is now being used throughout the industry. The technology enables a party to prove possession of certain information, e.g. a secret key, without revealing that information, and without any interaction between the prover and verifier. This results in transferring genuine data without revealing your identity to anyone including the individual you are transacting with. (https://z.cash/technology/zksnarks/)

  6. Nice post. Always enjoy some deep GOT references in tech blogs!

  7. Great post! I’m currently a TA for this Forensic Accounting class, and in the lectures we discussed the increasing prevalence of cyber attacks as society relies more and more on technology. As you described, cybersecurity is an “unforeseen vulnerability.” The only way to protect yourself against unforeseen vulnerabilities is preventative measures, because lack of awareness and lack of understanding surely contribute to cyber attacks.

  8. Great post Christina! I should have talked about SASE during my presentation on the Edge. It would have been useful content so thanks for bringing it to the attention of the class. Like Kanal is seeing at VMware, I’m also seeing it being talked about a lot at Dell where I work.
