Innovation and business transformation have reached radical speed. Market forces, financial growth targets, businesses, national economics, politics, and societies are shifting at a commensurate pace, exposing new opportunities and vulnerabilities almost constantly. It’s a game of disruptive whack-a-mole that has (insightful) organizations putting more focus on security. More and more, organizations are recognizing that an incident or breach is a when – not an if.
Not enough, however. Too many organizations are still so in love with the pursuit of asset creation (data, money, and reputation) that they forget about protecting it until a major security incident (likely a cyber incident) happens. The reality is, in today’s climate, every opportunity for a lawful organization is also an opportunity for an illicit one.
The situation raises the question of how organizations can keep their focus on building the ability to innovate and deliver while putting the bulwarks in place across their enterprise systems and networks to mitigate vulnerabilities.
The Emerging (In)Security Landscape
Last month I attended an event that launched Verizon’s 2017 Data Breach Investigations Report (10th edition). As part of this event, executive leaders across communications, critical infrastructure protection, academia, and network security discussed the current state of cyber risk. They noted that during 2016, 42,068 security incidents compromised the integrity, confidentiality, or availability of an information asset. Of those, 1,935 actual breaches resulted in the confirmed disclosure of data to an unauthorized party.
No one will dispute the value of hindsight. The statistics and discussion around them generated a more important question about what will happen tomorrow. When we’re back together for the 2022 Verizon DBIR (15th edition), what risks, incidents, and breaches will we lament?
Toffler Associates takes this approach of standing in the future to create clarity and an action plan for the present in many strategic areas of business and government. In this case, it’s a necessary approach because while a growing number of business, academic, and government communities are considering their enterprise, network, and system resilience, not all are – perhaps because they don’t fully understand it.
Mapping the Global Risk Environment
We have identified three macroevolutions that are happening across the globe. Each is rife with opportunity and fraught with vulnerability. With the proper clarity and risk mitigation strategies, however, the balance can be tilted toward opportunity for those legitimate (legal) entities and away from those that seek to use the innovations to penetrate and steal assets.
Radical Connectivity Means Radical Transparency
Two innovations in particular – the Internet and the Internet of Things (IoT) – have connected (and exposed) humanity to near-transparency levels. Consider that by 2020, the world will have 5 billion active Internet users and 30 billion connected devices, including smartphones, cars, and even wearables. This spread of global connectivity has made the free-flow exchange of information and personal data collection almost second nature. People are aware that the businesses providing their devices and connections can gather, store, and use their private data. Most are comfortable with the exposure, provided that they get an improved experience in return.
Business Transformation is Revolutionizing the Value Chain
Businesses seeking to reduce operational costs, gain competitive advantage, and improve customer service have turned almost unanimously to flexible cloud computing platforms. By 2020, most users and applications will be mapped to the vast cloud infrastructure. The shift is transforming business processes, enterprise strategies, and customer experience approaches by housing data and analytics, and making them accessible across distributed networks in real-time.
Deepening Human-Machine Integration (the HumanOS)
Progress in the area of biodigital convergence technologies has outpaced virtually any other innovation center. We’re well on our way to the estimated 411 million wearable devices that are expected to be connected by 2020, and with the emergence of implanted technologies like externally monitored artificial organs, we’ve moved from IoT to the Internet of Humans (IoH). People are part of the network. This progress has done so much to create valuable insight into who we are – physically, emotionally, mentally – the uses for this knowledge are limitless.
In each of these areas of progress, the possibilities and benefits come with risks. Connectivity via the Internet, cloud, and wearable technology raises the potential for adversaries to manipulate the technologies to cripple organizations and hurt people on an individual or communal level. The incredible number of opportunities to shape experiences positively is matched closely by the emergence of people and regimes intent on tapping into that same information illicitly for nefarious uses.
Addressing the Main Sources of Future Cyber Risk
Innovating (at least) on pace with their legitimate counterparts, criminal, terrorist, and nation-state groups and syndicates are taking advantage of these positive innovations and transformations. Their level of sophistication is high and improving. Investments in new attack platforms and alliances have emboldened these threat actors, and increased their capacity to steal intellectual property and customer data, manipulate or destroy sensitive corporate data, disrupt operations, and harm reputations.
Smart enterprise organizations are seeking to protect against possible future pitfalls and blind spots. They should be watching four main cyber risk areas:
Five Steps to Combat Growing Cyber Threat
To attain resilience, organizations need to be deliberate and proactive in managing current and future cyber risk. Toffler Associates recommends building a foundation for readiness in four main areas – collaboration, scenario planning, technology investment, and taking a ‘hacker’ mentality.
- Implement regular strategic, enterprise, and tactical risk assessments.
Institute a mechanism to understand industry-level vulnerabilities, enterprise-level risks, and breachable areas across the supply chain. This approach will enable the organization to define types of threat actors, methods, attack surfaces, potential consequences, and the likelihood of occurrences so that you can make informed decisions about security countermeasure investments.
- Identify critical assets across the enterprise.
You probably can’t lock down every device and network in the environment. Prioritize the assets that host and transmit the most sensitive data for ongoing monitoring and assessments.
- Re-evaluate incident response procedures.
To reduce the reputational and financial risks to a company because of a security incident or breach, it is critical that an effective incident response plan be instituted that identifies points of contact, remediation efforts, and coordination with business units and local law enforcement.
- Align with and inform enterprise strategy and culture.
Ensure your enterprise culture emphasizes security and that your organizational objectives and strategies incorporate enterprise security.
- Build and iterate your risk mitigation approach.
Maintain clarity about emerging risks related to your strategy and critical assets, and iterate your risk prevention activities to pinpoint the most areas most vulnerable to an incident or breach.
As you invest in technology, remain vigilant about how it exposes you to cyber risk across the value chain. Remember that this is as much a business, operational, and human focus area as it is an IT challenge, and resilience demands enterprise-wide focus and foresight. Prioritize innovation in security as much as you do your product, service, and market efforts. The only way to take control of the future risk landscape is to incorporate cyber-readiness into your enterprise-wide strategies.
It’s time to protect the future value of your innovation by investing in a focused cybersecurity strategy now.
 U.S. Department of Homeland Security National Protection and Programs Directorate (DHS NPPD)
 GW Center for Cyber and Homeland Security
 Palo Alto Networks