Our world is going through an evolutionary transformation. Societies, humans, and organizations have grown into a new substrate. Digital. The transformation is irreversible, the pace is faster than ever, and we are just at the beginning of this era. The pace will get even faster.
One of the reasons behind this prediction is that IoT, machine learning, quantum computing, AI, and other emerging technologies are still only in their early evolutionary cycles. The real power of these capabilities and technologies is far from fully realized. Progress in development and advancement is made every day. And the digital evolution, from a macro perspective, is also still in its early phases. This is just the beginning.
The digital substrate has enabled and provided our world with totally new forms and opportunities. For example, how we as individuals and organizations are communicating, interacting, integrating, exchanging data/information, and so forth. We are more connected than ever before and more interrelated with each other. We are living in an amazing era where technology is a true value-adding asset in many different shapes and forms.
And without getting too philosophical, we are, in my personal opinion, already interacting and manifesting ourselves partly as cyborgs. It may sound like hippie sh*t, but think about it for a second. Daily life, for many of us humans, is in one way or another strongly related to and dependent on devices and technologies that enhance our everyday life.
And many everyday life activities have moved into our devices, e.g. smartphones. The smartphone can today be seen as a digital manifestation of our physical selves, or as a digital extension. And there will be more to come when technologies such as virtual reality (VR), augmented reality (AR), mixed reality (MR), and extended reality (XR) become more and more mature. Just think about it: the loss of a smartphone/smart device today is something totally different compared to losing a mobile phone 10-20 years back in time. And I also think that losing a smartphone today will be something different again if we extrapolate 10-20 years into the future.
At the moment we are still only at the beginning of this adventure, the digital substrate. The world we live in today is fascinating in so many ways! Technology has, for example, enabled certain kinds of surgeries to be conducted remotely. Cities can use smart technologies to optimize resources. Cars and trucks can drive themselves. Global environmental sustainability can be improved with the help of AI. Technology is used in schools to enhance and improve learning for our younger generations. Education and knowledge are shared more than ever before. These are just a few examples that we almost take for granted right now. But we should also be aware that this does not apply to everyone living on our planet. Not all countries and societies have the same digital penetration, e.g. internet connectivity, infrastructure, communication coverage, knowledge, skills, etc.
THE ASYMMETRIC LANDSCAPE of security
Part of this evolutionary transformation and the opportunities it provides us with has also generated problematic and challenging scenarios. One of the fastest growing problems for our world is the explosion of cyber security threats and attacks. As digitalization grows into more and more horizontals and verticals, within our organizations and in society, cyber threats and attacks are today a true problem affecting us as humans. Critical infrastructure such as, for example but not limited to, power plants, water pipelines, air traffic, hospitals, and medical devices is today often connected to the internet. Critical infrastructure is today considered a highly valuable asset by adversarial threat actors, due to (for example) the amplified negative impact cyber-attacks can have on us as humans, on society, or monetarily on private organizations. We together need to help each other to develop sustainable and resilient defensive cyber security capabilities. Cyber security is not a one-man show.
In this blog, I will, from time to time, fall back on the word “resilience”. There are many different descriptions out there of what this word means, and I will not argue against those. I am totally fine with others looking at resilience as something else or putting another meaning into it. I see resilience as, and will refer to the word as:
“Resilience is the product of the capabilities for how an organization or individual is prepared for any form of disturbing or harmful event and, from that, is able to return to an operational state.”
So why is resilience important, and why should it be a highly prioritized subject in cyber security? The digital ecosystem and cyber security landscape are highly asymmetric: the scales are very unevenly balanced between those who carry out the attacks compared to those defending against the attacks. Many societies and organizations are today struggling to keep pace with digital enablement (e.g., realizing value for their organizations through digital capabilities) while at the same time protecting their assets (humans, intellectual property, IT landscape, patents, monetary assets, brands, etc.). Defending organizations have to defend against every kind of attack, while the attackers just need to identify one weakness to exploit.
Cyber security, as I see it, is not a discipline that should be treated, concentrated, or focused only on technology. To achieve adequate protection, an organization needs to understand its current cyber security posture and maturity from three perspectives: Humans, Processes, and Technologies.
security is about HUMANS, PROCESSES & TECHNOLOGIES
An organization’s defensive cyber security capabilities need to be adequately balanced between all three perspectives in relation to the organization's cyber security requirements. The term “adequately balanced” for me means that an organization needs to craft its cyber security posture according to its cyber security requirements. An organization’s cyber security requirements depend on, for example, industry, culture, market, history, internal/external security compliance, regulations, laws, assets (e.g. humans, intellectual property, patents, business information, and data), threats, vulnerabilities, and risks (+ tolerance, capacity, appetite). There is no silver bullet, no one-size-fits-all solution. The solution needs to be adapted and built around three fundamentals: Humans, Processes, and Technologies. And the capabilities need to be continually managed and improved to reduce potential weaknesses and vulnerabilities.
I believe that we together, since cyber security is something that involves and concerns everyone, need to help each other to achieve a digital ecosystem that is more resilient against cyber security threats and attacks. There is so much information, knowledge, experience, and wisdom available to be shared. This blog is my way of trying to contribute to making the digital ecosystem and cyber security landscape a safer place.
The digital transformation will not slow down; it is here to stay and will only reach a higher penetration rate and pace. The creation of protection that is sustainable and resilient over time for our organizations and society needs to follow the digital transformation and evolution. And we need to start now, and in doing so I think it is best to start from where we are.
Besides those threats and attacks that we are facing right now, there is a strong need to start discussions around emerging risks related to cyber security. Personally, I think that this was something that was missed out on when it came to cloud services. Many organizations dived in head first without contemplating the risks. I truly believe in digital enablement, through the cloud or on-prem services, but investments need to be calculated and assessed from a risk and reward perspective. This does not only mean that a business case needs to be developed to rationalize the monetary investments, but also that a sound risk assessment from a cyber security perspective needs to be conducted.
I think that the primary success factor for achieving this without a negative experience from a business perspective is to educate the involved stakeholders about “why” this exercise is important. And of course, don’t make things more complicated than needed. Keep things pragmatic and in relation to the value of the assets that are to be protected. Not every asset in an organization is equally important from a business/regulatory/jurisdictional/etc. perspective, and for this reason not all assets need the same type of protective measures. There are several ways to find out and identify which assets are most important, and this is a topic of its own, so I will leave you with this cliffhanger for now.
Doing the work TOGETHER!
Does your organization have a clear understanding of which assets are categorized as the most important for you? If yes, has, for example, an impact analysis or risk assessment been conducted to assess what happens if those assets are damaged or harmed, from a confidentiality, integrity, availability, traceability, or regulatory perspective?
Start where you are. Start now. Help each other. Communicate. Educate. Lead and be led. Strive for increased resilience. Together.