Cybersecurity Innovation – Transforming the Enterprise

Impressive technology innovation in cybersecurity is significantly improving network and information protection. It is essential in an increasingly complex threat environment characterized as an unending cat-and-mouse game with malicious actors.

However, as technology becomes more ubiquitous and easy to manipulate even for non-experts, cybersecurity risks to our information will continue to grow. This is happening at an accelerated rate that can feel overwhelming to cyber defenders.  To be effective, cybersecurity innovation and its accompanying defensive strategy must address the four key pillars of technology, people, process, and policy.

The Cyber Threat as a Capability Leveler

The threats are real and pervasive.  For an adversary targeting the military, commercial industry or individuals, the internet and cyberspace present a great capability leveler to achieve a desired effect with very little investment in money or time.  For comparison and perspective, building an aircraft carrier costs upwards of $13 billion, “building” a capable hacker can cost less than $100 with tools easily available for purchase on the internet and dark web today.

The ability to execute increasingly sophisticated attacks with automated tools is becoming easier for anyone to exploit. The sad reality is those sophisticated tools  aren’t even needed when old school-approaches like phishing remain effective in allowing an adversary in. Artificial Intelligence (AI) and machine learning (ML) can be forces for good and help with cyber defenses, but we must acknowledge that they will also be used by hackers and nation state actors for offensive actions, automating and obfuscating attacks. The enemy gets a vote and we cannot “wish away” their ability to do so by being overconfident in our defenses.

An Evolving Cybersecurity Paradigm

That rapidly evolving threat coupled with exponentially accelerating and converging technologies presents a new cybersecurity paradigm. The rate of change in capability development and fielding presents both opportunities and risk. That risk can take many forms from degradation or denial of access to infrastructure or information, destruction of data, or even more insidiously changing information to achieve a desired effect.

The emergence of “deep fakes” in digital media to change data and making the most nuanced changes difficult to detect,  can induce “fog” on battlefield for the military or miscalculation among decision makers in organizations. People need to be able to trust their data and many do today without hesitation, but should they?  How do they know their data have not been changed which could lead to bad decision making or ineffective operations?

Technology like AI and ML will drive many cybersecurity solutions, operations and capabilities, but future cybersecurity innovation is not just about technology.  In the future, AI and ML will help identify even the smallest anomalies or changes in data but organizations must look at their security strategy implementation holistically to determine if they have the right framework, policy and training in place to leverage those technologies to best secure their information.

Designing a Comprehensive Organisational Cybersecurity Strategy

This requires a frequent re-examination of an organization’s comprehensive cybersecurity strategy and how that is aligned to the organization’s “no fail” missions. This analysis should include technology choices, procedures and policies for handling data and information and how people are trained  and held accountable to meet a high standard for cyber hygiene in their daily activities. From system administrators and network defenders to the average users- all have a responsibility to be proactively engaged in protecting the network.

This reaches far beyond the Information technology specialists and involves all users knowing their key mission areas and lines of effort, and what data need to be protected for those “no fail” missions to continue even if faced with a cyber attack. 

No longer is a Defense in Depth model with only end-point signature based detection and network/perimeter defenses sufficient. Attempting to protect data solely from a perimeter defense perspective is a fool’s errand and an outdated cybersecurity model, particularly when faced with new innovative technologies for data access and storage.

Information can now be dispersed across a wide range of on-premise and off-premise cloud-based networks, and infrastructure and software are increasingly purchased as a service as are the cybersecurity defenses to protect data in those operating environments. Data should be tagged and protected at the lowest possible layer (data elements) so no matter where data resides, it can be best secured using a Zero Trust model. Even the Zero Trust strategy must be re-examined and reconsidered in the evolution of robust cybersecurity as capabilities and threats rapidly change.

Standards bodies like the National Institute for Standards and Technology are a good resource for cybersecurity professionals to obtain advice and standards for implementing existing and emerging cybersecurity frameworks and strategies. 

However, implementation of an innovative cybersecurity strategy that incorporates the four key pillars cannot be slowed down by the bureaucracy of awaiting an industry standard, and cybersecurity professionals need to be lockstep with their leadership on where mission risk is accepted.

Baking In Cybersecurity from Product Design to Delivery

Cybersecurity needs to be a key design criteria for all emerging technology like Internet of Things (IoT) devices, robotics and autonomous vehicles, cloud capabilities, and 5G.  It must be “baked in” not “sprinkled on” as an afterthought.  Innovation in cybersecurity for those emerging technologies should address the art of the possible in terms of potential adversary creativity and address worst case scenarios. This means the team identifying those potential exploits cannot just be traditional cyber defenders or network engineers.

Teams need to think like an adversary and include those with experience in ethical hacking or actual offensive operations.  Opening up capabilities in a system of systems approach to scrutiny early in the design and fielding process through Bug Bounty type programs can also provide exceptional insight on vulnerabilities that the design team may miss and can result in a more secure operating environment.

Techonolgical Cybersecurity Enablers

We can use the commercial cloud to illustrate a practical example of applying the four key pillars of technology, people, process and policy for cybersecurity innovation. On the technology front, procuring platform, infrastructure and software as a service through the use of commercial cloud technologies is an attractive alternative to buying, installing and operating one’s own hardware and software.  Commercial cloud providers can also provide flexibility to scale capacity more quickly and the potential for improved data protection through speed of implementation of cybersecurity measures.

Application of AI and ML to large cybersecurity data sets and infrastructure will discover nuanced anomalous behavior over a large platform with disparate data and is essential to realize a proactive cyber defensive posture. While the cybersecurity benefits of using the commercial cloud are significant, it cannot be understated that cybersecurity responsibilities for data in a commercial cloud are shared between the commercial cloud vendor and the data owner.

Cybersecurity Process and Policy

So moving beyond technology, we need to have process and policy in place for protecting the data wherever they reside. Fully understanding the cybersecurity posture, processes and procedures of the provider and having those unambiguously defined in contracts is essential to avoid miscalculations particularly during a cybersecurity incident.

The ability to “command and control” information in the commercial cloud must be clearly understood- what does the vendor do specifically to detect, react and restore from malicious activity and on what pieces of the infrastructure or data do they do that?  What is the data or application owner responsible for and how do they continue to detect, react, and restore from an incident when the intrusion may be on their improperly configured application riding the vendor’s secured infrastructure? This relationship needs to be fully articulated and understood.

For the data owner, understanding the cybersecurity defensive model and specifics of execution used by the vendor (i.e., defense in depth, zero-trust, hybrid model) is imperative. In all cases the data owner should assume a zero-trust model for their data which may be virtualized or horizontally partitioned out across a global infrastructure.

Fostering a Cybersecurity Culture

Finally, people need to be trained on how their data are secured in the cloud and their individual responsibilities as application owners, data/content providers, or simply data users. As noted, data should be prioritized and that critical, “no fail mission” data should be protected above other non-mission critical data.

Individual users and application owners responsibilities should also be clearly defined in organizational policy documents and those that violate data protection policies should be held accountable. Creating and sustaining a culture of high standards for data protection and cyber hygiene, where everyone  understands their role, is critical to the survival of the organization and an emphasis on this being an all hands responsibility is imperative.

This message should be repeatedly reinforced in words and action by all leadership throughout the organization and not simply relegated to the Chief Information Officer or Information Technology department.

The trend of technology accelerating and converging at unprecedented speed will continue, and so must cybersecurity innovation. Organizations that incorporate a comprehensive cybersecurity approach that aligns technology with innovative processes, policy and people elements and understand where risk can be accepted will continually transform their enterprise and be best positioned for success.