RSA Conference 2017 review: the future of innovation, robotics and talent
This past week at the RSA Conference in San Francisco, there was a great deal of talk about the breakneck pace of innovation in today’s business landscape. Organizations across industries large and small know that they need to innovate or die.
Every day, headlines shout about another industry being disrupted. Brick-and-mortar retailers threatened by online shopping. Manufacturing companies trying to connect machinery to the Internet of Things. Data-intensive financial firms implementing robotics for the first time. The automotive industry adopting automation and technology to evolve toward self-driving cars.
Companies know they need to rapidly transform to be more agile. They are scrambling to upgrade legacy IT systems and processes, and proactively adopt digital technologies that can usher in amazing new opportunities for them. But with these opportunities come new — and continuous — cybersecurity risks that have executives increasingly concerned. In fact, 87% of C-level executives say that they lack confidence in their organization’s level of cybersecurity, according to EY’s 2016 Global Information Security Survey (GISS).
Security researchers and practitioners at RSA offered many insights on how to overcome cybersecurity challenges, making one thing abundantly clear: there is no one-size-fits-all solution. For example, when the Mirai attack last fall turned legions of printers, thermostats and wireless routers into a bot army, many companies realized that en masse, even the most innocuous devices can represent a major security threat.
For chief information security officers (CISOs) to succeed in this demanding environment, they will have to take a dynamic approach to security and work with every layer of the business as a partner and coach, not just a cop.
A key component of this approach involves enhancing their ability to streamline the identification of nefarious actors and techniques. They need to constantly evaluate the potential sources of cyber threats. Today, ransomware, distributed denial-of-service, phishing, malware and more frequent attacks on critical infrastructure are growing rapidly, while insider threats continue to be a problem for every industry. Unfortunately, less than half (49%) of organizations are confident they are going to be able to continue to identify suspicious traffic over their networks, according to EY’s recent GISS report.
However, the return of nation-state attackers may be the most sinister danger. Although some threats against Western organizations have decreased, overt attacks by other groups are growing. More troubling, the drop in some nation-state activity can be attributed to attackers’ efforts to update tactics to prepare themselves for more sophisticated attacks targeting US organizations for innovations and secrets.
In order to confront this growing list of risks, companies will need to find highly skilled talent in an already hotly competitive labor pool. The significant shortage of US-based Tier 3 and Tier 4 cybersecurity professionals has grown acute. So acute, in fact, that House Homeland Security Committee Chairman Michael McCaul (R-Texas) is pushing for a cybersecurity unit as part of the Department of Homeland Security that will work to identify and improve resource gaps to protect critical infrastructure. That’s a start, but to produce the 1.5 million cybersecurity professionals needed by 2020 to address the predicted national shortfall, the private sector also needs to rethink how it trains, recruits and retains the best talent.
Creating a culture of security
Just before the RSA Conference, EY proposed a series of questions for CISOs as they attempt to secure their organization without slowing down innovation. Over the course of the conference, a few answers started to emerge.
It’s critical that cybersecurity be embedded throughout each layer of the organization so that it becomes part of the corporate culture instead of a barrier to progress. Of course, this is more easily said than done. So what can companies do today to help address cybersecurity challenges in a methodical, enterprise-wide manner? Here are three key approaches:
- Make cybersecurity a foundational pillar of every business, transformation and critical infrastructure from the outset. Rather than adding on cybersecurity at the end of the digital transformation process, organizations will want to consider building their digital assets on top of a holistic cybersecurity framework. This makes certain that digital strategies are secured against cyber risk from the outset and remain protected in a continually evolving digital environment. The alternative — retrofitting cybersecurity — is expensive and often dangerously ineffective against advanced cyber criminals.
- Consider cyber analytics and orchestration to deal with the talent shortage in the short term. Cyber orchestration can improve security awareness and significantly reduce the need for talent throughout the digital transformation life cycle. Machine-to-machine communication combined with business and threat analytics will improve cyber threat detection and response times, and reduce the number of risks and costs of a breach.
- Work with colleges and universities to address the talent issue over the long term. Colleges and universities have done a good job integrating cybersecurity education into computer science programs. But what about the other disciplines? Business? Engineering? Marketing? If cybersecurity is an issue for every employee — and it clearly is — then it only stands to reason that business should push for cybersecurity education to be embedded into every aspect of a pre- and post-secondary institution’s curricula through its own educational outreach programs.
With constant and continuous innovation moving from a nice-to-have to table stakes for many enterprises, cybersecurity cannot be an afterthought as companies rush toward the digital future. CEOs and CISOs must work together to design and execute a holistic security agenda that is viable over the long term and touches every aspect of an organization in order to foster secure innovation and avoid unnecessary losses. After all, the bad guys are continually innovating, too.