This article is the 12th in a series of articles by NAV CANADA Vice-President and Chief Information Officer Claudio Silvestri about talking to your board about cybersecurity.
Have a deliberate approach to innovation and remaining current
If there is one thing that is constant in the world of IT, it’s change. Cybersecurity is different only in that the consequences of not keeping pace are far more negative and can arrive at greater velocity.
In this regard, your technology adoption philosophy should lean more towards being an innovator or early adopter versus being in the late majority or laggards group. You should be comfortable with taking more risk on emerging or new technology related to cybersecurity than perhaps you would for your other technology needs.
Your Board should understand that cybersecurity is a constantly moving target. Cyber criminals and state-run operatives are constantly innovating to develop new techniques to exploit technology and human vulnerabilities. So you must be doing the same to protect your organization.
A large part of the work your Board does is forward-looking and strategic in nature. They will appreciate the fact that you are taking a similar approach to managing the cyber risk. The message you are sending is that you are being vigilant and proactive.
Of course, for most of us the practical reality is that IT budgets are always constrained, and it’s difficult to prioritize your own funding requirements ahead of the technology needs of your internal stakeholders. However, as described in an earlier article, you should ensure your business leaders and executive management team understand the cost/risk trade-offs related to ensuring you’ve done everything you reasonably can to defend against cyber attacks. That should also include funding to support innovation or, dare I say, experimentation with technologies entering the marketplace.
According to Gartner, in 2018 the global information security market was estimated to be worth approximately $115B USD, representing a 12 per cent increase from the prior year. Growth for 2019 is expected to slow to somewhere around nine per cent, pushing the market value to roughly $125B USD.
This growth will be, in large part, driven by the development and introduction of new products. Product vendors will make choices in their product strategy based on extensive market research that tells them where things are moving and what new products or new capabilities are required.
This means product vendors will be pushing hard to introduce new technologies and you will have an abundance of new things to consider. But you have to be deliberate in your approach to ensure you are proactively seeking them out, and avoid being distracted by “shiny object syndrome.”
What I mean by “deliberate” is that your innovation approach should be directly linked to seeking out new technologies that either align with your weaknesses or future business strategies, or provide clear countermeasures in response to emerging attack strategies used by cyber criminals or state-run operatives. Having clarity of purpose will be important to help justify the allocation of resources to innovation.
Things you have in place today can be rendered obsolete tomorrow. If you don’t have a pipeline of new investments moving into your overall detect-and-defend ecosystem, you run the risk of being caught flat-footed and unable to respond quickly enough to new forms of threats.
Your approach to innovation does not always have to be revolutionary or technology-based. Innovation comes in all forms. For example, in terms of cybersecurity, we have to remember that technology is only one part of the equation, and there is this other thing called the “human” that we have to consider when it comes to being innovative.
For example, as mentioned earlier with regard to employee awareness and training, the human element will always be the weakest link, and is the largest contributor to security breaches by far. Innovation in this area is largely in your control with fewer dependencies on technology. The good news is that you can innovate here without the need for large investments. The bad news is that changing behaviour is much more challenging than implementing technology.
In my view, when you’re trying to change behaviours in the digital world, having appropriate computer use policies will not have the same impact as a creative communications campaign that sets out to change the hearts and minds of your employee population. Innovation in your communications approach could simply mean pushing the boundaries on organizational culture.
Next article in the series: “Cybersecurity essentials – Organized approach”