A look at recent headlines related to geopolitical tensions and cybersecurity will tell you that our world is becoming more precarious. With nation states possibly becoming more active in supporting cyberattacks, and with malicious actors having easy access to potentially crippling technology, vital infrastructure is increasingly at risk.
Think of the potential chaos and havoc that would be unleashed by attacks on energy grids, air traffic control, health care and financial systems, to cite just a few areas of vital infrastructure. How do we deal with this new reality?
I realize it’s a difficult argument to make, but one of the best ways to address this more challenging environment is to slow down. Most business leaders don’t want to hear that because of the rapid pace of technology innovation and the fear that falling behind could mean losing competitive edge.
But think of it another way: Is the risk of losing competitive advantage more perilous than the risk of suffering a catastrophic cybersecurity event?
When I suggest that organizations and governments slow down, I’m not advocating that we halt progress. Rather, I’m proposing we take the time to do a proper risk assessment before we rush headlong into the future with technology innovations that could place vital infrastructure at even greater risk. Collectively, we will all benefit if we strive to be more judicious and careful in how we move forward, taking the steps to mitigate risk by building in more robust cybersecurity protections and analyzing the potential threats when we make decisions about critical technology.
Here’s an example of what I mean. Many governments are evaluating providers of 5G networks. Do they make decisions based strictly on costs? Do they want to work with private companies only? Are they doing due diligence on full implications for vital infrastructure?
In my opinion, holding back and taking the time to assess the risks is a wise and prudent decision, potentially saving a lot of anguish in the future.
The rollout of 5G networks is a clear example of the necessity of doing an upfront risk assessment. Once the networks are up and running it may be too late. Another key area is the Internet of Things (IoT). According to one research report, the number of IoT devices will reach more than 38 billion in 2020. This is a staggering number.
My fear is that too many devices are being put in place without the organization having done the proper assessment of cybersecurity risk. Many IoT devices are deeply integrated into critical infrastructure and, unfortunately, they significantly increase the potential attack surface for those who seek to act with malicious intent. When you implement IoT, security—not speed—is the most important element.
The idea of slowing down in a fast-paced, rapidly changing world may be counter-intuitive to business and government leaders who are constantly being reminded that speed is a competitive differentiator. Cybersecurity leaders are accustomed to dealing with this push-pull between speed and security. At a recent CISO summit, attendees were asked to define their biggest challenge for 2020. The Number One response, cited by nearly 40% of attendees, was “keeping pace with business transformation.”
I’m not advocating that we stop transformation or limit its potential; just that we become more cyber aware, all of us. When I was a CISO, I had a team of about 60 developers, and they had to produce something every two weeks. At first, they viewed cybersecurity as a potential impediment. But they soon realized they could still go fast, but they had to do so in a secure way. We convinced them that security should never be an inhibitor – it should always be an enabler.
Let’s not expose our vital infrastructure to unnecessary risks. Cybersecurity isn’t easy. If something malicious enters our environment, we must be able to detect it quickly. Not only must we have protection, we also have to do detection and remediation quickly. But when we choose to slow things down, even a little, it is to ensure that we have given enough thought to important issues, such as:
- How much control are we giving up in building and managing vital infrastructure? Could a foreign government take control of that infrastructure and, if so, what protections can we take to mitigate that risk?
- Are we designing security into our environment, particularly with innovations such as the IoT and 5G? When these networks and devices are operational, are they secured? Retrofitting security after they are up and running creates additional problems and risks that are much more difficult and expensive to address once a cybersecurity event has taken place.
- What kind of testing should we do in order to mitigate risk? Most organizations and governments don’t do large-scale cybersecurity exercises to prepare for an attack on vital infrastructure. Governments in particular should consider large test scenarios. They may be expensive, but not as expensive as the costs of a real disaster. Think of these tests like insurance: You are paying for something you hope never to actually use.
In the future, the true leaders and pioneers will not be the ones that can go the fastest, but those that can do the best job of adapting to a more fraught and complex cybersecurity environment.
Fred Streefland is Chief Security Officer for North and Eastern Europe at Palo Alto Networks.