Building Resilience Against Evolving Technology: An Interview With a Cyber Risk Expert
Emerging technologies are rife with opportunities for organizations of all shapes and sizes. Self-driving cars may be some ways into the future still, but connected devices in hospitals, factories and homes are already sharing troves of data for better analytics and decision-making. Workloads are moving to the cloud, and digital personal assistants are becoming commonplace for both enterprises and consumers.
For all their exciting potential, these new technologies also introduce threats, and security and business leaders must weigh the benefits against the risks that follow. As cybersecurity professionals prepare to convene at IBM’s Think 2018 conference, conversations about cyber risk are front and center. Many organizations recognize that addressing these risks will require them to transform their security programs to keep their business, customers and employees secure.
A Cyber Risk Expert Weighs In on Emerging Threats
With these concerns in mind, I asked Tim Roberts, vice president, partner and global leader for IBM’s Security Strategy, Risk and Compliance practice, to share his views on this security transformation.
Question: What types of risks are introduced with new and emerging technologies today?
Roberts: New and recent technologies bring a complex set of risks with them specific to each technology, but they also bring a macro risk all new technologies bring — the risk that they are adopted before they are properly understood and, as a result, are not managed effectively. If the risk management isn’t as advanced as the technology, the business will fail — it is just a matter of time.
There is an analogy with the financial crisis here. The ability of financial institutions to make money from originating, repackaging and trading credit risk far outran their ability to understand and manage the risks from this new liquid credit market. As a result, the credit market crashed and banks failed. In the same way, if firms rush ahead with big data, new digital channels and the Internet of Things (IoT) and cannot manage the risks to their customers, their data and their systems, they will fail — or be fined hugely under regulations like GDPR.
If you rush out a self-driving car to the market without having protected it adequately from hacking or disruption by third parties, people are going to get killed. We’ve got to address the risk issues at the same time as we pursue commercial opportunities from these technologies. Security cannot be an afterthought.
What about these new risks is most worrisome to you?
I think a big concern is the sheer scale of the risks that are introduced when we begin to leverage technologies that connect more things and people together. These technology breakthroughs are intended for the public good, but they’re also openings for malicious action. Mass digitization of data, proliferation of connections and even artificial intelligence will stress security like nothing we’ve seen.
So this interconnectedness you are describing means the impacts of these risks will be much greater. Will this interconnectedness make the risks harder to address too?
Absolutely. Risks associated with big data, advanced analytics, cloud, the IoT, changing compliance mandates and artificial intelligence such as personal assistants and bots are not just individual items to be addressed in silos — they add and combine in unhelpful ways to multiply the total risk exposure.
For example, if you combine the complexity of a digital business model with regulatory change, you get greater regulatory risk. A big data strategy coming to life on cloud operating models means greater problems to localize and map data. And finally, if you compound the IoT with critical infrastructures and regulations not keeping up, you get major national challenges and, potentially, critical infrastructure that isn’t resilient. Operators of critical infrastructure are entering a period of sharply escalated risk.
Are organizations prepared today to manage these risks?
The reality is that many firms are still not starting in a strong place as they seek to understand and manage these new risks. In other words, they still don’t have the basics right, so they are not in a good position to protect themselves against new, escalating risks.
Even before new risks are considered, security leaders are still working hard to get their organizations to a strong level of security and resilience. Just as it is said that generals tend to prepare to fight the last war again, rather than prepare for the next war, we need security leaders to look ahead to new risks at the same time as fixing the existing deficit in security capabilities. This will require strong support from the board and the C-level executive team.
What is getting in the way of good cybersecurity and risk management programs?
There are multiple, long-standing challenges. First, in many firms, there is a disconnect between business strategy and risk management. Business strategy is at the forefront of the board’s thinking, and risk management, while important, is often addressed as an afterthought. It’s a cost of doing business, not a strategic initiative in the minds of most board members.
Many clients we talk to understand this disconnect between the board and the technical functions of technology and security, but it’s not trivial to try to connect the two, partly because many boards don’t speak the language of security. It’s a technical language. It’s full of jargon and it’s difficult to bring to the board and ask them to engage with it.
But it’s not just about the disconnect between risk and strategy. There is also a disconnect within most firms between the risk function, the technology function and the security function. Again, they all speak different types of jargon. As a result, it is difficult to incorporate information security in your risk appetite, and it’s difficult to incorporate information security and regulatory compliance in your business strategy, but this is what has to happen if firms are going to be able to protect their customers properly.
Considering these challenges, how can organizations effectively set up risk management and cybersecurity practices that will keep them secure as they take advantage of these emerging technologies?
We’ve described it in three steps.
For many, step one is to fix the basics and handle yesterday’s risks adequately. That’s a given, but it’s not easy, and every time we see a major breach in the newspaper headlines, it reminds us of the basic vulnerabilities all around us.
The second step is then to develop a risk-based, integrated security strategy. If you have a business strategy, you need a security strategy to go with it. That involves making sure that the different parts of the organization work together to put in place the technologies, the processes and the behaviors among their people that protect the company. It’s no good investing in the IT department to spend on security if you are not training your people as well. Many of the biggest breaches have happened because of careless or negligent behavior by individuals, as opposed to the failure of a system or a technology-based control. So firms need to have a holistic security strategy that touches on people, processes and technology.
Finally, the third thing firms need to do is make sure they are forward-looking. You can’t act on today’s risk environment by saying “2018 is the year of security. We’re going to clean the house, put in place the right monitoring, tools and training, and then we’re in good shape.” Sadly, that’s not enough. That would be a great start, but you cannot rest with cyber risk. The adversary is constantly looking to find new ways to get past your controls and to get into your network. Because you are facing a well-organized, well-funded opponent that keeps trying new approaches and techniques to break in, you need to be prepared to meet these new attempts with new defenses.
This needs to be a progressive program that develops each year in line with new threats, takes in new information about new threats on the outside and examines new technologies in order to protect the firm.
And this better connection with the board happens during which of these three steps?
The board needs to engage with all of these steps. Unless employees are led on this journey by top management, it won’t come across as serious. If they don’t see the board acting on it and top management focusing on it, the actions don’t fit with the words. We want to help make sure boards are involved every step of the way, particularly if they are trying to get people to change their attitude and behavior toward security.
You lead the Security Strategy, Risk and Compliance practice here at IBM Security. How do you help clients transform their security programs to meet these new challenges?
We are on a mission to help boards and top management teams to understand the risk and security implications of their digital strategies and to help them put these strategies into practice: mapping out what top management needs to do, as we have described above, what an integrated strategy looks like and how to get people across the firm to change their behaviors. Those are all initiatives that we help our clients with.
Learn More at Think 2018
With so many new technologies emerging and evolving before our eyes, it’s an exciting time to be a security professional. However, with each shift in the technology landscape comes new challenges and threats, and your enterprise must be savvy and flexible enough to adapt.
Join us at Think 2018 to learn more about ways to transform your security program to meet the evolving needs of your organization.