By Alvin Rodrigues, Chief Security Strategist, Asia Pacific at Fortinet
The World Economic Forum and other business analysts increasingly recognize that the world is currently undergoing its fourth industrial revolution. The first industrial revolution kicked off in the 18th and 19th centuries with the harnessing of steam and waterpower to replace human labor and mechanize transportation. In the second industrial revolution, assembly line and conveyor belt manufacturing methods enabled mass production, radically increasing the quantities and lowering the price of goods available in the marketplace. From the 1970s to the year 2000, the third industrial revolution’s proliferation of computers and automation technologies revolutionized almost every economic process—from manufacturing, to management, to mass media and entertainment.
The fourth industrial revolution arrived with the advent of the 21st century. Even as I write, it is transforming information technology into an artificially intelligent, pervasive, and autonomous source of economic value creation in its own right. In other words, information technology no longer supports the business, it is the business.
Your Business Transformed, Ready or Not
As with all previous industrial revolutions, no public or private organization will be immune from the fourth industrial revolution. Organizations that ignore it will end their existence, bewildered in bankruptcy court. If you don’t radically transform your business, you will find yourself choking in the dust left behind by your competitors or completely unexpected market disruptor organizations (e.g., the Apples, Googles, Amazons, and Craigslists of the world.)
Digital transformation is inevitable. Resistance is futile. The mindset of if it is not broken, do not fix it does not apply in this new era. Digital transformation is revamping and changing the way we do business, the way we operate, the way we engage with our customers, the way we deliver value, and in so many other ways and areas. Existing IT infrastructure and a legacy security mindset are heavily challenged as a business evolves.
Existing companies are burdened with legacy infrastructure, and they must find a way to marry it as harmoniously as possible with new technologies, increasing the already complex environment that is integrated across every part of the business.
Organizations face three main species of risk. The biggest risk involves not moving fast enough to seize new opportunities and adopt new, hyper-automated processes. The second risk involves making bad investment decisions regarding which technologies to acquire or develop, which people to hire, and which firms to establish ecosystem partnerships with. The third risk, and the one I will discuss in more depth in this blog post, revolves around cybersecurity.
Dissecting Cybersecurity Risk Factors
Cybersecurity business risks can take several forms:
- Operational Risk. Exploits such as ransomware, denial-of-service (DDoS), data theft, site hijacking, and resource theft can seriously disrupt business operations. Some disruptions might only interfere with internal operations and processes. Others, such as DDoS attacks and site hijacking, can become sources of brand damaging public embarrassment.
- Reputation Risk. Customers, investors, and partners will avoid doing business with any organization that exposes them to potential harm. Some incidents are directly visible to stakeholders when they interact with your organizations. And reputational damage can mushroom when incidents become public news events, either through journalistic reporting or regulation compliance-triggered public disclosure.
- Investment Risk. This consists of overinvesting in security products that either do not work, don’t integrate with other products in the environment, or protect assets and processes that really don’t matter to the business. Remember, every dollar squandered on subsidizing inefficiencies or defending non-essential value generation factors is a dollar that could be invested more productively elsewhere.
Not all security products are created equal. Companies must be aware of issues relevant to their new, extended and complex infrastructures, such most siloed products cannot communicate with other security devices, making collecting and correlating threat intelligence to detect advanced threats hiding in your extended attack surface difficult if not impossible. Likewise, poor documentation, lack of skilled resources, and limited budgets, combined with intense pressure from management to stay in step with business changes, often seduce technology professionals into taking shortcuts and not conducting proper evaluation on what products to retire and what products to extend.
Strategic Focus on Vulnerabilities
The first step in overcoming these risks is to realize that attempting to defend against every contingency is to defend against none of them. Effectively managing cybersecurity risks requires shrewd assessment of what’s important to your business, determining how and where “crown jewels” are vulnerable to attack, and what means should be deployed to protect them. Two sets of questions pertain to this process.
- Where is your enterprise vulnerable to cybersecurity disruption across its value chain? By building up an inventory of vulnerabilities, enterprises gain a picture of what cybersecurity professionals call an “attack surface.” One of the interesting aspects of the attack surface concept is that it is really about how potential adversaries see your enterprise as a potential target, both in terms of what’s worth misappropriating and how to get their hands on it.
- What are priorities for investment to shore up vulnerabilities against attack? Setting priorities is a question of timing and involves questions such as, “Which vulnerabilities does one address first?” Investment is a business decision revolving around what are the most cost-effective ways and means to address value chain-critical vulnerabilities.
Prioritizing investments to address vulnerabilities hinges on developing a heat map depicting the probabilities of attack and potential impacts to the business. Vulnerabilities can manifest themselves in people, process, and technology. However, identifying where these vulnerabilities are located within the entire spectrum of business operation, ranging from very critical to non-critical, is just as critical, as this can serve as a guide for organizations in deciding what needs to be addressed first. Correlating vulnerabilities to a company’s attitudes towards risk provides additional clarity on priority setting. These sorts of exercises not only help organizations effectively factor security into their overall risk management strategy, but often also result in the realization that cybersecurity is not a technology discussion, but a business risk/reward/investment calculation.
What to Do Now
Whatever you do, do NOT skip ahead to ask, “What should we buy to solve our problems?” At this point, the question is, “How do we quickly and decisively come to grips with evaluating our organization’s security posture and set course for needed changes?” As every company is at a different stage in its security maturity, each needs to take a step back and evaluate what tools and processes are currently in place, what your business goals and strategies are, and then understand what are you protecting and why.
At this point, I highly recommend taking a business-focused approach to cybersecurity by first understanding your company: how it is structured, what its business model is, and what its business operations include. From there, you can begin to identify the critical “crown jewels” components and activities that deliver your company’s unique value proposition.
These considerations will guide where to prioritize spending. In parallel with this business strategy exercise, examine what is going on in your company’s network. This should provide visibility into processes and workflows, and help you gain a sense of what constitutes normal behavior in your network. By identifying the normal, abnormalities are much easier to see, allowing organizations to discover potential new threats lurking in the network. Such measures enable an organization to build an effective and comprehensive security strategy and deploy appropriate solutions – designed around critical functions such as integration, collaboration, adaptability, and automation – that lead to effectively protecting those business processes essential to the success of the business.
To begin the process of aligning cybersecurity investments with an enterprise’s overall business strategies, I strongly recommend a couple of Fortinet-published whitepapers on strategic cybersecurity decision-making—A Security Leaders Guide to the Threat Landscape and Rethinking Your Approach to Cybersecurity.