The Digital Revolution is here. It’s been called the Internet of Things (IoT), or even the Internet of Everything. Applied to industry, it’s called the Industrial Internet of Things (IIoT), Industry 4.0, or the Digital Enterprise. Regardless of the name, it has the potential to unlock $11 trillion of economic value by 2025, per McKinsey Global Institute. In the process, industries will be disrupted, competitiveness will be redefined, jobs will be eliminated and created, and day-to-day life will change in fascinating ways.
This blog is about realizing Digital Freedom – overcoming challenges in cybersecurity to empower organizations to aggressively pursue their digital aspirations. This is an important topic given so much is at stake. My goal is to help decision makers connect the dots and make their organization more cyber secure so they can go digital.
The “Burning Platform” – Survival. As a business leader, if you haven’t yet been asked how you’re “going digital”, you will be. Digital transformation is happening now, and tangible examples are proliferating:
If you’re a Jurassic Park fan, you can relate to this as the T-Rex BOOM, BOOM, BOOM moment for every business and organization. Uh oh, something big is coming.
You have to go digital to survive. Going digital requires an unprecedented level of data generation, connectivity, and device/system autonomy, and in that environment cybersecurity is critical to success.
Cybersecurity End Game – Resilience. The end game is to become resilient: to keep operating through a cyber incident and return to normal operations as quickly as possible. This is a useful concept because it’s outcome-oriented: methods and tactics can be evaluated by their impact on resilience. The NIST Cybersecurity Framework provides a good model for this with its five core functions: Identify, Protect, Detect, Respond, and Recover. More on this in a later post.
Cybersecurity that Matters – Cyber Economics. Cyber Economics is ROI-based cybersecurity decision making: spend time and money where they buy the most resilience. Let’s put it to use.
If resilience is the goal, then investment of time and money should be prioritized to have the biggest impact on resilience. This was very well articulated in two reports published by the AFCEA International Cyber Committee, with very distinguished participants. In 2013, AFCEA published The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. In 2014, AFCEA published The Economics of Cybersecurity Part II: Extending the Cybersecurity Framework. I’m blowing the dust off these reports because they deliver the best practical advice I’ve seen to date.
In Cyber Economics, there are two primary considerations:
1) The level of sophistication of cyber attacks
2) The criticality of the mission being supported and/or the data being stored or transported.
Using Cyber Economics, here’s where to invest:
Address the Majority of Attacks: A high percentage of successful cyber attacks are “unsophisticated”. Phishing is the classic example: an employee receives an email that looks legitimate (it isn’t), opens the attachment or clicks the link, and unknowingly launches the attack. Reducing the sheer number of successful attacks is therefore a relatively easy place to focus. There are plenty of products and services that provide awareness training and measure how “naïve” an organization is to this type of attack; keep in mind that awareness training is only one element of the comprehensive baseline of controls the AFCEA principle below calls for. Quoting the AFCEA Report, “Principle #1: Implementation of a comprehensive baseline of security controls that address threats of low to moderate sophistication is essential and economically beneficial.” This is a great first step; however, it doesn’t by itself address resilience, our real objective.
Protect What Matters: For resilience, it’s important to focus the first investment dollars on protecting mission-critical functions: human life, state secrets, critical infrastructure, intellectual property, and important data. The loss of or damage to any of these would be catastrophic. Given the value of these targets, your investment here should address both sophisticated and unsophisticated attacks.
“Principle #2: Focus security investment beyond the security controls to counter more sophisticated attacks against the functions and data that are most critical to the organization.” - AFCEA Report.
For Resilience – The “Protect Surface”: The threat surface, everything an attacker could reach, is huge for any organization. Focusing on the threat surface forces us to accept that “they’re going to get in”; in fact, assume they’re already in the network. As alarming as this sounds, let it go. It’s important to change our mindset to the “Protect Surface”: the much smaller set of vital functions and assets whose compromise would actually hurt the mission. We care about resilience, not zero breaches. (I apologize to any perfectionists out there.) Therefore, invest in advanced security controls and methods to protect that Protect Surface.
“Principle #3: For sophisticated attacks, an organization should accept the security risk of not protecting functions and data that are of lowest impact to the organization’s mission and where cost exceeds benefit.” - AFCEA Report.
The net-net: invest in baseline security controls that handle the majority of unsophisticated attacks, and apply advanced controls and methods to protect the “crown jewels”.
What Market Voices Are Saying: Digital Freedom is a challenge today. A recent Deloitte survey of manufacturing executives found that over half view Industry 4.0 (Digital Manufacturing) as strategic to their business. In the same survey, cybersecurity concerns were cited as a major inhibitor to adoption. If we can improve cybersecurity, our customers can accelerate adoption.
Our team at ADI is developing security technology to tackle this challenge with and for our customers. More on this in later posts.
Shout Out to a Digital Freedom Fighter: To our Security Team at the Analog Garage in Boston, working on securing ADI Hardware.