Your Best Bet for a Safe Ride? Buckle up With a Best Practice Security Framework

I recently attended a panel interview for a potential new member of staff. Towards the end of the interview, the host asked the candidate if he had any questions, one of which was directed my way. I readied myself for what I hoped would be a fairly standard question such as "Where do I see the company going over the next 5 years?" or "What specific qualities are important in a new recruit?" In fact, what I got was a question that was ultimately more general, but one that has had me pondering ever since.

So, what was the question? "How did I expect the cybersecurity market to develop and mature over the next ten years?" Not even five years - ten years! It struck me right there and then that I wasn't certain I could give him anything credible for the next 12 months, let alone ten years. So much for an easy one, huh?

There may well be two elements to this: the way we would like things to evolve and the way that they in fact will evolve. What do I think? Well, since you asked: over the course of the next few years (I have reduced it from ten) there will be three dominant factors that shape and drive the way cybersecurity evolves.

The first is the nature of the threats themselves. Up until this year, the most valuable commodity on earth was oil. However, in 2018, for the first time ever, oil was eclipsed by data, which various sources, including The Economist, estimate to have a total global value close to $100 trillion.

That said, this article is not really about exploring the growing threat profiles, but about how we, 'the Good Guys', will respond. There are two ways: innovation and frameworks.

Nothing solves the technical challenges of this world more competently than innovation. Innovation will ultimately shape and define the way we protect cyber assets.

However, like it or not, the reality is that as long as we rely on interconnected computer technology there is, and always will be, an opportunity for a breach. On any given day you may be an innocent bystander, a jump point to reach someone or something else, collateral damage or even the specific and intended victim. The range of vectors is broad, and while we can expect innovation to assist us, magic and pervasive innovation that solves all security exposures is simply not realistic – for now at least.

So, the final thread is the simple but widescale adoption of a 'Best Practice Framework', such as the CIS Controls on offer from the Center for Internet Security.

I am old enough to remember a time when it was legal to drive a car without wearing your seatbelt. Everyone at the time knew that they really should, but since there was no legal requirement to do so, and since it was mildly inconvenient, roughly 40% of drivers would drive without one.

In 1989 it became a legal requirement here in the US. The result? Deaths from car accidents have dropped 45% and serious injuries by 50%. Our hand was forced, we adopted the known sensible option, and the situation improved.

A similar dynamic exists in our industry. It is hard to find a discerning security executive who disagrees that adopting an established framework would significantly improve their cyber defenses. Yet there is still reluctance (it is more convenient to drive without having to belt up), along with a worrying propensity to listen to security vendors rather than follow a solid framework approach.

Recent high-profile fines could have been avoided had these organizations been able to show evidence that the critical controls were in place. It is not an offense in itself to suffer a breach, but to get breached and be found not to be operating security controls? Big trouble.

There are a few to choose from, including NIST 800 and the CIS Controls. The CIS makes it really easy by providing only six Basic (essential) controls that underpin every cybersecurity initiative, with a further 14 recommended depending on an organization's risk profile. Simply adopting the first six CIS Controls will not only make you more secure, it will safeguard you from what may just be a business-threatening fine.

So, don’t wait for either legislation or a breach to get your organization operating securely – buckle up now and enjoy the ride.