Chuck's Blog

The Big Picture

Information is the life blood of so many business models, and it shows no signs of slowing down: more information, from more sources, used in more places, with more unpleasant potential consequences than ever before.  Indeed, there's a new mandate to accelerate the transition to "digital business models" -- ones almost entirely based on information.

People very close to the action appear to have a good understanding of the situation at hand; but the executive ranks appear to only have a modest awareness regarding the serious challenges (and opportunities) at hand: what's at stake, and what needs to be done.

RSA's Art Coviello wrote a great piece for Forbes magazine, essentially capturing the "state of the state" with regards to information security, at the non-specialist level.  Personally, I like the fact that he points out that -- at one time we appeared to have matters reasonably in hand, but that no longer is the case.

His suggested agenda for closing the gap is simple yet effective, yet doesn't require a PhD in cybersecurity to understand.

1.  Make Security A Board-Level Priority

I know, this might sound somewhat trite -- but, in this case, the recommendation appears to be merited.  A major change in strategy is indicated -- one that goes far outside conventional approaches.  

When big changes are warranted, the Big Kahunas need to be engaged.

For me, the most powerful analogies are those between information systems and financial systems.  If you couldn't trust the integrity of your financial systems, that would justifiably be a very serious board-level concern.  

What if you couldn't trust the integrity of your information systems?  Certainly, the consequences could be at least as severe as a breach of integrity in financial systems -- maybe even much more severe.

But the latest research isn't particularly encouraging.  As part of the RSA Conference activities, CMU's CyLab (Carnegie Mellon University) released its third survey on how boards and senior executives are governing the privacy and security of their organizations’ digital assets.  The tone of the findings is, well, rather dark.

But, as you read through, you'll see some signs of progress.  For example, the creation of Risk Committees at the board level, completely independent of the more familiar audit functions is a positive step.  

And a quarter of the respondents stated that they had someone on the board with a cybersecurity background.  Most encouragingly, 94% of the responses indicated a formal ERM (enterprise risk management program), virtually all of which had a strong cyber component.

One of the recommendations made particular sense to me:  review annual IT budgets for privacy and security, separate from the CIO’s budget.

2.  Continue to Evolve our Thinking About Security

Art's being polite here.  What I think he really meant to say is "don't fall into the trap of thinking that yesterday's approaches will solve today's challenges".

Personally, I put it much stronger: the game has quickly and fundamentally changed, and the new patterns required for success are not like the old ones.  Business leaders, IT leaders and security leaders should be arguing for rapid change in approach, and not pursuing a path of incremental evolution.

When I feel like being controversial, I offer up that, when it comes to security, there are two kinds of organizations: those that recognize and understand that they are breached, and those that are still in denial.  

Put differently, you'll never be able to eliminate risk -- but you can invest in managing it better.

Use Big Data To Stay Ahead Of Big Threats

The modern security organization (and modern security professional) bears a striking resemblance to big data analytics and data scientists.  

The ultimate goal of both endeavors is to come up with better and better predictive models around what's likely to happen next, and not target the entire organization around what happened in the past.

Modern cybersecurity appears to require as many relevant data sources as can be reasonably inhaled -- both internal and external.  

Context is as important as content.

In this world, the "cloud" ironically becomes an enabling technology for modern security practitioners.  

For example, consider this announcement by RSA's NetWitness group, essentially augmenting internal cyberthreat security with a vast amount of external resources.  

And I think we'll see much, much of this sort of thing going forward.  The days of doing it all by yourself, solely with internal resources -- well, that's not going to be around for much longer.

Educate and Share

New world == new skills and new collaboration models.  

The "new curriculum" for advanced security professionals is still a work in progress, I believe.  We know what the key topics and concepts should be, but there's a lot of work to do in formalizing the new certifications that will likely be required.

In the meantime, a dizzying array of new forums for collaboration and sharing of advanced security knowledge have sprung up recently, industry by industry, with more undoubtedly coming.  Natural competitors have started to realize that sharing insights into advanced security can be a positive-sum game: everyone wins.

No Silver Bullet

What I find particularly refreshing about the current security discussion is that it's largely open and transparent.  It hasn't been hijacked (yet) by a bunch of vendors who naturally default in making it all about this product or that technology.  

Sure, we'll need new tools for this new world -- but the discussion doesn't start there.

As a student of business, I can point to multiple existential challenges that business leaders have learned to grapple with successfully.  Globalization.  Sustainability.  The Internet.  Compliance.  Diversity.  And much, much more.

In that context, the mandate to close the current gap on cybersecurity is very achievable.  

We just have to recognize that the answer won't be cheap, quick, or easy ...