Digital Transformation, Dynamic Threats and Growing Accountability

March 1, 2019

By Mark Sangster, Chief Security Strategist at eSentire, Inc., contributor to SecurityMagazine.com

Businesses today accept the presence of cyber risks. In fact, 70 percent assume a business-altering event will occur in the next few years (FutureWatch Report), but they often have a more difficult time identifying specific risks, key factors and mitigation strategies. Worse, the board or senior leadership often makes assumptions about the safety of the firm that are overly optimistic when compared to the confidence ratings of security practitioners.

The difference between awareness and understanding is driven by the communication gap between the board and executives steering the business, and the security experts close to the problem. Both parties struggle to comprehend the other’s needs and responsibilities.

A firm’s risks stem from a handful of business aspects, including the firm’s participation in high-risk industries, its appetite for emerging technologies, and willingness to properly invest in targeted security practices. While this sounds obvious at first, it’s lost when the line of sight from the security practitioners to the board is over the horizon.

This article will explore board-level concerns, key drivers to invest in security, and how emerging technologies outpace the evolution of security technologies and services. The data presented in this article was collected in late 2018 through third-party research that surveyed 1,250 security executives, managers and practitioners. Data was collected from the United States, Canada and the United Kingdom. Participants were equally represented across various industries and company sizes, ranging from fewer than 100 employees to 5,000 employees or more. Read the full FutureWatch Report.

Major Attacks Are an Assumption

Unanimously, business leaders such as the CEO, board members and technical executives (CIO) alike predict a major cyber-attack in the next two to five years. Over 60 percent of respondents assume a major event will occur. Interestingly, 77 percent of CEO and board respondents consider their organization prepared for such an event. As expected, technical leaders are approximately 20 percent more likely to predict an attack and are 10 percent less optimistic than their business peers in their organization’s preparedness.

Senior leadership fears operational disruption, reputational damage and significant financial losses over regulatory penalties as top consequences of a major security event.

While business leaders show a confidence in their firm’s ability to manage a security breach, the devil is in the details. Only 29 percent of respondents indicated that their high-value or high-profile information is not adequately protected. And two-thirds of respondents are not confident that their cybersecurity programs match their peers, nor that their programs are appropriately resourced.

The Cybersecurity Rosetta Stone

Boards and security practitioners still struggle to translate their concerns and objectives. Only one-third of business leaders are confident in their security executive’s ability to monitor and report on cybersecurity programs and 66 percent worry that these programs are not aligned to business objectives.

IT and security leadership sentiments echo this concern. Most organizations struggle to show the value of IT security spend to senior management, including difficulties with status reporting. Aligning to enterprise risk management confounds over half of businesses, along with the ability to manage external risks with third-party vendors and the growing complexity of regulatory compliance.

On the positive side, progress has been made over the last few years. The CISO is no longer the least interesting person to the board, right up until they become the most important person. Over half of respondents indicate their board is very familiar with the security budget (51 percent), overall strategy (57 percent), policies (58 percent) and technologies (53 percent), and currently reviews security and privacy risks (51 percent). Moreover, the line of sight from the CISO to the board is more direct. Forty-five percent of security officers report to the board or CEO, 33 percent continue to report to the CIO and a small handful (10 percent) report to a privacy or data officer.

Moreover, nearly two-thirds of security budgets are set to rise in 2019. Spend on the security side is still reactionary. While regulatory requirements are in the basement of the board’s concerns, they top the list for security practitioners. A security team’s spend is generally reactive to client demands, major technology purchases, a major security event or near miss, and the adoption of emerging technology.

Emerging Technology: A Double-edged Sword

IT and security teams find themselves in a difficult position, caught between meeting the demands of the business to adopt emerging technologies that offer competitive advantage and carrying the burden of mitigating the risks that come along with new deployments.

Nearly three-quarters of respondents are currently using cloud services or plan to deploy cloud services in the next six months, with financial services, manufacturing and healthcare leading the adoption rate. Only law firms lag in their cloud adoption. Artificial Intelligence (AI), Internet-of-Things (IoT) and Industrial IoT (IIoT) top the list behind cloud.

Cloud security adoption is the priority, followed closely by identity and access management, threat detection and response, and endpoint detection and response. Security Information and Event Management (SIEM) moves beyond a compliance tool and now plays a role in the greater detection and response portfolio.

More than half of telecom, information technology, financial services and manufacturers invested in securing their cloud services. Similarly, financial services, healthcare and manufacturing also emphasize threat detection and response investments. These industries are equally investing in identity and access management as a response to a more distributed workplace. Again, law firms are significantly less likely to adopt these technologies.

Digital transformation is here to stay and brings with it a drive to always evolve and constantly change. Economics demand that vendors constantly improve and offer new features and technologies, which outpaces our understanding of the associated risks. We focus on the benefits while assuming vendors have resolved the security issues. For example, cloud technology tops the list of security priorities today, but AI and IoT/IIoT are on track to surpass cloud as the primary risk concern in less than two years.

This challenge will only increase over the coming years as 5G facilitates a ubiquitous mosaic of always connected devices. Risk associated with emerging technologies becomes more concerning as adoption rates accelerate, compressing the time in which organizations and vendors can adapt and develop appropriate security controls and deploy protective solutions.

Most Susceptible to Risk: Law Firms, Transportation and IT

Law firms lead when it comes to risks associated with external actors and attacks, and in their difficulty reporting status, showing value and meeting internal risk standards and regulatory requirements. Transportation and IT firms report higher than average levels of risk. Financial services tend to run just below industry averages across external attacks and internal or industry requirements.

Digital Transformation Outpaces Current Security Approaches

Digital transformation touches every facet of business operation and redefines how businesses engage with their customers. The emerging technologies underpinning this tectonic shift must constantly expand capabilities and adapt to survive in a competitive environment. Current security approaches are not fluid enough to keep pace with adoption of emerging technology and platforms.

Today, most firms identify their primary security posture as leveraging prevention technologies and device management. Firms that leverage a predictive security model such as threat hunting, machine learning, and device analytics reduce their risk by thirty percent. Less than one-fifth of firms identify as predictive. The trend is consistent across all industry segments with financial and healthcare services leading the charge and law firms lagging.

Firms adopting predictive security models are better able to identify never-before-seen threats and have engaged rapid response capabilities to reduce the risk of a business-altering event. Over the next two years, older preventative models drop to less than one-third, while predictive threat hunting will more than double to 40 percent. This trend correlates with the shift in business drivers away from regulatory dominance toward business-centric considerations such as operational disruption, reputational damage, and, of course, financial losses.

Interestingly, advanced firms are more apt to adopt emerging security technologies such as endpoint, threat detection and response, identity access management, and cloud security. Moreover, mature firms aggressively leverage SaaS and are more likely to adopt 100 percent cloud-based security services than firms using a device-management model. Outsourcing is a palatable alternative to recruiting and retaining threat hunting talent from a pool that cannot support the growing demand.

Digital Transformation, Dynamic Threats and Growing Accountability

Digital transformation continues to expand an ever larger and more fluid attack surface, exposed to the advanced methodologies used by well-resourced adversaries like organized criminals and nation-state actors. Regardless of industry, businesses operate in a world with ever-increasing accountability to protect their clients’ confidential information, adhere to state legislation, comply with privacy laws and meet the growing complexity of overlapping regulatory obligations.

This triad of risk demands that IT, security practitioners and leaders align with business governance objectives, while senior leadership acknowledges its role in establishing expectations and providing resources to adequately protect the business, its investors, employees and customers.

We’ve left the world of prescriptive regulations as a measure of security end state. Many organizations recognize that the financial loss associated with operational disruption and reputational damage outweighs the penalties set out by regulators. In the future, organizations will likely move to a perspective driven by their clients. In this state, brand and reputation will form the barometer by which a company’s security performance is ultimately measured. Protecting the client will mean, by extension, protecting their data and services, avoiding operational disruption and the resulting financial losses.


Author: Mark Sangster, Chief Security Strategist at eSentire

Mark Sangster is an industry security strategist and cybersecurity evangelist who researches, speaks and writes about cybersecurity as it relates to regulations, ethical obligations, data breach incident response and cyber risk management.

How do folding phones adapt to users, and vice versa?

By James Sanders in Mobility, TechRepublic on January 31, 2019 8:00 AM PST

Oblong CEO John Underkoffler discusses the burgeoning folding phone trend, how users will take advantage of the form factor, and how cases would work on a folding phone.

TechRepublic’s James Sanders spoke with Oblong Industries CEO John Underkoffler about the burgeoning folding phone trend, how users will take advantage of the form factor, and how cases would work on a folding phone. The following is an edited transcript of the interview.

James Sanders: I’m here with John Underkoffler of Oblong Industries. 2019 is widely expected to be the year of folding phones, as rumors indicate Motorola, Samsung and Xiaomi are preparing models with foldable screens. In terms of user experience, what’s the make or break factor for folding phones?

John Underkoffler: I think there’re actually two make or break factors and one is physical and the other has to do with the pixels in a sense. The physical one is ergonomic. And this may sound a little weird, but for me it comes down to can you open the thing with one hand? Does it have a really kind of fantastic feel as you open it? I mean, of course the precedent here is anyone having been down to the planet opening their Star Trek flip phone and there should be that similar kind of gestural feel, a similar kind of satisfying ergonomics to the simple motion of getting the phone to open into a usable mode. The other make or break factor as far as I’m concerned is of course the experience or the experiences. We know that what’s going to make these valuable in a raw sense is the fact that when they’re unfolded, there’s more display area that opens up the kind of field for the kinds of applications and the kinds of work and information that you can undertake and understand in the context of a folding phone.

But what those are is going to make all the difference and how software designers decide to use that larger space will make really all the difference. If it’s simply a matter of scaling up existing apps to fit into a bigger screen, I don’t think anyone has got much of anything to sell.

James Sanders: Samsung’s prototype shows only one hinge, meaning one flex point, making it more of a brochure. Leaks of a Xiaomi prototype show a two fold pamphlet design. How will increased fold points impact that user experience? And how are more complex designs likely to be more fragile?

John Underkoffler: Well, there’s the physical aspect: does having two hinges mean that the thing can get smaller? Probably not, but what it does mean is that it’ll likely be able to get bigger. In a way, I feel like the folds and the introduction of insides and outsides, where historically, of course, the smartphone has only ever had an outside, actually introduce the opportunity for new kinds of designs and new user interactions. Like, for example, is there a thing you can do? Is there a new swipe that actually takes information you were looking at on the display on the outside of the phone and kind of swirls it around to the inside? And when you have two hinges or two fold points instead of one, maybe there’s literally a new kind of fold semantics that extends our UI language for using smartphones. Maybe the act of folding and unfolding itself is part of the interface instead of simply part of the physicality of getting the phone ready to use. I think that would be really significant. I’d love to work on it.

James Sanders: Because of the emotional connection that people have with their phones, everyone I know has a case on their phone. How are you going to do that with a folding phone and without a case? How is it going to be that these aren’t just scratched the day after they’re taken out of the box?

John Underkoffler: Yeah, the case issue is a really good one. I think that historically smartphone manufacturers have gotten away without having to adequately, let’s say, physically safeguard the devices that they sell you, which is why there’s such a burgeoning market for cases. You get your new Pixel or whatever phone it is and it’s unbelievably elegant and slender, and then you’ve got to put it in a case. As you pointed out, the case isn’t really an option, or as easily an option, in the new foldable phone world. Although I guess I’m driven to recognize that if you buy nice used books (books, some people have heard of them), sometimes the original book’s cover will come in a kind of foldable mylar encasement that’s sturdy and not unattractive and keeps the thing safe. So maybe there’s something that can come along like that.

However, I really feel as if the onus is now on the smartphone manufacturer itself to make sure that the device is sturdy in a way that anticipates that, “Yes, of course it’s going to fall out of your pocket or your shirt pocket or your pocket book.” Or wherever it’s going to fall from. There’s physical hazard to being in the world and the phones are not immune and the phone itself should anticipate that.