Early in the semester, Professor Kane shared the “knowing-doing gap,” where 87% of enterprises believe digital technologies will disrupt their business, but only half are adequately prepared for such disruptions[i]. One component contributing to this inaction may be related to concerns about cybersecurity. These hesitations are likely only exacerbated by the nebulous and ever-changing digital landscape. It can be difficult to keep up with the dizzying array of cybersecurity threats, solutions and buzzwords that crop up with ever more frequency. And now, safeguarding the novel and unexplored realm of things like the “metaverse” further confounds an already daunting undertaking.
For enterprise executives, choosing the best cybersecurity strategy is rife with uncertainty: what may be billed as the premier solution today could be obsolete or proven to be riddled with unforeseen vulnerabilities by tomorrow. Not only are you tasked with protecting your company’s assets, but shifting to a digital and distributed infrastructure also introduces new vulnerabilities that could irreversibly damage the company’s reputation, destroy shareholder value and fracture consumer trust. Companies may also face fines and lawsuits if resulting investigations reveal that appropriate baseline security measures were out of compliance.
The global cybersecurity market is currently valued at a whopping $218 billion and projected to grow to $345.4 billion by 2026[ii]. That’s greater than the GDPs of nearly 80% of the world’s countries and territories! These staggering figures belie a trend of slowing growth in cybersecurity spend, even as the need for amped up defense becomes ever more imperative. Gartner research indicates that CEO skepticism around years of heavy investments with unclear results may signal a broader disconnect between cybersecurity and “business decision making”[iii], which contributes to the stall in forecasted spend.
As the pandemic has illustrated, the need for digitization is undeniable. But does being nimble necessitate a tradeoff with being cyber secure? Are companies investing in the right strategies?
Considerations & Solutions
From time immemorial, people have been devising ways to cleverly penetrate defense systems once deemed impenetrable (who can forget the story of the Trojan Horse, or – spoiler alert – Game of Thrones season 7, episode 7?? Actually, come to think of it, season 7 episode 1, season 6 episode 10, season 4 episode 4……well, you get the drift).
Naturally this quest for infiltration in pursuit of some gain, whether monetary, ideological, fame-driven, etc., extends to the relatively nascent cyber/digital – and now “meta” – landscapes. That is to say, breaches always have been a part of society and will be here to stay, regardless of the forum. Perhaps the best defense is to architect underlying systems and processes to be resilient in recovering from crises when being impervious is not an option. Gartner coined the term “architecting resilience”[iv] in reference to delivering a product or service to meet evolving customer preferences, but I find that expression to be apt here.
In The Transformation Myth, Professor Kane et al. highlight a commonly held but surprisingly undervalued tenet: one of the most critical aspects of cybersecurity is organizationally and individually driven[v]. As Lisa Rager, head of Risk Management at Tesla, is quoted as saying in the book, “lack of awareness and lack of understanding about the appropriate way to do things is the number one cause of data loss.” Countless enterprise trainings emphasize this point, and yet we continue to see employee error as the gateway point for attacks or outages.
As executives redefine their cybersecurity strategies and decide where to invest accordingly, a combination of selecting the right systems, architecting those systems for resilience and equipping employees with different training (shifting the mindset) will generate the ROI that perhaps was elusive in previous iterations.
Breaking Down Buzzwords
A few of my favorite terms of late:
Zero Trust
This is really more of a strategic initiative rather than a solution or a tangible product. As the name implies, network security is designed on the premise that nothing can or should be trusted – this originates from cracks in the previously held security belief that “everything inside an organization’s network should be trusted.”[vi]
SASE
(Pronounced “sassy”) Secure Access Service Edge is among the latest in security offerings for distributed networks and cloud computing. Designed specifically to address security concerns that come with moving further out towards the edge, SASE brings traditional security measures out of the centralized data center or enterprise location directly to the end device/end user. This framework helps to mitigate exposure created by decentralization by effectively securing each edge node and device, and will be critical as edge computing becomes increasingly prevalent.
Cybersecurity Mesh
Visualize a yard or field filled with a company’s devices and access points (“nodes”). Current security measures are architected such that a perimeter is built around that yard/field, like a fence. Cybersecurity Mesh is effectively encasing each individual device or node in its own perimeter. As cyber-assets are increasingly located outside of traditional perimeters, enterprises will need to adapt to encode or enclose them in new ways.
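The difference between the fence-around-the-yard model and the per-request, per-node checks that Zero Trust and Cybersecurity Mesh describe, as an added example (not code from the original post or from any vendor named here); the network range, the users, the device posture flags and the entitlement table are all constructed for illustration:

```python
# Added example (not from the original post): a perimeter access decision next to
# a per-request decision that ignores network location. All names, networks and
# entitlements below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed corporate network range; the perimeter model trusts anything inside it.
CORPORATE_LAN = ip_network("10.0.0.0/8")

# Constructed entitlement table: (principal, resource, action) triples that are allowed.
ENTITLEMENTS = {
    ("alice", "payroll-db", "read"),
    ("alice", "payroll-db", "write"),
    ("bob", "wiki", "read"),
}


@dataclass(frozen=True)
class Request:
    source_ip: str
    user: Optional[str]       # identity proven by an authenticated session, None if absent
    mfa: bool                 # whether that session completed multi-factor authentication
    device_compliant: bool    # result of a device posture check (managed, patched, encrypted)
    resource: str
    action: str


def perimeter_allows(req: Request) -> bool:
    """Fence model: being inside the network is the only thing checked."""
    return ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Per-request model: identity, device health and entitlement are verified for
    every request, and the source network is deliberately not consulted."""
    if req.user is None:
        return False, "no authenticated identity"
    if not req.mfa:
        return False, "MFA not completed"
    if not req.device_compliant:
        return False, "device posture check failed"
    if (req.user, req.resource, req.action) not in ENTITLEMENTS:
        return False, "principal not entitled to this action"
    return True, "allowed"


def compare(req: Request) -> dict:
    """Evaluate one request under both models; the reason string keeps denials auditable."""
    zt_ok, reason = zero_trust_allows(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": zt_ok, "reason": reason}


# Constructed scenarios:
#  1. A host inside the LAN with no authenticated user (think of a compromised printer)
#     asking to read the payroll database.
#  2. Alice working remotely from a managed, MFA-verified laptop.
#  3. Bob, inside the LAN and fully verified, but not entitled to payroll data.
SCENARIOS = {
    "unauthenticated_internal_host": Request("10.20.30.40", None, False, False, "payroll-db", "read"),
    "alice_remote_verified": Request("203.0.113.7", "alice", True, True, "payroll-db", "write"),
    "bob_internal_not_entitled": Request("10.1.2.3", "bob", True, True, "payroll-db", "read"),
}


def run_scenarios() -> dict:
    """Return the decision of both models for every constructed scenario."""
    return {name: compare(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The first scenario is the one the fence cannot see: a device is inside the yard, so the perimeter model lets it read payroll, while the per-request model denies it for lacking any identity. The second shows the reverse, a legitimate remote user whom the perimeter would block but who passes every per-request check. The third shows that even a verified insider is held to the entitlement table, which is the per-node perimeter the mesh metaphor describes.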
Observability
Analysts at Forrester Research predict this term will be ubiquitous in the security realm in short order. Already a common term among developers, observability is about “understanding what code does in production, how it works, how it fails, and how it’s experienced by end users.”[vii] For security, this ultimately means adapting security measures and remediation based on those observations.
[i] Kane, Phillips, Copulsky, Andrus. The Technology Fallacy. MIT Press, 2019, pp. 14-15.
[iii] Proctor, Paul. “Cybersecurity Must Be Treated as a Business Decision.” Gartner (gartner.com), 7/14/2020.
[iv] Cooney, Michael. “Gartner: Top strategic technology trends for 2021: Cybersecurity mesh, AI engineering, and distributed cloud services are among the top trends that Gartner says will shape future enterprise IT operations.” 10/19/2020 (ProQuest); reporting on Gartner, “Top Strategic Technology Trends for 2021.”
[v] Kane, Nanda, Phillips, Copulsky. The Transformation Myth. MIT Press, 2021, pp. 125-126.
[vi] Palo Alto Networks. “What is a Zero Trust Architecture?”
[vii] Pollard, Carielli & Mellen. “CISOs and the Next Era of Security Visibility: Observability.” Forrester Research (forrester.com), 10/18/2021.