We certainly live in interesting times. One might argue we have seen better ones, but the point I wish to make is different. All throughout history, times of change have given rise to new ideas, models, and paradigms in society and business alike. We are now witnessing the transition from a fully analogue world to one that is heavily digital, and likely to become more and more biased on the latter side in business and government practices.
As it goes, whenever a new paradigm sets in, the natural reaction is to adapt existing strategies, policies and techniques. When the automobile was first introduced, the rules and experience governing the design of horse-drawn carriages where inherited by the new horse-less device and stuck for quite a while. In IT we have observed a similar phenomenon. Throughout decades, when the focus was on supporting operations and helping win improved efficiency, IT was secluded to the room of the technician, a sort of unwanted cost and necessary component made unpleasant and oftentimes non-intelligible by the arcane jargon of those who ran it. Anyway, most of the time, IT was kept afar from the board room. Few CIOs reported into their CEOs, and limited epiphanies of the strategic appreciation of the value of IT in the organisation could be reported.
In those early days, one upside was that threats were relatively modest and limited. The enterprise was sufficiently monolithic and capable of fencing out potential attackers and associated damages. A perimeter of defence was sufficiently well shaped and its monitoring and control was simply good enough. In a recent article, The importance of zero-trust and an adaptive perimeter in cyber fortifications, my friend and colleague Nick Evans has compared this situation to a medieval castle and how cyber defences need to adapt in the same way as castle defences have adapted over time. In fact, that is a good analogy. However, history tells us that very few castles have been able to bounce back well-driven attacks. There is always a small window of opportunity: perhaps someone within the walls willing to let someone in from the outside … Anyway, the perimeter-based security strategy has paid out handsomely over a long period of time.
Enter the digital revolution. When everything is digital, IT is no longer a mere support to operations as the essence of business itself is based on data, information, communications, exchange of knowledge and transactions anywhere, anytime and with any device. In such context, things start changing dramatically. For one, the previously defined “perimeters” no longer hold. Going digital implies extending the reach, engaging in new co-operative models, partaking of someone else’s technology and business processes. Data no longer resides in one vault. It is scattered all throughout the cyber world, partly hosted within one’s control, partly residing on employee’s devices – oftentimes not owned or controlled by the employer – and partly dispersed somewhere in a cyber-cloud.
So, how does a perimeter-based approach to security change when the perimeter is no longer evident or existent at all? This simple, straightforward question is apparently still largely ignored or neglected by the vast majority or organisations. We see old defence models applied, oftentimes patchy and sort of following problems as they come to evidence. This situation is the result of three major problems:
1) As said above, the disconnect between IT and the business – and worse still, the Board – is difficult to reconcile by pure act of will. Incidentally, senior members of the board have often made statements of pride about their neglect of anything IT, as if business and IT were separate worlds. Now that the digital economy has made them one, the ignorance at the board level about all matters IT is still relevant and largely non-addressed;
2) IT staff has rarely been able to speak the language of business. In business presentations, most messages delivered by IT staff come across as complex, vague and non-transparent. The inability of addressing in simple terms the needs of the business has on average made the CIO a sort of necessary burden, a painful element one has to accept, but hardly influential on business decisions even at operational level;
3) The culture of risk management is limited, often missing or non-pervasive, addressing business-specific themes but often omitting to consider business as a whole, a result of many factors. Risk-adverse companies tend to over-rule, often missing the point of what risk management is about, and inducing rigidity in the fabric of the organisation. The growing pace of cyber-attacks, their increasing sophistication and complexity, should worry the organisation at top level about governance models and a comprehensive approach to risk management. The latter, however, is not made up of artificial segments. For instance, we still see in virtually all enterprises a traditional separation between physical and digital security. This situation is counter-intuitive, as if the organisation would not span across both worlds – physical and digital – at any given time and location. Old rules tend to separate, say, physical access control reporting into the facility management functions, from the logical access control overseen by IT. Traditionally, a gap exists between the two situations, resulting in weakness and separation of responsibilities, non-coherent and integrated solutions and uncertain accountability.
Governance is key, but what governance is meaningful in today’s digital economy without a sound understanding of cyber-threats and, therefore, applicable, viable and effective cyber-security measures? In fact, one has to juggle three balls constantly in the air: enough security, acceptable costs and appropriate agility. Striking a balance that is good enough for one organisation is not art or magic. It descends from sound, methodology-based consideration on the nature of the business, the possible risks and the assessment of their possible consequences, the adaptation of the system of investments, rewards and control throughout the organisation. Cyber-security is not a piece of technology, or a sophisticated solution. It’s a state of mind and a cultural element interwoven in the fabric of the organisation, at all levels.
In the following weeks we’ll review in more detail what this means in terms of commitment, decisions, defence models and priority investments in view of a better-suited digital business environment – safer, more agile and boasting a winning edge.