Information security has been an intriguing part of our past, is a critical part of our present, and will be a defining factor in our future. There are actions that must be addressed at the micro/individual level and challenges we must collaboratively address as an industry moving forward.
The economics of security are clear: “There is no financial stability without cybersecurity,” writes Loretta J. Mester, President and CEO of the Federal Reserve Bank of Cleveland. Indeed, the perception of poor cybersecurity has been shown to reduce stock price and stock price multiples, harm brand reputation, lower market share, reduce sales, precipitate fines, add legal expenses and make it harder to hire quality employees. To have a future requires mastering information security.
The path toward future information security mastery includes:
- Acknowledging individual responsibilities/accountabilities,
- Making individual infosec beliefs explicit,
- Practicing good cyber hygiene,
- Paying attention to the software supply chain, and
- Hardening operational technology components.
Spectators no more
For the vast majority of the digital age to date, information security was a less-than-well-attended spectator sport. Workers, customers, executives, and board members essentially sat in the stands while info-wizards [security professionals] battled bad actors in the shadows.
Humanity’s arms-length relationship with information security is over! Moving forward, everyone who uses a device is involved with cybersecurity; everyone who uses a device improves or degrades cybersecurity; and everyone has a role and corresponding set of responsibilities regarding information security.
I predict that by the end of this decade accountabilities for information security will be explicitly specified for every individual over the age of five. At the end of each day, quarter, year, and career, executives will be judged and rewarded/punished as to whether they have improved or degraded the cybersecurity of their community and workplace.
It is not my intention, nor effective practice to “blame the user” for all our cyber woes. We do, however, need to make sure that every individual in the enterprise knows that they have a role to play in information security.
Think, say, do
You don’t need to be a futurist, a psychologist, or an anthropologist to know that there is frequently a wide discrepancy between what people think, what they say, and what they do. In the future, cybersecurity will be less about computer science and more about behavioral science.
Information security requires changing behavior. To change behavior, we have to manage what people know and how people think about information security. To do this we have to understand what people believe about information security.
Belief, knowledge, and behavior change are inextricably linked. Step one is to accurately assess what every employee in the enterprise believes about information security. This can only be accomplished via hands-on, “shoe-leather” interviews conducted by managers. Pollster Nate Silver labels the output from such interactions “vibrations on the ground.”
I forecast that the results of such person-by-person assessments will surface two strongly held and totally dysfunctional beliefs about information security:
- “I’m not important and no one is targeting me.”
- “I can’t stop them even if I wanted to.”
Practice basic cyber hygiene
Every one of us needs to promote and practice good cyber hygiene. Cyber hygiene includes, but is not limited to, good password practices, robust vulnerability patching processes, timely detection, prevention, and remediation, putting protections in place to prevent and block malware, and ensuring robust access protocols.
Attending to these best practices will go a long way toward improving overall security. According to Microsoft’s 2021 Digital Defense Report, nearly 70% of data breaches were caused by phishing, and 98% of attacks could be prevented with basic security hygiene.
As we embrace individual accountabilities for good information security behaviors, thereby removing the “low hanging fruit” for bad actors, we can expect the focus of cyberattacks to shift. Two areas to watch are operational technology and the software supply chain.
Security professionals have been warning for years about potentially devastating attacks on operational technology [e.g., plant production lines, manufacturing technology, utilities, elevators, thermostats, lights, and vehicles]. The attack on Colonial Pipeline was a wake-up call for many.
Another attack, this one coming in late 2020, put software supply chain security in the spotlight. The attack on network monitoring software provider SolarWinds put users of their Orion software at risk, notably including US government institutions and agencies.
Modern software development has been likened to making a cake. Unbeknownst to many executives the components of the software cake are not all generated in-house. Clever hackers have figured out that it is much more profitable to hack a software component that is installed in thousands of companies than to hack the thousand companies themselves.
The big concern of the immediate future of information security is that widely deployed software components may have been compromised. Organizations are carefully revisiting their software “Bill of Materials.”