There is absolutely no absolute security. Nature is designed in a way that things can and eventually will go wrong. This is true both for pandemics and cybersecurity incidents. The world wasn't fully prepared for a pandemic like COVID-19. We didn't know COVID-19 would strike the way it did or the extent to which it would affect the world and our society.
That's also true for security incidents and cyberattacks. There are cyber threats out there that we know exist. We prepare for those and implement security controls to protect our business and society from these known inevitable threats. Then there are unknowns. These unknowns are typically of three types:
Challenges Common to a Pandemic and Cybersecurity
When a crisis hits, it's usually late in the investigation that we discover the unknowns that we didn't know about. For example, when COVID-19 initially became known, experts assumed it had spread to only a few Asian countries. As a result, many countries outside of Asia immediately set in motion preventive measures and travel bans for people traveling from those countries, while still keeping open borders for other nations. It was discovered later how coronavirus spread to rest of the world and that cases in Italy had escalated drastically in just a few days, thereby revealing the true extent of spread and risk exposure.
Similarly, when a cyberattack happens, it is mostly during the ongoing investigation, and often later rather than earlier, that one finds out about the true extent of infiltration, risk exposure, and the effects on an organization's infrastructure and business.
It's this meta-ignorance that poses a challenge and prevents us from being immune to these unknown threats that we don't know.
The other aspect that connects the challenges of a pandemic to the challenges we face today in cybersecurity is the extensive globalization, digitalization, and interconnections. Both the digital landscape and the threat landscape are continuously evolving. A virus can hop onto planes, travel, and spread to the world way faster than ever before. It was on December 31, 2019, that the World Health Organization (WHO) identified a novel coronavirus based on the reports from Wuhan, China. And from December 31, 2019, to March 11, 2020, it took WHO only 71 days to declare this novel virus crisis a pandemic.
Similarly, today's organizations have a higher risk exposure due to their more complex and global digital footprint. It has become more profitable to attack service providers and let the malware spread across multiple customer networks across the world. The interconnections and digital supply chains are more complex and continuously evolving. We have seen notable attacks on services providers (including managed services providers and cloud services providers) over the last few years, and we will continue to see them grow. Examples include the Cloud Hopper (attributed to Chinese group APT10) cyberattack that managed to affect both the service provider and its customers worldwide, as well as the recent attack on Cognizant, a service provider giant.
In this ever-changing, evolving, and increasingly complex digital landscape, how do we protect ourselves, not only from the knowns but also from the cyber unknowns? How do we prepare ourselves and build immunity and defenses against the ever-evolving threat landscape?
The key to being prepared for various threats (particularly the unknowns) in this highly interconnected and globalized digital landscape is building efficient cyber resilience. Cyber resilience is the characteristic of a business to prepare for, absorb, respond to, adapt to, and recover from an adverse situation (for example, a cyberattack), while still continuing to function and deliver as intended. In addition to preparation and recovery, one of the key success factors in building a strong cyber-resilience framework is adaptability and predictability — adaptability to an ever-evolving threat landscape and predictability of the unknowns.
Technological Disruptors to Cybersecurity
Various technological disruptors such as the cloud, mobile, and the Internet of Things (IoT) have led to digital transformation. At the same time, these disruptors demand a transformation of cybersecurity and how it is integrated within critical societal functions and sectors, such as finance and healthcare. The fast-paced technological advancements challenge and shape how businesses develop and implement their cybersecurity strategy.
The "Cybersecurity Adoption Lifecycle" below, adapted from the technology adoption lifecycle, provides a model to understand where an organization is or can aim to be in the adoption market, as well as understand the relative maturity regarding the market and peers in the field.
Most organizations and businesses are in the mainstream cybersecurity market — that is, in the preventive security and regulatory-driven security fields. There are very few that build and truly implement cybersecurity to advance society and serve as a business differentiator. This requires investing and working in the fields of adaptive security and even predictive security. However, to be truly successful, one needs to succeed in crossing the chasm — that is, the gap between adaptive security and preventive security. This chasm is the transition from adaptive security toward the mainstream market — that is, a successful adoption of adaptive security as a part of the industry standard and, at a later stage, even an established framework. Last, there are the laggards, the ones that bet on reactive security.
In today's complex and ever-evolving digital landscape, cyber-risk is not only an enterprise risk but a systemic risk. To ensure we're not lagging, it's not enough to be proactive — we need to be adaptive and predictive. Those are the key success factors to ensure that cybersecurity serves to support society and business amid technological disruptors and ongoing crisis.
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.