CyberSecurity in the Age of Empowerment, Convergence, and Innovation.
I want to begin this post where I ended my post in my Blog Series on Enterprise and IT Transformation, “Enterprise by Design, Not Chance”. I ended that post with a snippet from a poem by William Butler Yeats, He Wishes for the Cloths of Heaven. In it he writes: "… I have spread my dreams under your feet; Tread softly because you tread on my dreams." Every day and everywhere, businesses spread their dreams beneath our feet, and we (as Cyber Security Architects and IT professionals) should tread softly because we are treading on their dreams.
As an Enterprise Architect, I made a promise to myself that my primary goal should be to help businesses attain their dreams by helping them generate business value. When I chose to specialize in Cyber Security, I retook that oath, and my mission has not changed in spite of all the bad news we hear about cyber attacks.
The early 20th-century economy and businesses were powered by coal, steam engines, and manufacturing. The latter half of the 20th-century economy and businesses were powered by oil, airplanes, and petrochemical-driven manufacturing. “Social” is the new oil that is powering the first half of the 21st-century economy. Social is at the heart of SMACT (Social, Mobile, Big Data Analytics, Cloud and Internet of Things).
This is the Age of Empowerment: Competitive businesses (with well-informed customers and employees) are seeking out opportunities to respond to very demanding customer and employee needs. This is the age of empowered customers and employees. However, pursuing some opportunities can expose businesses to excessive risk or invite behaviors that can damage a company’s credibility and reputation.
This is the Age of Convergence: Technology is expanding at an exponential rate. We are seeing the convergence of Man and Machine, led by Artificial Intelligence (Machine Learning) and Augmented Reality. Each of us will soon have “smart” devices inside us. We are racing towards what Ray Kurzweil calls the “Singularity”. This sort of “one in two” will create serious challenges for cyber security and in the allocation of ethical and moral accountability between the two (the person and the "thing" he/she is connected to).
This is the Age of Innovation: Professors C.K. Prahalad and M.S. Krishnan, in their book New Age of Innovation: Driving Cocreated Value Through Global Networks, talk about the need for companies to focus on the importance of individual customer experiences (N=1). They say companies should take a horizontal approach to supply rather than vertical integration, and focus on obtaining access to, rather than ownership of, resources in a global marketspace (R=G). These new business models require Cyber Security Specialists to take a new approach to managing risk while at the same time helping the business co-create value.
In the mid-80s, I started my career in the Oil and Gas Industry, working with Industrial Control Systems (ICS) and Operational Technology (OT). Safety was at the center of Real-Time systems then, and it still is now. Companies that mastered safety in the age of the industrial revolution survived and flourished.
Charles Duhigg, in his book The Power of Habit: Why We Do What We Do in Life and Business, talks about how Paul O’Neill, the CEO of Alcoa, quintupled Alcoa's income simply by changing one aspect: worker safety. I strongly believe today's businesses can use the same strategy of focusing on one keystone habit (Cyber Security) to co-create value in the new “Social” oil era. I believe that in the information revolution era powered by SMACT, companies that master cybersecurity will survive and flourish.
Failure to address cyber security can cost companies in damaged reputations, fines, business losses, missed opportunities, and the diversion of management attention to deal with crises. The key question is how today's Business and IT leaders protect their companies from control failures when empowered, converged, and innovative employees and customers are encouraged to redefine how they engage with the company.
Let’s talk about four key controls that we can adopt:
Value System Controls:
I truly believe that CyberSecurity is not a technology problem; it is a human problem, and unless we address the Human Vector, we can never achieve good cyber security hygiene. There are only two categories of people when it comes to CyberSecurity: the Good People and the Bad People. The fundamental difference between the good people and the bad people is their Value Systems.
I have huge faith in human nature; I believe more than 95% of people are good and have good value systems. Companies have used value systems for years in an effort to articulate the values and direction that leaders want their employees and customers to embrace. Typically, value systems are concise, value-laden, and inspirational. Through Organization Change Management techniques, companies can increase awareness of the cyber security problem. Safety Slogans played a huge part in promoting the value of safety. I believe targeted Cyber Security Slogans and Campaigns, driven by good value system controls that articulate the cyber security goals and objectives, can go a long way.
Boundary Systems Controls:
Boundary systems are based on a simple, yet profound, philosophical and psychological principle that is now used in modern management. If management wants their employees and customers to be creative and create value for the organization, they need to ask this question: “Am I better off telling them what to do or telling them what not to do?” The answer is the latter.
Clearly defining limits (Boundary System Controls) by telling employees and customers what not to do allows innovation and value creation. The boundary system controls should be based on your enterprise cyber security maturity, culture, Risk Appetite and Risk Tolerance. Going back to my safety example: when babies start to crawl, parents realize that their kids will get hurt, but what they want to prevent is life-threatening accidents, so they take the safety precautions that prevent those life-threatening accidents. However, as the children grow older and mature, the parents slowly increase those boundary controls. In the age of a “Social” powered digital transformation, boundary system controls are a pragmatic way to approach cyber security.
Boundary systems are an organization’s brakes, and like racing cars, the fastest companies need the best brakes. Boundary system controls are especially critical in those businesses in which a reputation built on trust is a key competitive asset. Examples are any end-customer-facing organizations, like banks and online businesses.
Diagnostic Control Systems
Diagnostic control systems work like the dials on the control panel of a car, or like an industrial control system that enables the operator to scan for signs of abnormal functioning and to keep critical performance variables within preset limits. The operator cannot take action unless critical events of interest are “sensed” and reported. The detection is done using sensors that relay information about the current state to the central console. Designing effective “sensor” systems for the social interactions that affect a digital organization is the key.
Interactive Control Systems
Interactive control systems focus on constantly changing information in complex interconnected systems and correlate what otherwise looks like unrelated information to the human eye, making the connection. In simple words, it is about "connecting the dots". In Chaos theory, this is known as Lorenz’s Butterfly Effect: does the flap of a butterfly’s wings in Brazil set off a tornado in Texas? Alternatively, can the first written word in a satire about a dictator bring down the reputation of a huge multinational? Just as meteorologists look for signs of the next hurricane or tornado, can we in Cybersecurity see the first domino falling, or the first infection in an Advanced Persistent Threat, and build interactive control systems?
A well-defined Advanced Security Operations Center is an example of a good interactive control system in Cyber Security. The key is to look at all internal and external events and to build the Attack Tree. The next level of an interactive control system is to build self-learning, self-healing applications/systems. These are systems that look for errors and negative feedback and then use them to get better and to prevent a Black Swan cyber event from happening. In Industrial Control Systems, we call these “cascade controls.”
Capgemini has introduced a consolidated security service called Cybersecurity Global Service Line, integrating its expertise in cyber security.
We provide end-to-end advisory, protection, and monitoring services to secure your organization. To find out more, visit www.capgemini.com/cybersecurity and the SMACT blog series "Putting cyber security at the heart of digital transformation".