Situational Drivers of Cyber-Risk
Many years ago I wrote down a list of the drivers that create information / cyber-risk or that otherwise compel the need to mitigate this risk. They all, perhaps unsurprisingly, remain consistent. I don’t think it is necessarily disappointing that this is the case. In many respects a lot of them are just a fact of life that we need to keep dealing with (a lot like the more fundamental drivers). As such many seem obvious. This, of course, begs the question for some of them whether the world is investing enough in either adjusting that driver or innovating enough to deal with its consequences. Here’s the list:
Threat actors and their capability / motivation will continue to increase and methods of exploitation will increase in sophistication and, especially, stealth.
Scale will drive increasing intolerance even for very low rates of error / incidents (even 6 sigma on a massive scale is still a large number).
Inherent risk will increase as more services and markets are digitized / connected. Customers and supply chains will be more deeply targeted - both will need assistance.
Supply chains will be more inherently digital (software and services) and vulnerable to attack, which will also impact physical supply chains (directly or through "digital twins").
Regulatory and legislative expectations will continue to increase, continuous evidencing of conformance to multiple standards will be expected.
The perception of security will matter as much as real security. Security visibility efforts will be ever more important as real transparency will continue to be hard: Risk = Hazard + Outrage.
Creating and adopting secure products not just layering on security products will remain increasingly important as talent will remain scarce. As a result more secure (or perceived to be secure) services will attract more use.
Cyber-workforce challenges (skills and scarcity) will be better addressed by 10X improvements in productivity vs. only 10% improvements in the numbers of professionals.
Central IT functions will be replaced or augmented by a more complex eco-system of platforms. The enterprise becomes ever more like the consumer market and is heavily influenced by customers and employees expecting that degree of function and convenience.
Commercial and open sourced technologies will continue to be inadequately protected by default and will require post-engineering work to increase their security level for specific use cases.
Continued investment / adjustment of defenses will be the norm as threats, vulnerabilities and risk change. Complexity will always need to be tamed.
Cyber resilience, rapid response / recovery and the ability to operate occasionally in degraded states will be necessary. Continued investment in protective and detective controls working together is critical. Organizations will be differentiated by the speed of their threat —> defense OODA loop.
The most valuable security telemetry will come from the “digital exhaust” of all your other instrumentation, not just from dedicated security sensors.
The world has made progress across all of these. But, the interplay between some of the drivers means it often doesn’t feel like that. For example, threats continue to increase as does the digitization of life which creates a bigger attack surface (in its most general sense). So, even though many vendors and open source projects are producing more secure and reliable solutions they are still occasionally shown or perceived to be vulnerable. However, to strike a note of optimism in a sea of a lot of short-term pessimism I think our collected feedback loop of finding and correcting vulnerabilities as well as detecting and responding to threats is improving - despite the occasional one-step back before the two-steps forward. I am optimistic as more product vendors and service providers are shifting to mitigate whole classes of attacks with well-architected defensive frameworks not just product specific control.
Bottom line: to paraphrase Churchill, we are perhaps not at the beginning of the end, but I think we very well may be at the end of the beginning. Secure products and services are gradually displacing after-the-fact bolted on security products and services. This, and the articulation of more secure defaults, blueprints, architecture, better corrective feedback loops, and closer partnership to thwart adversaries has me remaining long-term optimistic.