The struggle between corporate “commercial” and “security” teams with differing strategic priorities is familiar and has preoccupied board room discussions for years.
Finding the ideal balance between innovating and mitigating risk is difficult at the best of times. However, in our current environment of accelerated and diverse change, driven by IoT, digital transformation, AI/ML, big data and more, it can feel like trying to thread a needle while snowboarding.
It’s clear organizations need to evolve and embrace new opportunities, but the risks and the consequences of any breach have never been higher, both commercially and legally.
Pandora's box is opening, and we have to prepare for both the positives and negatives it will inevitably bring.
Candid Assessment for Successful Cooperation
Overcoming the complexities of today's digital conditions necessitates collaboration, and success demands high-quality partners that specialise in the specific elements your project needs. However, it is not only their expertise or product that matters, but their willingness to work openly, offering frank advice and support to securely deliver your goal.
That goal needs to be clearly defined and holistic, extending to legacy security and protection during implementation, as well as the final solution.
Getting to this point can be uncomfortable.
We naturally try to avoid those stark discussions on existing problems we haven't resolved, or on the limitations of the systems we have purchased. We try hard to convince ourselves that this time the implementation issues will be minimal. Yet this is not realistic, and we should keep in mind that everyone is facing these same problems.
Openly discussing what we would rather not admit is the only way forward.
A clear plan allows you to maintain control and create a security framework that you can hold internal and external participants to. This will also help you avoid the "octopus on roller-skates" scenario on delivery: lots of activity but not much progress.
Pressures to Tilt the Balance
Considering security while creating a plan and sticking to it is hardly a revolutionary idea. It applies as much to yesterday’s IT networks as the situation we find ourselves in today. The difference now is the vast increase in technology diversity and its level of maturity, making planning, finding reliable partners and solution delivery exponentially more difficult despite its importance.
The size and convoluted nature of IoT makes decisions more nuanced.
It is, on the whole, accepted that IoT is deployed in larger numbers, often consists of resource-constrained devices, has long life cycles, and tends to be physically and virtually more exposed than the rest of the network. All of this increases the cyber threats that need to be mitigated.
Conversely, the volumes and potential deployment topographies can also mean significant investment costs. This presents organizations with an interesting paradox, challenging the balance between risk-taking commercial priorities and risk-averse security priorities.
Regardless of whether the solution is a consumer offering or supports an enterprise's digital transformation, "secure by design" principles are regularly tested when challenged by commercial logic.
“Why build a device and potentially relinquish first mover advantage or delay realising transformational cost savings when we can buy something?”
“Why buy the slightly more expensive device if another does the same job?”
Here again there must be realism and balance.
Risk aversion is unique to every company, driven by tangible considerations, such as use case, industry and exposure, and by intangible concerns and attitudes, such as previous experiences and decision makers' personalities.
Having the highest level of management list the scenarios that can never be allowed to happen to the company, then working backwards to how they can be sensibly minimised, with any outstanding risks described and listed, seems to be a good way of finding common ground. Plus, with Gartner quoting that 75% of CEOs will be personally liable for the consequences of Cyber-Physical System attacks by 2024, it seems fair that they set the bar.
Converging Focus
Of course, not all decisions are in your hands.
Legislation surrounding cybersecurity and data privacy is already present in many industry verticals. With consumer acts such as the UK’s PSTI Bill, or EU Radio Equipment Directive security updates and others passing into law in 2024, security in IoT devices is becoming increasingly mandated.
The vast quantities of personal data IoT collects are protected via GDPR, CPRA, HIPAA and others. AI is next in the spotlight, with the UK one of the first to start consultation on new regulation.
These minimum security requirements, together with other acts stipulating reporting and recovery processes (e.g. the EU NIS2 directive), clearly show the importance global administrations afford to cyber security in our newly digitized world.
Parting Thoughts
Balancing “commercial” and “security” is always going to be difficult, but for too long security has been the “belle of the ball” when projects are first discussed, or when decision makers respond to industry surveys, only to find itself the first invitation cut when budget constraints are applied.
We are at a watershed moment where this has to change. Governments are mobilizing but there is also a groundswell of support from public opinion driven by highly publicised cyber-breaches, the pandemic, geo-political instability, AI’s impact, and a number of other contributing factors.
More weight is being applied to the security side of the scales, potentially reining back the speed of progress but more importantly protecting our prosperity over the long-term.