As the field of cybersecurity matures, cybersecurity professionals have steadily been adopting a holistic approach to their practices. Where there was once a hodgepodge of cybersecurity tooling that had been cobbled together (based on knee-jerk reactions to incidents or available budget and resources), cyber programs are emerging which are a result of careful consideration and strategic planning.
Thus, we have seen the rise of Cyber Strategy. Cyber Strategy considers the ultimate goals of the business, takes stock of the organization’s context, strengths, liabilities, and special opportunities, and formulates long-term strategies and decision-making tools that help navigate cybersecurity risks and threats. Cyber Strategy also requires creative thinking about current situations that the organization is in and possible future developments that may give rise to adjustments in the strategy over time. This discipline has only become more vital as time goes on.
What Difference a Pandemic Makes
As the world emerged from COVID, paradigms shifted and business evolved in many ways that we could not have foreseen. Trends that were set to develop steadily over time were accelerated and brought to the forefront. Some widely-accepted norms were abandoned altogether. These drastic changes have also redefined how we protect our data in so many ways.
As workforces became decentralized by a stay-at-home world and businesses began to really see the value of a streamlined user experience. Any friction in the experience meant inefficiencies in business processes, and ultimately, lost revenue. As cybersecurity has historically been viewed as one of the major hindrances to the user experience, cybersecurity solutions and controls have had to adapt, eliminating user delays as much as possible. This requires strategic thinking and careful orchestration in the implementation and provision of security controls.
A workforce scattered across large geographies also pushed the adoption of digital transformation in many business units that formerly were not used to such inclusion of technology into their processes. This was one of the many ways businesses were made aware of just how much technology they depend on, especially as lesser-visible parts of their supply chain. The supply chain threats increased the necessity and frequency of risk assessments and risk experts to perform them.
The pandemic may be gone, but many of these cybersecurity problems it caused are here to stay.
Keeping Up with Technology
The rate at which technological advances impact our businesses is advancing at breakneck speeds. Leaders have not even finished assessing the last industry-shattering development and another makes headlines the next morning.
With the emergence of cloud technologies, remote access technologies and more, cybersecurity experts have witnessed the slow erosion to the absolute obliteration of “the perimeter”. It’s gone! We currently wage cyber warfare at the endpoint, within running processes, and in the end-user’s mind.
The Internet-of-Things has given rise to smart devices, smart cities, and a smart world. As we use these advances to make our lives and businesses better, the flipside is that each device dramatically expands the attack surface of an organization. Hackers always say, “If it has a brain, we can hack it.” To the average cyber expert, every new IoT device is just a new hole in the shield that can be exploited.
Machine Learning (ML) and Artificial Intelligence (AI) has been all over the place, lately, as well. Everyday, we are seeing new ways, from the earth-shattering to the mundane, that Large Language Models like ChatGPT, Microsoft CoPilot, or Google Bard, or Generative AI such as DALL-E are changing our world.
Cybercriminals are no slouches. They were some of the earliest adopters of ML and AI, finding ways to enhance their tactics, techniques, and procedures from scaling up phishing campaigns with adaptive language in their emails, to even using AI to enhance existing malware or even write new ones from scratch.
For each paradigm-shifting development there are two fads that don’t amount to much in the grand scale of things no matter what the pundits tell you. Sifting through the noise to get to the signal has always been a fight that cybersecurity experts have fought.
The rapid-fire pace of technological advancement is nothing new, but it does mean that more than ever, we need experienced operators who can leverage their expertise and critical thinking skills to navigate the information, wade through the buzzwords, and anticipate their future impact on the cyber strategy.
Cybersecurity is an Infinite Game
If cybersecurity were a game of chess, the gameboard would always be spinning and the pieces would never stay the same. There is no such thing as a state of “absolute security”. Cyber threats and cybercriminals are relentlessly raising the stakes and cybersecurity professionals are fighting a never ending battle to keep up with them.
Threat actors are very often quite innovative and are many times early adopters of the latest advancements in technology and it requires cybersecurity experts with equal tenacity who are consistently keeping their finger on the pulse of the future.
Best practices and approaches to security are also constantly shifting. For instance, many businesses are starting to recognize that investments in attribution and catching attackers in real life often involves steep costs with little to no benefit. They are also seeing that cybersecurity is a numbers game where the adversary simply has more opportunities to attack and defenders simply have less resources to prevent attacks. These observations have pushed a shift in strategy for many cybersecurity leaders to focus on resilience. Instead of the lion’s share of cybersecurity spend aimed at prevention and attribution, many leaders are finding great value and impact investing into security controls that allow for faster, more accurate detection and swifter, more complete response to cyber attacks.
This shift dramatically transforms the nature of cybersecurity spending and it takes seasoned cyber leaders to plan these changes out in a measured, sustainable manner that balances short-term and long-term considerations.
Cybersecurity is a vast continuum of disciplines in which we are experiencing the intersections of technology, business, globalization, and innovation in ways we have never seen before. Contributors to the cybersecurity mission run the entire gamut of experts in an organization, from the ever-obvious technicians and engineers, all the way to risk managers, human resources experts, and finance.
Internally, operations and teams are constantly evolving and conflicts always need resolutions. Externally, the threat landscape is in a state of constant flux and the enemy is only becoming more sophisticated.
The complexities of formulating, implementing, and continuously improving a cyber strategy require adept security managers and security officers to coordinate those stalwart efforts, and they require an enterprising and innovative Chief Information Security Officer to lead them.
Cybersecurity has never been a simple proposition. It was never just opening one port and closing another. It was never as simple as the push of a button. “Set it and Forget it” was never on the menu. Organizations that once approached cybersecurity in simplistic terms as this are paying high prices for those misconceptions. Now, more than ever, protecting your organization’s information requires strategic thinking on various dimensions. Organizations need innovative, strategic thinkers to light the way.
At Horangi, we're proud of our experienced consultants. They're experts in cybersecurity and are here to help your organization plan for the future through their understanding of business goals and ability to align cybersecurity strategies with those objectives. Our consultants bring a forward-looking vision that they've gained through valuable insights from working in a multitude of industries and can create tailored strategies to meet your organization's unique needs. We offer customized approaches that seamlessly integrate with your existing team and methods. Whether you need advisory services, risk assessments, or strategic planning, our consultants are ready to enhance your organizational resilience.