Cyber security is a set of people, process and technical practices aimed at protecting critical infrastructures, digital business and sensitive information from internal and external threats or negligence. It is a field that is continuously in motion, perhaps even more than IT itself. Still, the essence remains to guard the qualities of IT that make it the reliable resource that business and society have come to depend on: confidentiality, integrity and availability. But what are the changes that the industry is experiencing today? What matters now? The themes that we discuss can be grouped under these grand questions:
1. Can we trust the system?
The biggest discussion of today is a fundamental question about the reliability and security of the Internet and perhaps technology as a whole. The Internet was never designed with security in mind and today it is very clear that it’s possible to compromise almost anything a dedicated hacker sets his mind to. Security and trust are now center stage in the public debate. This is triggering new research and innovation to make the Internet a more secure infrastructure.
2. Can we make the organizations more secure?
The next level down is about creating a secure organization that can survive and thrive in the midst of imperfect technologies. To achieve this, to build a security culture in the company, the conversation has to pivot from fear to value. As threats become more sophisticated and targeted, and their associated impact on organizations becomes increasingly significant, security must evolve from focusing on fear and risk to an understanding that establishing and maintaining trust and confidence can, and will be, a competitive differentiator across industry and government. Security is no longer an IT risk, but an enterprise business risk, so it must be managed accordingly. In addition, it has become both accepted and widely understood that attacks and incidents are questions of “when,” not “if,” and as a result, practices associated with detection and response must be an essential, multi-disciplinary part of any organization’s security strategy.
3. Can our people win the game?
Right now, the reality is that sophisticated attackers are breaking through conventional safeguards every day. They have a number of strategic advantages over those tasked with defending networks, namely the element of surprise, the ability to research and target specific, unsuspecting individuals, infrastructure complexity and a global cyber security workforce that is already stretched thin. The general population is not composed of security experts, and the imbalance of expertise on each end of a spear phishing email is a significant strategic and tactical advantage for attackers. For security professionals, addressing these concerns involves a combination of more robust skills development programs, infrastructure simplification, more advanced analysis and response capabilities, as well as user education and empowerment.
4. What will technology bring next?
In one study, 70% of security executives expressed concern about cloud and mobile security. These IT shifts challenge conventional security models and require not only new technology, processes and policy, but also significant culture change associated with the nature of control. However, these changes also provide new opportunities. Secure-by-design principles, which have been developed from years of experience, can be applied at the onset of new projects and deployments. Cloud offers new delivery models for security and threat intelligence. Big data and analytics offer the promise of changing the IT security industry in the same way that business and industry now rely on data and the associated analysis to understand trends and make decisions. Ultimately, the cyber security game will not have an end, and there will be no definite winners and losers, but that end can be replaced with the persistent pursuit of strategic advantage, a rebalancing of the equation between attacker and defender. By combining forces, by taking time to reflect and consider what is really happening and by diligently applying what we have and know, organizations can get ahead, which is as close to winning as exists in this industry.