Cyber Innovation: A conversation with Philip Lafrance

  1. Can you describe what is meant by Cyber Innovation and how it differs from the more traditional standards approach?

We have been defining “innovation” as “executing new & creative ideas that add value to the performance of the organization”. In that sense, innovation simply means finding a better way to do something, which results in a positive benefit.

Cyber innovation is more about enabling an organization to innovate and be innovative within various domains of cybersecurity.  So, there is a question of “What does it mean for an organization to have mature cyber innovation capabilities?” And one answer is that it means they have a developed, stable, and efficient system in place that maximizes the organization’s ability to innovate on new cyber technologies & processes while appropriately managing risk in the face of ever-present and emerging cybersecurity threats. The cyber innovative approach is a holistic and multi-faceted approach to enabling cybersecurity within an organization, and improving it over time.

This approach is not meant to be a replacement for a standards-based approach. Personally, I’m all about standards; they’re crucial. The cyber innovation approach is meant to be complementary to the use of standards and frameworks. But standards by themselves are not a complete solution, especially if the standards in question lean heavily in the direction of technical controls. Modern security practitioners realize that security is a moving target, and that to develop a robust security posture, you need more than technical controls. You need awareness, you need a culture and mindset of cybersecurity, you need an executive team willing to lead the charge. And so, the cyber innovation approach is a more holistic approach to cyber than a purely standards-based one.

I like to say that you can innovate on your products. You can innovate on your processes. And you can also innovate on your corporate culture and mindset. It is my belief that this third category is perhaps the most important for the world to innovate on now. Collectively, we need to get our heads right about modern cybersecurity.

  2. What common cyber challenges have you seen across verticals?

This is a great question, and I think it would take much longer than the 45 minutes or so that we have to give it a complete answer, but there are certainly a few we can mention.

The first few things that come to mind are: scalability of cybersecurity (e.g., managing an increasing number of IoT devices), protections against emerging technologies (e.g., how will quantum computers affect your security?), the disintegration of the network perimeter (e.g., BYOD policies or remote work), how to deal with the lower and lower barriers of entry for attackers (e.g., script kiddies or social engineering attacks), and I would also say sunsetting outdated tools, equipment, and cryptography (please stop using DES or SHA-1).  And I’ll actually add one more to that list, I would say alignment between the cyber and non-cyber business aspects of an organization. Too often there is unproductive tension between those two things, and I think by internally aligning a bit more, that organizations can realize major benefits.

  3. Is cybersecurity innovation suitable for all companies? What are some use cases where you see it will offer the most benefit?

It is. If your organization uses a computer, then it will need to worry about cybersecurity. And, if you have cybersecurity, you have an opportunity for cyber innovation. And absolutely, different organizations will get different benefits out of cyber innovation. But one of the nice things about this approach is that it gives benefits in a lot of different areas, not just in one’s ability to mitigate security incidents. We can see social and reputational benefits from taking a leadership role in cyber innovation, there is competitive advantage in being able to see what’s coming and adapt to it before other firms can, and in general, realize efficiencies and savings across the organization by having those innovative processes in place.

As for which types of organizations will see the most benefit from this approach, I would say that certainly organizations in the technology space in general would get sizable benefit. Or, in any area where the underlying technology changes frequently, organizations transitioning to more remote working or zero-trust environments, organizations that want to scale largely, or any industry that is susceptible to disruption.

  4. What are the biggest threats you see that will not be addressed by the traditional approach to cybersecurity that would be better addressed by cyber innovation?

The ability to adapt to change and disruption.

Consider this: technology is changing rapidly, and it feels like there are technological breakthroughs everywhere you look. And breakthroughs aside, the world is considerably more technologically advanced than it was twenty years ago. The first iPhone came out in 2007; it’s the age of a young high school student. So, you have to wonder where we are going to be twenty years from now.

Naturally, this also means that threat actors are also becoming more capable, more ambitious, and more present. Yesterday’s security technologies may not be enough to combat tomorrow’s threat actors. So, what can organizations do about that? It isn’t feasible or pragmatic to adopt and implement new tools every other week. That simply isn’t going to work. But with defined innovative processes, a culture and mindset of cybersecurity, and a governance team willing to spearhead the effort, tomorrow’s threats can be better mitigated today.

This is what we mean when we say this is a holistic approach. We are considering innovation across different domains, in ways where they augment and complement each other. This wider-view approach allows organizations to tackle these emerging problems from more angles than has been traditionally allowed for.

One other threat which I don’t think is adequately addressed by the traditional approach to cybersecurity is sunsetting outdated cryptography and transitioning to new algorithms. Cybersecurity is a complex and multi-faceted creature, and the underlying cryptographic algorithms (for data encryption, digital signatures, etc.) have been relatively stable for a long time. And because of that, those algorithms have been sort of buried and hidden away beneath all the other aspects of cybersecurity. Consequently, there is often a lack of expertise within organizations about those algorithms. And, if something goes wrong with those algorithms, remediation becomes much more difficult.

A great example is the (attempted) migration away from using the SHA-1 hash algorithm, or the Data Encryption Standard (DES). These things are no longer considered secure, but they’re still used out in the wild to a worrying degree. And this is partly because of how difficult it is to transition to new crypto primitives. And now, there is a good probability that cryptographically relevant quantum computers will be built this decade. Such machines will be able to efficiently break the cryptographic algorithms that underlie all of our IT infrastructure (such as RSA or ECC). And so, organizations need to be prepared to migrate to quantum-safe algorithms, which is a much taller order than just switching to a new hash function (re: SHA-1). Innovative approaches will be required to pull off such a transition.

  5. What drove you to develop the Cybersecurity Innovation Leadership Framework and what gaps do you see with the traditional approach to cybersecurity?

We began this project because we saw there was a need for it, and no one else seemed to be making any proposals.

My concern with traditional approaches is that they have trouble keeping up with the times, and they’re generally narrowly focused (e.g., focus more on technical controls than on promoting a culture). Cybersecurity is so much more than just looking at packets or having an alphanumeric password. It touches on aspects across the organization, and it is still evolving. We need to realize that and change our approach to reflect that reality.

  6. Does cyber innovation require buy-in from key stakeholders? Who in the organization leads these efforts, and is a change in mindset required to adopt an innovative approach to cyber?

This is something that needs to be led by the governance team of the organization. It somewhat depends on where the organization is at in its cyber innovation journey, we say. If the organization is at CILF level 2 for example, then this effort would likely be led by a CISO. But at the higher levels of the CILF, the organization would establish a cyber innovation steering committee, which would include the CISO or “cyber owner”, among others.

The answer to the second question is both yes and no. That change in mindset, the change in the culture of the organization (and the industry at large), is not going to happen overnight. It will take some time. Fostering that innovative mindset is something that the organization would be working towards as it begins to adopt cyber innovative practices. But at the end of the day, there does need to be someone in the organization who has that mindset and who is willing to make it happen.

  7. I know the Cybersecurity Innovation Leadership Framework speaks to four domains of innovation, being Technology, Processes, People and Leadership. How interconnected are these domains?

They are borderline inextricable. In particular, the Technology, Processes, and People & Culture domains are tightly linked. The Leadership domain feeds into the others and supports them, but it is somewhat more stand-alone. The leadership helps set the direction, the people and culture support and carry out that vision, and the technologies and processes are the vehicles we ride to achieve those goals.

  8. We’ve seen jurisdictions adopt stricter data protection and privacy laws to protect personal information. Does cyber innovation help organizations meet these obligations? Is it adaptable so that it is relevant to ever-evolving laws in this space?

Again, we see the CILF as being complementary to existing standards, frameworks, and so on. I wouldn’t make the claim that being at CILF level 3 will make you GDPR compliant, but I will say that it can help you not break compliance once you have it. And that can come from various aspects of the CILF. General security and privacy awareness helps; that future-sight and long-term planning will help you avoid certain pitfalls; understanding what cyber technologies you’re using, and how and why; that strategic internal business alignment; or taking a leadership role in the industry (for helping set standards or regulations, etc.). In each of the 4 CILF Innovation Domains, you can find something that will help you maintain those strict data protection and privacy laws. And to the second part of your question, I would say that yes, that’s a big part of the whole idea: to bake in that agility to change as needed, to keep your finger on the pulse of the industry as well as emerging threats or changes in legislation.

  9. How can organizations look to implement cyber innovation into their operations? What are the first steps they should take?

One of my favourite idioms is “look before you leap”. Before you take any big actions, do a little research first. Have discussions and dialogue about cyber innovation with your peers and colleagues. And most importantly, download the CILF v1.0 and give it a read.


Why the 2020 recession is the best time to become a Cyberpreneur

In one of his most famous essays, Paul Graham of Y Combinator fame articulated why a recession is the best time for founding a Startup (http://www.paulgraham.com/badeconomy.html). As per Paul Graham:

“Which means that what matters is who you are, not when you do it. If you're the right sort of person, you'll win even in a bad economy. And if you're not, a good economy won't save you. Someone who thinks "I better not start a startup now, because the economy is so bad" is making the same mistake as the people who thought during the Bubble "all I have to do is start a startup, and I'll be rich."”

Let’s explore why Paul Graham is correct and why it’s all about the founder(s).

Why is a recession the best time for a Startup?

A recession is the best time for a Startup because, by definition, a Startup has low costs and can provide solutions to potential customers at a lower price. In addition, potential customers are also exploring new solutions that ensure that their own services can continue in this new, harsher economic environment. Furthermore, investors are looking for Startups that focus on new opportunities and can leverage the new environment’s economic fundamentals to succeed and grow.

 

Humanity and a more connected environment

The 2020 COVID-19 pandemic has only accelerated humanity’s pivot to a more connected environment. Through new technologies such as Smart Cities, Connected Vehicles, Supply Chains, Industry 4.0, and many other similar initiatives, we were already moving towards a greater reliance on working remotely and using technology and infrastructure to support this remote work. This, of course, means that there is a greater need for Cyber solutions and expertise that ensure the protection of data being used in all these connected transmissions.

 

Growth of Cyber

Cyber was already projected to grow exponentially in the next few years as a market.  According to Fortune Business Insights, “The global cyber security market value stood at USD 112.01 billion in 2019 and is projected to reach USD 281.74 billion by 2027.” This is expected to grow even more as the number of Cyber breaches and the losses due to them increase.  An example of these costs is highlighted in a recent study published by the Atlantic Council and the Zurich Insurance group which estimates that cyberattacks could cost up to $90 trillion by 2030 if cybersecurity fails to advance at a rapid pace.  Thus, a well-positioned Cyber Startup has a viable business proposition and has great potential for the future.

 

Adding Value to Society

But it’s not all about making a profit and becoming rich. Successful Entrepreneurship, by definition, is all about adding value to human society. The only way we can all recover from the after-effects of the 2020 COVID-19 pandemic, including the recession, is for all of us to get together and pitch in wherever we can to ensure the well-being of our society. Cyber is a great way to add value in this environment, as many organizations were not ready for a telework environment and did not have the cyber technologies and governance structures in place for such an eventuality.

 

The Passionate Cyberpreneur

All of the above means that the 2020 recession is the moment when passionate entrepreneurs should focus on becoming Cyberpreneurs. The current remote working environment presents several Cyber pain-points which the Cyberpreneur can solve using their creativity, enabling the security and indeed the safety of our personal and professional lives.

Why would YOU, the passionate Cyberpreneur, not want to take advantage of such a historic opportunity to add value to society through your unique skillset?

 

AJ Khan

Cybersecurity Innovation Leader


The Need for Cyber Security Innovation

Cyber Security is the body of knowledge that encompasses technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. Today, we live in a connected world where our lives are totally dependent on technology. From banking and e-commerce, Cryptocurrency, automated vehicles, Voice-activated Home assistants, healthcare, supply chains, EVERYTHING in our daily lives is based on technology and data. That is why today there are many challenges in this field which creative and passionate individuals can solve through innovation. And it is for this reason that in the World Economic Forum’s Global Risk 2016 report, cybersecurity risk is recognized as one of the top commercial risks along with geopolitics, the environment, and the economy.

There is certainly more and more recognition of the need for disruptive innovation in Cyber Security and the necessity to secure the technology and data on which our lives have become so dependent. This is obvious from the increase in global spending on Cyber Security, which has grown exponentially. In 2004, it was USD 3.5 Billion; it has grown to USD 120 Billion today in 2017. By 2021, this spending is expected to grow to USD 1 Trillion.

Cyber Security is a vast field and there are many areas where innovation can happen. These include process-based improvements such as in Governance, Risk & Compliance (GRC), Privacy, Policies & Frameworks (NIST, ISO 27001/2, PCI, GDPR) and Awareness & Outreach. There are also significant opportunities in Cyber Security areas such as Cloud Security, Threat Intelligence, Internet of Things (IoT) Security, Mobile Security, Security Management, Identity & Access Management, Cryptocurrency & Blockchain, Artificial Intelligence, Application Security, Penetration Testing, and Fintech & Healthcare Security.

While various countries, including Canada, have been focusing on Innovation, there are still many factors contributing to the lack of innovation in Cyber Security. The first of these is the difficulty of linking cyber security innovation effectively to the needs of major industries such as the financial services or Healthcare industry. Secondly, while most leading innovation nations have developed significant clusters of innovation, there is no single centre of gravity, coordination, or systemic catalyst to bring it all together. And of course, there is a global shortage of cyber security talent. There is usually also limited collaboration on applying R&D strengths in related fields to cybersecurity problems. Finally, a strong process needs to exist for start-ups to access global Cyber Security markets and sources of capital.

Countries and Organizations taking a leading role in Cyber Security Innovation today can not only better protect their critical and business infrastructure but will also be well-positioned to reap the financial and trade dividends of this growing technology market.