Two strategies you can use to reimagine Cybersecurity.

Security Technology

August 4, 2020

Two strategies you can use to reimagine Cybersecurity.

Words are power. They have energy, and whether we’re speaking, reading, and exposing ourselves to them, we can use them to build relationships, increase knowledge, and drive action. We can use them purposefully, intuitively and strategically. For good and for bad.

Consider one of the most relevant words of the moment, crisis. Most dictionaries define it as:

A time of intense difficulty or danger.

A time when a difficult or important decision must be made.

A situation when people become less confident and start to worry.

The turning point of a disease when an important change takes place, indicating either recovery or death.

All of these descriptions accurately describe what’s occurring now. But as a leader, who’s coping with the current crisis – Covid-19, the last thing you need from me right now is a pep talk on how to manage it. What you do need is practical guidance on cybersecurity, and specifically how to defy the odds, seize an opportunity and emerge from today with certainty and strength. So, I’m going to walk you through what I’m seeing cybersecurity leaders do, and two strategies you can use to reimagine cybersecurity without looking like an amateur.

I’ll be looking at what’s sacred, what needs to be reset, reinvented or reimagined. Now, this is important, because thanks to Covid-19, whether you know it or not, you’re now a part of a humungous test that’s shaking the foundations of society, business, and technology. Many of the changes you expected to be eased into over the next few years are here now, and as we move through this crisis, we’re all going to see a new normal emerge. Leaders will adapt, behaviours will change, and innovation and dissolution will be on speed.

Competition is going to be intense, too, and your visible contribution is going to be more important than ever. Some people will find this period easy and they’ll thrive during it. Others won’t, and they’ll struggle and buckle under the stress. You’ll hear thought leaders like Dan Pink, Klaus Schwab and Satya Nadella speculating on whether it’s a message from the future, the bonfire of blinkered capitalism, or even a shift from hierarchies to wirearchies.

Whatever you believe, thanks to the crisis one thing is certain – we’re now going to see a huge unmasking of our dysfunctional ways. It’s as if someone has literally taken a great big highlighting pen and run it over our people, processes and technologies. Everyone is affected, and that why now is the perfect time to re-evaluate, collaborate, strategize, and do things properly.

With cybersecurity covering attacks and compliance failures, and Europol recently warning how cybercriminals are exploiting employees working remotely during Covid-19, the number of cyberattacks are rising.

Just consider where we were before Covid-19. Then, imagine what will happen if we don’t take the right action now, when our adversaries are making the most of our unreadiness.

Hackers attack us every 39 seconds.

71% of breaches have been found to be financially motivated and 25% driven by espionage.

The average time to identify a breach is 206 days.

62% of all incidents have arisen from negligent insiders – employees who make simple mistakes.

Supply chain attacks are rising – last year they were up 78% and this year the FBI sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers.

The GDPR fines have been issued to 340 organisations and are just over €158 million (excluding British Airways and Marriott International who the ICO issued intentions to fine, €204,6 million and €110, 3 million respectfully.

Smart cybersecurity leaders recognise the opportunity that’s available to them and are purposefully creating diverse teams – teams who have diversity of experience and thinking, and who can help them to uncover missed risks and to not be so blindsided. They’re asking, where are we fragile, when are we dependent, and what are the consequences? And, faced with so much uncertainty and fluidity, they’re applying one of two strategies to improve new realities.

Let’s look at them.

Strategy #1 is short-term – typically anything from 90-days to six months.It’s used by leaders who are unable or nervous to invest in large scale, multi-year, transformational programmes. Here, they’re applying spring cleans and making incremental small steps to improve. It’s where you’ll see them focusing on the things that are sacred, things that can make a huge impact to their security posture, like the 10 steps to cybersecurity hygiene. According to research from CESG (the UK Government National Technical Authority for Information Assurance) 80% of cybersecurity attacks originate from poor cyber habits, so getting the basics – the fundamentals – right would dramatically reduce an organisation’s cyber risk exposure. It’s a solid way forward especially when budgets are reduced or delayed, as many are.

Using marginal gains is a strategy Dave Brailsford, the General Manager and Performance Director for Team Sky, Great Britain’s professional cycling team, used to lead his team to consistent Olympic gold medal success. He refers to it as being,

“the 1% margin for improvement in everything you do.”

When David became Head of Team Sky in 2002, there was virtually no record of success. In fact, the British team had only won one gold medal in the last 76-years. He wasn’t deterred, though. He believed that if you could improve every area related to cycling – the critical success core areas – by just 1%, then those small gains would add up to a remarkable improvement. Fascinated with process-improvement techniques like Kaizen, a long-term approach to work that systematically seeks to achieve small, incremental changes in processes in order to improve efficiency and quality, he wanted to focus on progression, and compound the improvements.

So, he started by optimising the low hanging fruit – the nutrition of his team, their weekly training programme, the ergonomics of the bike seat, and the weight of the tires. Then, through experimentation, he searched for 1% improvements in other areas. He found small improvements to aerodynamics by examining wind tunnels, eliminated impurities that were found to be accumulating on the track floor, reduced infections and illness by hiring a surgeon to teach their athletes about hand washing and food preparation. When he discovered a pillow that offered better sleep, he ensured his team used it, even if they were staying in hotels. He searched for 1% improvements everywhere. And, the results paid off.

So, before we move onto the second strategy, please consider turning things upside down. Stretch your mind to think small not big. Focus on the system not the goal. The habits rather than the outcomes. Improving by just 1% doesn’t require much energy. It isn’t notable, often isn’t noticeable, and as a result can be less risky. And we like that in cybersecurity!

Small wins and marginal, slow gainsare powerful and hugely transformational. So, reimagine security. What can you do? Can you “¦

“¦Plan 1% better? Prepare 1% harder? Think 1% further? Research 1% deeper? Execute 1% better? Learn 1% faster? Think about where you can apply the strategy backwards, too. For example, can you proofread 1% slower.? Work 1% less?

Think about the impact of this. Better still, measure it. I promise you, it’s where the magic happens, and the difference between pretty good and great.

Strategy #2 is long-term. It’s where you’ll find cybersecurity leaders who are not concerned with fighting the old but building the new. They’re interested in innovation, scale, speed, and agility and it’s here where you’ll notice the difference. They’re applying a ‘bend, but don’t break’ approach which marries the disciplines of cybersecurity, business continuity and resilience. They want cybersecurity to be done properly – to be integrated throughout the business rather than centralised and siloed, and with effective executive presence they can get buy-in to achieve that. That’s why they’re able to roll out effective security awareness training programmes, collaborate successfully with peers and partners, drive automation and workflow integration, scale cybersecurity technology investments; deploy advanced technologies like artificial intelligence (AI), machine learning (ML), and Security Orchestration Automation and Response (SOAR); and move to the cloud or other virtual environments.

Whichever strategy is used, know this. Cybersecurity leaders are streamlining tools, reducing suppliers, demanding more added value and expecting faster returns on their investments. Their goals are set on how quickly they can detect a security breach, contain it, mobilise their response, and recover operationally. And that’s why they have to focus on the three pillars of strength – people, processes and technology.