Securing the Ecosystem to Secure the Enterprise with Cyber Security Awareness
October is National Cyber Security Awareness Month – that time of the year when the annual campaign to raise awareness about the importance of cybersecurity is on. It is also a great time to give deeper thought to the billions of devices, people, enterprises, and institutions that connect with each other over the Internet and give rise to the giant ecosystems that dominate our world. Securing these ecosystems against the rising threat of cyber-attacks is the shared responsibility of all their members, including large corporations, small enterprises, universities and research organizations, non-profit companies, government agencies, and, of course, all their people. This is the thinking behind the just-constituted Global Ecosystem of Ecosystems Partnership in Innovation and Cybersecurity (Global EPIC), which brings together 14 global ecosystems from around the world to facilitate knowledge sharing and co-creation of impactful cybersecurity solutions. There is also the National Institute of Standards and Technology's Cybersecurity Framework – now a federal policy by President Trump's executive order – which has been working to secure U.S. organizations and ecosystems by unifying the utterly fragmented cybersecurity landscape with common language, standards, and best practices.
Since the ecosystem is only as strong as its weakest link, it is imperative to individually safeguard every constituent by putting the right security strategies, policies, and infrastructure in place. This applies as much to non-profit firms, which often deal in highly sensitive data, as it does to for-profit businesses or educational institutions. Each of these entities must also empower its staff with cybersecurity knowledge appropriate to their role within the organization. Beyond that, they should think of evolving their security practices so that they are proactive rather than reactive, and preventative rather than curative. Bringing in skills around new technologies, especially Artificial Intelligence, can really help to realize these objectives. For instance, machine learning and predictive analytics can come together to monitor hundreds of parameters in network and transaction data, and identify patterns such as suspicious activity before it progresses into a full-blown attack. This is of great value, especially in our times, when the traditional way of spotting an anomaly (extracting the attacker's signature) is breaking down as hackers use more advanced methods each time. AI can also be used to automate the established practice of quarantining breached systems and networks to contain damage, as well as the sending out of alerts and quick fixes. AI may be deployed to conduct a root cause analysis that the security organization can consult before taking further action.
Last but not least, the ecosystem should develop a long-term vision for cybersecurity. Building an adequate knowledge and talent base to handle heightened future threats is of paramount importance. Unfortunately, cybersecurity qualifications are currently only accessible to those with advanced degrees or experience, which greatly restricts the pool of available professionals. If the rising volume and variety of cyber-attacks have taught us anything, it is that the need to understand systems security (and gaps therein) is not the prerogative of learned professionals. Career gamers and hackers come from a variety of educational backgrounds. The ecosystem could turn this to its advantage if we could make cybersecurity education part of high school and college curricula, educational institutions implemented directives with zeal, and business organizations recruited students and nurtured them into seasoned security professionals over time. What a boost it would be to truly nurturing a 'secure culture'!
As I write this, I recollect reading an article that compared cybersecurity to the thought experiment of Schrödinger's cat. (The experiment presents a cat that may be simultaneously both alive and dead, a state known as quantum superposition, as a result of being linked to a random subatomic event that may or may not occur.) The article argues that when it comes to the security posture of our information, we may be simultaneously compromised and secure. Much like Schrödinger's cat. As interesting as that may be, I think the real question that must be answered in the context of cybersecurity is: Who will bell the cat, and how? My sense is, it is up to us. All of us.