If there were any question about the critically important role that information and cyber security practitioners play in the welfare of today’s society, there is new evidence spelling it out in stark, attention-grabbing terms.
Data fraud/theft and large-scale cyberattacks were each identified among the top five global threats in the latest edition of the World Economic Forum’s Global Risks Report. The other elements on the list: extreme weather events, failure of climate change mitigation and major natural events, such as earthquakes and tsunamis.
Think about that for a moment: protecting data and thwarting cyberattacks now have ascended alongside dealing with natural catastrophes as the most pressing threats demanding the world’s full attention.
In some ways, the cybersecurity dangers we face are similar to the other, naturally occurring disasters that occupy the top spots on the global threats list. Just like a city or village can appear perfectly tranquil one day, only to be torn asunder the next by a raging storm or fierce earthquake, too many organizations today are lulled into a false sense of security, preoccupied by business as usual, and then are blindsided by a major cyber incident that causes business upheaval from which they may never fully recover. But unlike most of the natural disasters that cause so much damage, humans are capable of preventing much of the suffering that results from attacks on our digital world. That is a challenge the security community must commit to addressing on a global scale.
Given that backdrop, it is encouraging that the gathering of world leaders in Davos for the 2019 World Economic Forum included extensive discussions around cybersecurity and its rising importance in the global digital economy. As Brad Smith, president and chief legal officer at Microsoft, said in a panel discussion in Davos, “It’s all about keeping the world safe. The world depends on digital infrastructure and people depend on their digital devices, and what we’ve found is that these digital devices are under attack every single day.”
Cybersecurity is a fundamental enabler of the digital economy, protecting organizational assets, contributing to business continuity, defending brand names, potentially providing a competitive advantage, and managing liabilities and risk as a whole. The failure of organizations to take sufficient action in protecting themselves and their customers from cyber threats has necessitated increasing regulatory involvement, with 2018 marked by the enforcement of the EU’s General Data Protection Regulation (GDPR) and similar policies being crafted in the US and elsewhere; Smith anticipates a large-scale federal privacy law in the US to be enacted within the next year or two.
While new regulation and the development of national cybersecurity strategies can be helpful, no one or two isolated steps alone can keep us safe. Cybersecurity requires a holistic approach, taking into account people, process, technology, organizational structures, business strategies and addressing the overall business ecosystem, which nowadays is built through the interfacing of many actors. These actors increasingly work across international borders, meaning the more substantive dialogue that international leaders have, such as the conversations that took place in Davos, the more opportunity for meaningful collaborations that will drive toward real solutions. This dialogue must be ongoing and include both the public and private sectors, as well as academia and industry professional associations.
These challenges are only going to intensify in the coming years. The evolution of the cyberthreat landscape cannot be ignored, especially with the rapid proliferation of new technologies and the corresponding changes to business models. The fact that only 40 percent of respondents to ISACA’s 2018 Digital Transformation Barometer express confidence in their organization’s ability to assess the security of systems based on AI and machine learning suggests that the challenges will only escalate in the coming years as AI and other fast-developing technologies are deployed more frequently. The global public and private sectors are still far from being prepared for this reality. In particular, there is much work to be done in recognizing the need to take a risk-based approach to understanding organizational cybersecurity preparedness and in appropriately prioritizing and investing in training resources for security teams.
One of the more interesting comments at the World Economic Forum came from Troels Oerting Jorgensen, Head of Centre for Cybersecurity at the WEF, who said, “We must not sell fear but protect hope to make sure the good side of the internet is always in focus.” That is a great way to look at it, but even better than hope is confidence, and confidence must be earned by being prepared. While cybersecurity appearing so prominently among top global threats is a jarring sight for all security professionals, at least there is no ambiguity about the extent of the challenge. While there is only so much humans can do about a tsunami or prolonged drought, cybersecurity is a people-driven challenge that our collective ingenuity and resolve can go a long way toward addressing.
Editor’s note: This post originally appeared in CSO.