The World Is Changing

 
 
 

The CISO has been described as the hardest position in IT to fill because of the amount of technical knowledge and business savvy the role demands. A CISO needs to understand people, processes, technology and security, and how they all interact and relate. My job as a CISO and cybersecurity professional is to show you how institutions need to, and can, adapt to keep their people and data safe and secure. This is not going to be an easy task. Over the next 5 years, the number of people is going to increase to over 8 billion, and the number of processes and technical solutions is going to increase exponentially.

The world and everything in it is changing, in some cases greatly and quickly. We are going to see the explosion of the Internet of Things (IoT) and the transformation of the world into the Internet of Everything (IoE). Everything, including trees, will be connected to the internet, and we are currently on an exponential curve toward making the IoE a reality in the not-so-distant future.

By 2025, it is projected that the whole world will be online, with 75.44 billion things connected to the Internet. This means a human being’s attachment to technology is not going to decrease. By 2025, if all IoT endpoints were spread evenly across the globe, each person would have 9.4 pieces of technology, all of which are individually and collectively connected to the internet. With this much connectivity comes great risk.

The Risks

Unfortunately, IoT/IoE are not the only risks we have in front of us. Currently, we are using Narrow Artificial Intelligence (also known as Narrow AI), and the world is fighting to see who achieves full, or Artificial General Intelligence (AGI), or even Super AI superiority. Thankfully, this risk can wait a while: depending upon what you read and whom you believe, AGI will not happen until at least 2030, and many say 2060.

Unfortunately, over the next 3-5 years, the world, Boston included, will face many risks that CISOs and security practitioners will mitigate. According to the WEF, over the next 3-5 years, the world will face an erosion of multi-national trade agreements and a move toward protectionist nations. This movement leads to the inclusion or invocation of political and financial sanctions, all of which are meant to weaken the economy of another country. These movements, as well as several other developments, such as the destabilization of economies, the continued use of antiquated public infrastructure, and the fallout from the impacts of climate change, are all indicators that a global recession is coming.

Be Prepared

Being prepared is more than the Scout Motto. A CISO needs to understand a recession is coming, because if you have the means and resources, now is the best time to prepare for the future. If a recession comes and your organization is impacted, your organization’s budget will also see a reduction in kind. Some institutions (especially ones with unlimited endowments) and organizations will be able to weather the looming financial storm. Some will get a bailout, especially when they are too big to fail. However, others will simply fall into the Charles (or insert name of any other) River. In any event, the CISO and an organization’s (cyber)security posture need to be ready for the challenges and cyber disruptions to be faced, whatever the budget. Institutions and organizations need to leverage good technologists and business partners who can read the changing seas.

Over the next few years, understanding and using the cybersecurity practices known as cyber-hygiene is the best approach to mitigating your risks. The reasoning is that it is always about people, and people are the biggest risk to any institution or organization. People are human and therefore prone to error, and practicing good cyber-hygiene is the best method for overcoming that shortcoming. However, technology is not the answer to cyber-hygiene. Individuals practicing good cyber-hygiene is akin to eating right (coding correctly), exercising (maintenance), getting the proper inoculations (patching/updating), washing your hands & bathing (anti-virus), getting rid of the junk/trash (removing old data), getting a checkup (monitoring), getting blood work (virus detection) and cleaning house (operations, maintenance & continuous process improvement). I’m sure I can come up with others, but you get the idea.

We look to technology to perform the same tasks repeatedly, most likely because there is a desire or need for the same outcome. By this logic, we would not use a human to perform a repetitive or exacting task. Therefore, our need for technology advances, and within these advances are additional risks. Usually, the risks are known; however, many are not, and it is the blind spots which can do the most harm.

The Blindspot Risks

Technology is rapidly evolving and may be an institution's biggest blind spot. The use of technology is making individuals, institutions, and humanity more vulnerable because people have become, and are becoming, more and more reliant on technology every day. This reliance becomes a major blind spot if total reliance is placed on technology to identify and mitigate the risk.

Institutions can overcome the vulnerabilities and risks identified above or elsewhere by employing a technologist known for building highly resilient systems and solutions. Because many of these systems are entrusted to ensure the safety of people and the institution’s knowledge, assurances need to be made and control gates incorporated into the institution's governance structure. If these systems are not resilient to an attack, a data breach or an insider threat, then the actual value of having such technology needs to be questioned and evaluated within a business impact assessment (BIA). The BIA will provide an organization with a roadmap in which to bake in security, which often increases quality.

Another challenge with humans is trust. Today, trust is at an all-time low. To mitigate this lack of trust, institutions and organizations can build or leverage ‘zero-trust’ architected systems, infrastructures and other technological solutions. This, however, is only one potential solution to the larger challenge of mitigating (cyber)security risks. If you would like to learn more about how to identify your security risks, please don’t hesitate to reach out.

Be Forward-Leaning by Connecting-the-Dots

Over the next 5 years, cyber disruptions, especially in and around high-tech facilities and institutions, will be very difficult to locate unless these organizations are actively monitoring their facilities and campuses for rogue devices. The reason for this lies in the use of robots: they are becoming smaller and more common, and are now a widely used tool of bad actors and criminals. The use of robots also means they are blending in and introducing another threat vector, robotics. In the future, it will be imperative for a CISO, especially one securing a public setting or locations with unrestricted access such as universities and college campuses. Private institutions will be able to overcome a majority of this risk by implementing a protective technology dome.

Hackers and bad actors will fear and relish the use of technology. Let me give you an example. Currently, many institutions and colleges in Boston and around the world are seeing a rise in the use of robots, mainly because the institutions themselves are the creators of this new technology and, in turn, are creating their newest risk. These devices are often put into place with rules imposed only by the creator. Once the technology is free to move about autonomously, people will not think twice about a robot parked outside of a dorm room or lab, delivering food or something else.

The problem is the ‘something else’ – the unknowns, or in this case the known unknowns. In this case, the bad actor can hide their tools for disruption or data theft. Bad actors can use robots to easily hide fake wireless access points, monitor for unencrypted signals, or monitor the actions and activities of one person or many. The result is a desire to disrupt an institution by (re)directing resources (data, people, processes, and technology); however, the purpose of this disruption varies almost as greatly as the number of people on the earth. This is one of many potential scenarios for disruption.

Like many risks, once an institution is aware of the risk, the organization can define and put a risk mitigation plan in place for this and other future scenarios. This is the part where bad actors will relish the use of technology. By understanding the risks, CISOs and cybersecurity practitioners can put processes in place to mitigate future risks and create or implement technical solutions to detect, identify and, if necessary, detain the risk.

Conclusion

By 2025, it is expected the onset of AI will change the world and humanity in more ways than imaginable. However, this AI will be limited and narrow in its abilities. Until AI has reached AGI status sometime in the not-too-distant future, the need for humans to connect the security dots will not diminish. CISOs and cyber practitioners will be needed to identify the blind spots and to be prepared for the inevitable risks we will face. Unfortunately, we know something bad will happen. If we are properly prepared, most, if not all of us, will get past the adversity. During this time and until we reach AGI, humanity is needed to ensure our (cyber)security.

 *** *** *** *** *** *** *** ***

Terminology Note

You may have noticed the use of parentheses around the term (cyber) in cybersecurity. My reasoning: today, cyber is about security, but not all security is about cyber, although the two should and can be heavily integrated. A BIA should be conducted to determine the feasibility of this approach.

Today, physical security utilizes a great deal of technology, with or without humans. Personal and organizational (personnel) security is about the protection and safeguarding of people first, and most likely includes the protection of resources, even if only those of the individual. Both forms of protection are greatly aided by technology.

All security practitioners and teams define and utilize standard operating procedures (SOPs), identify and define the risks, and create and implement mitigation plans. Security, whether it is personal, physical, operational, organizational, or national, should always ensure the institution's or organization's Continuity of Operations by ensuring the safety and security of the people, processes and assets of the institution and organization.

What do you think?

Is your (Boston or Global) institution or organization protected? Do you know and understand your data? Better yet, do you know where your data is? What do you fear most over the next 3-5 years for you and your organization?

Thank You

Thank you for reading and for your time. It would mean a lot to me if you commented below.

If you would like to learn more about managing your risks efficiently and effectively, please don’t hesitate to reach out.

Have an awesome day,

      Chip

 

 

 

References

Boulton, C (2019). Why CISO is the hardest tech role to fill. https://www.cio.com/article/3072940/why-the-ciso-is-the-hardest-tech-role-to-fill.html

BSA (2019). Boy Scouts of America, Boy Scout Oath, Law, Motto and Slogan and the Outdoor Code http://usscouts.org/advance/boyscout/bsoathlaw.asp

CinnovationGlabal (2019), Best future predictions for 2025 by Creative Innovation Global (Ci2016) & Creative Universe. Creative Innovation 2016 Asia Pacific. https://www.youtube.com/watch?v=4kiBETz1V7o

IoTrees (2019). Internet of Trees, European Space Agency, (ESA). ESA Business Applications. https://business.esa.int/projects/iotrees

Joshi, N (2019). How Far Are We From Achieving Artificial General Intelligence? https://www.forbes.com/sites/cognitiveworld/2019/06/10/how-far-are-we-from-achieving-artificial-general-intelligence/#32f118b36dc4

Lisk, J (2019). The biggest cybersecurity risks threatening Boston-area businesses right now. The Boston Globe. https://sponsored.bostonglobe.com/bg-brandlab/cybersecurity-risks-threatening-boston-businesses/

RBC (2019). The AI Race: The Rise of the Machines. RBC Capital Markets https://www.rbccm.com/en/insights/imagine2025/the-ai-race.page

Statista (2019), Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

WEF (2019). The Global Risk Report 2019. World Economic Forum. https://www.weforum.org/reports/the-global-risks-report-2019

 
Max Justice