5 Years of Reflection, 5 Seismic Industry Shifts - Why I'm On the Board at CRA
CyberRisk Alliance’s five-year anniversary is upon us and as a member of the CRA board of directors, a practicing Chief Security & Trust Officer, and a cybersecurity professional working for a solution provider, I have a unique perch from which to reflect upon our journey. It is through this lens that I wanted to examine the role that CyberRisk Alliance has to play in service of the cybersecurity landscape and market now and moving forward.
What has occurred over the past five years to some extent has been more of what came before – more threat and vulnerability vectors resulting in more breaches. However, there have been more substantial seismic shifts that have dramatically changed the slope as well as the dynamics of the cyberrisk curve, our industry, and our roles.
1) The pandemic and the immediate impact to the workplace and workforce. For those who lagged behind in technology adoption this translated into a jarring/frenetic approach to immediate remote work and instant cloud adoption, resulting in a get-it-done approach that for some ignored the need for security. For others this meant scaling dated security architectures and tools that burdened already strained security staff/budgets. And, for a rare few who had forward-leaning technology adoption strategies, as well as innovative security architecture, this simply meant dealing with the “burst” of change with relative ease without a dramatic rise in risk.
2) Geopolitics, regional conflicts, and even our own US election issues resulting in the attack on the US Capitol on Jan 6th, 2021 have magnified every organization’s inherent cyber risks. Supply chain attacks have grown, use of technology to magnify divisive and false content has grown, insider risk has grown, focused attacks on organizations grew based on the public policy positions they have promoted, and even executives outside of the work environment have seen a dramatic rise in their personal technology footprint being the focus of attacks.
3) Regulation, executive orders, and enforcement have rolled out at an unprecedented pace, in turn increasing compliance risks, corporate liabilities, and culminating in “the shot heard around the world” this year with CISO criminal prosecution and subsequent conviction on top of direct CISO civil liabilities for their actions or lack thereof.
4) AI, AI, AI. While in use broadly for several years in almost all industries including the cybersecurity industry to increase efficacy and efficiency of control, the dam broke with OpenAI and ChatGPT this time last year. Everyone can use AI, everyone can develop AI, from your kindergartener to your grandparent. The path to ubiquity is certain in all aspects of our lives and in every device as well as application we use, whether it’s your car, an elevator, or the pharmacy that fulfills your prescriptions. The opportunities are compelling, including for the attackers who have already poisoned countless public models, breached AI to subvert outcomes and steal, and caused yet another exponential step-up in risk. Why? Because just like every other technological change we have gone through, the existing security controls do not work to mitigate or in most cases even identify these vulnerability/exploitability risk vectors. Those controls were designed yesterday for yesterday’s technology environment. They were not designed for this new AI tech stack or use cases.
5) “It’s the economy, stupid.” For decades now security budgets have risen at an almost unstoppable pace in many organizations, and yet in some organizations their security is still well below “the poverty line” with limited security budget, staff, and skills. However you look at it, though, the security industry hit a wall this year in terms of growth, with some reports indicating a drop in the pace of security spending by almost 65%. Venture funding subsequently contracted, some formerly prominent security vendors saw valuations drop by 90% or more, and some vendors as well as bankers to the cyber industry became insolvent.
These as well as myriad others represent significant challenges for the industry, both for the practitioners as well as the solution providers. Yet there is a tremendous set of opportunities ahead of us as well: the opportunity to do what I call “Protect to Enable”. If we can protect efficiently and effectively, we can bend the growth of the cyber curve of risk. The outcome which can occur because of better protection will be to lower the total cost of controls to our organizations and unleash the power of technology to fuel economic and social benefits.
We all, practitioners and solution providers alike, need to constantly ask ourselves the following questions:
1) What am I doing to manage cyberrisk?
2) Is it enough?
3) How do I know?
We should only answer with intellectual honesty and rigor.
But as the saying goes, it takes a village. Which is why the soul of CyberRisk Alliance is to be Community-Centered and Data Driven. We serve the security practitioner by facilitating meaningful connections and providing access to insightful content. Our goal is to elevate the industry’s ability to make better-informed decisions among our respective choices, both as we set our specific organizations’ risk postures and as we select products and services to fulfill those goals.
I am proud to be on the CRA board and thankful to Doug Manoni, Bob Dethlefs, and Growth Catalyst Partners for allowing me to participate in shaping CRA to serve the community as we all navigate the promise and potential perils that face us.