Understanding the uncertainties of cybersecurity: Questions for chief information-security officers

October 7, 2019At a highly dynamic moment of change in the way companies use technology, cybersecurity is probably the most dynamic of all corporate technology domains. The field and the companies that rely on it are being transformed as an uncertain geopolitical environment emboldens potential cyberattackers, rapid technological innovation creates new ways to launch and repel cyberattacks, and cybersecurity’s emergence as a critical business function prompts experimentation with organizational and operating models alike.

In such an environment, perfect foresight is impossible. Yet business, technology, and security executives all have a responsibility to understand the important uncertainties and to develop practical working hypotheses about how to manage them. To help these senior managers, we’ve compiled a list of the key questions they ought to ask over the next 12 to 18 months.

Evolving market expectations

Two of these questions focus on market expectations: whether consumers will start to care about security issues and the way differing regulatory, political, and cultural expectations about data protection shape security across national boundaries.

1. Will consumers start to care about privacy and security?

Anyone who has observed the procurement of group health insurance, pharmacy-benefits management, prime brokerage, or IT-outsourcing services knows that corporate customers care a lot about how their suppliers protect sensitive data. But with a few exceptions—such as high-net-worth or mass-affluent purchasers of financial services—the consumer market just doesn’t seem to care about privacy or security. Most breaches involving personally identifiable information haven’t affected revenues or market share in any sustained way.

Yet in view of the relentless attention to privacy and security issues in the press and the political arena, this indifference could certainly change. Companies have a responsibility to protect all consumer data, but when senior executives think through their risk appetites, levels of investment, and incident-response plans, they must consider not only how sensitive consumers in general are but also who may be the most sensitive consumers and which perceptions and actions (or failures to act) might heighten their concerns.

2. How will different regulatory, political, and cultural expectations about data protection across national boundaries shape the security environment?

Perhaps paradoxically, while consumers have been relatively blithe about their data, privacy and security have continued to be hot-button political and regulatory issues. Jurisdictions such as Brazil, California, and the European Union have started to implement tough new requirements on data privacy. But regulations in different jurisdictions may contradict each other or create conflicts between compliance and security—particularly by constraining the forensics a company can perform on its own network to identify insider threats or compromised accounts. (Regulators might perceive those actions as inimical to the privacy rights of employees.) Authoritarian states may demand that companies limit security or privacy protections for their customers or employees as a condition of doing business in those places. That in turn may spark public frustration and anger elsewhere.

Going forward, companies will certainly have to think about tailoring their security models to the requirements of different national markets. Some may have to make tough choices about whether they can reconcile expectations about privacy and security in all the markets where they might ideally like to do business.

Evolving risks

The next set of questions focuses on evolving risks: whether companies will be collateral damage, coopted or directly targeted by nation-state actors; how companies will protect their data in a world of pervasive sensors and protect their machine-learning capabilities; and how quickly quantum computing will become a security threat.

3. To what extent will companies be collateral damage, coopted or directly targeted by nation-state actors?

As the NotPetya attack showed, nation states increasingly use cybertools as weapons of domestic and military tradecraft. Originally directed at targets in Ukraine, NotPetya wreaked havoc on unprotected networks around the world. Another harbinger of what’s to come: it has been widely reported that NotPetya was derived from a stolen exploit originally developed by the US National Security Agency.^[1]

In an era of renewed great-power conflict, countries increasingly promote their global interests by means other than war. During the past several years, asymmetric approaches (such as cybertheft, cyberattacks, malign influence, and media manipulation) have taken advantage of unsuspecting content providers, critical national-infrastructure operators, and intellectual-property producers.

When global tensions rise and economic interventions become increasingly common in great-power conflict, companies will be collateral damage; in fact, they will probably be targeted directly in state-against-state cybercampaigns. Similarly, nation states may increasingly use for-profit companies as proxies, partners, and conduits for asymmetric activities. Businesses must therefore determine how much risk they face from either intentional state-sponsored attacks on them or, as collateral damage, from attacks on other targets.

4. How will companies protect data in a world of pervasive sensors?

The Internet of Things (IoT) dramatically raises the stakes for cybersecurity—at least potentially, cyberattackers could manipulate devices that are now becoming connected to networks: for instance, automobiles; heating, cooling, and ventilation systems; and industrial machinery. The IoT involves huge numbers of network-connected sensors that will generate massive amounts of sensitive data. The security functions of companies will have to understand what kind of data the devices installed on their networks collect, who might benefit from compromising the data, and how to secure a whole new technological environment.

Although that goal is challenging, it is at least more straightforward than protecting sensitive information in the consumer IoT. Companies prohibit their executives and managers from working with sensitive documents on any personal device and from transmitting them via personal email accounts. Will companies also have to prevent employees from making or receiving company-related telephone calls at home in rooms with voice-activated smart devices?

5. How can companies protect their machine-learning capabilities?

Businesses are racing to implement machine-learning systems to detect fraud, improve pricing, rationalize supply chains, and optimize dozens of other business decisions. For all these use cases, decision algorithms improve over time as more data generate better insights about the connections between inputs and the objective function to be optimized. This is a fundamental change—analysts can no longer replicate algorithms on a pad of graph paper, as they could with traditional decision tools. It may therefore be all but impossible to determine whether a cyberattack has subtly compromised a business capability (by reducing the ability to detect fraud, for example). Security organizations and their business partners may need to develop new ways to ensure the validity of machine-learning algorithms.

6. How quickly will quantum computing create security threats?

All security relies on encryption—and on the assumption that massive computing resources would be required to decrypt data protected by even a moderately capable encryption algorithm. But quantum computers that could crack the RSA-1024 encryption standard in less than 24 hours may be only a decade away.^[2] At a stroke, many of the security technologies the modern world depends on would become ineffective: for example, what would happen to investments in business processes based on blockchain if the encryption it requires could be compromised quickly?

Of course, defensive capabilities advance just as offensive ones do, and quantum encryption will probably attempt to protect users against quantum decryption. Yet the National Academy of Sciences estimates that it will take 20 years to make enterprise networks less vulnerable to quantum-based attacks.^[3] That time frame, and the risk that some attackers may have access to quantum capabilities well before the next decade’s end, mean that companies—especially in critical infrastructure sectors—have a responsibility to start early planning for the transition to a quantum world.

Evolving security protections and platforms

The next group of questions addresses evolving security protections and platforms: how quickly a zero-trust model could be adopted, the future of passwords, the evolution of the security-tech market, and the security problems of cloud services.

7. How quickly could zero trust be adopted?

Most chief information-security officers (CISOs) have believed for years that the perimeter is less important than it used to be, though they continue to make investments in perimeter-based controls. Now, as companies start to accelerate their move into the public cloud, these traditional perimeters may become irrelevant for larger and larger parts of the corporate environment.

In the zero-trust model, applications base no trust assumptions on whether a user (or another application) is inside the network perimeter. This has several advantages: organizations can set the right level of protection for each application and dramatically limit the ability of attackers to move laterally across technology environments.

Yet companies have decades worth of legacy applications that assume the existence of a network perimeter, and very few technology organizations have developers with the skills to develop zero-trust applications. Less than 10 percent of the CISOs McKinsey surveyed believed they could adopt the zero-trust model, even for cloud applications, in the next two or three years.^[4] The key to success in zero trust is the ability to understand and go on tracking users, assets, and controls simply, but at a granular level—or, if necessary, to reengineer or reshape them. CISOs will have to caucus with their application-development and infrastructure colleagues to determine how quickly their companies can develop the required capabilities.

8. When will we finally be able to kill passwords?

Passwords are terrible. Users hate them, forget them, write them down on publicly displayed sticky notes, and use them across accounts—including consumer accounts from providers with security vulnerabilities. Eliminating passwords could both reduce that vulnerability and improve the user experience dramatically.

What might a postpassword world look like? It would probably combine biometric authentication or authentication based on devices (such as phones, which use biometrics) with behavioral analytics that can determine, probabilistically, if users are legitimate. The advent of the WebAuthn standard for using devices to authenticate online services might be a critical enabler.^[5]

But a successful transition will require device manufacturers, service providers, and commercial-software developers to adopt relevant standards and incorporate them into their offerings. In many cases, companies may want to develop the behavioral analytics to complement biometric authentication. Given the momentum, CISOs and other executives may want to start putting plans in place now.

9. How will the security-technology market evolve?

The cybersecurity-tooling market has recently been among the most fragmented in enterprise technology. Systems architects might have only a few practical choices for app servers or database-management systems. But their security colleagues must sort through dozens of endpoint-protection or antimalware products. Despite the problematic complexity, attempts to create integrated security platforms have met with limited success, to date.

Enterprise security leaders planning investments should ask the larger market participants to explain what makes their integrated offerings compelling. If they can’t, it isn’t clear whether proprietary products will continue to dominate this space or companies will seek to optimize their security expenditures by adopting open-source products. Equally important, how will the answers to these questions differ across market segments—say, between larger and smaller companies or between companies facing threats that are more sophisticated or less sophisticated?

10. When will large companies be able to consume cloud services securely?

The case for public-cloud infrastructure is exciting: access to innovative services for developers, near-infinite capacity on demand, and (at least potentially) lower costs. Yet for large, complicated companies—especially in heavily regulated industries—the pace of adoption has been slow. Some companies with thousands of applications (and more than 100,000 servers) desperately want to leverage the infrastructure of the public cloud but have succeeded only in running fewer than ten applications there.

Legacy applications never designed to run efficiently in the cloud are part of the problem, but security is a major bottleneck as well. Security teams are racing to perform risk assessments of hundreds of cloud services—first to learn if capabilities such as identity and access management (I&AM) and monitoring work in them and, second, to build the level of automation that would make it possible to configure systems securely in the cloud. Companies thus need to determine just how quickly they can build cloud-enabled security capabilities, which acceleration opportunities they have, and what that means for the overall journey to the cloud.

11. Will smaller companies use cloud services to reduce their security footprint dramatically?

Some security professionals talk about the cybersecurity poverty line: companies that annually spend even $50 million or $100 million a year on IT may struggle to afford all the cybersecurity tools they need and to attract the talent to deploy and manage them. The transition to cloud services has challenged larger companies scrambling to recast their security architectures and operations to support a cloud-based infrastructure.

But the cloud may be a security godsend for smaller companies. Their technology executives (or counterparts in small, independent divisions of larger companies) should ask themselves if they could dramatically reduce their internally managed technology footprint, their surface area, and therefore their level of risk by accelerating the transition to business applications based on software as a service (SaaS) and to SaaS-based desktop environments, voice communications, and network connectivity. This question will be especially relevant for private-equity firms, which invest in many midmarket companies.

Evolving security operating models

The final set of questions focuses on evolving operating models for security: whether the cyberinsurance market will protect against cyberrisks, how the scope of security organizations will develop, and how cybersecurity talent pools will react to demand.

12. Will the cyberinsurance market protect against material cyberrisks?

For the past decade, market observers have suggested that cyberinsurance is the next major growth area for insurance carriers. Sceptics have rejoined that it will always be the next major growth area. For now, the sceptics seem to be right: the cyberinsurance market has grown only incrementally and still doesn’t cover most cyberrisks except customer-data-breach mitigation and regulatory penalties. Direct costs, reputational risks, and intellectual-property theft do not get meaningful coverage. Since companies cannot effectively hedge cyberrisks, they adopt new technologies relatively slowly for fear of their adverse cybersecurity implications.

As for the insurance carriers, they don’t have good actuarial data for cyberthreats, know how to model cyberrisks well, or truly understand the cyberrisks they would insure or the returns on the relevant investments. However, new quantitative methods are emerging to assess the likelihood of long-tail cyberevents, and one or more carriers may succeed in quantifying and insuring cyberrisks. If so, companies may be able to transfer risks they have so far been accepting or mitigating at high cost. But that will come to pass only if carriers can dramatically improve their underwriting.

13. How will the scope of security organizations develop?

Cybersecurity has become a more important issue for boards and senior management teams alike. Many companies have therefore started to expand the remit of what used to be the information-security organization, recasting it as the IT-risk group, responsible not only for information security but also for technology compliance, the quality of software, disaster recovery, and business continuity. The goal is to have one executive and one team make integrated decisions about protecting corporate information and systems from both accidents and attacks.

Other companies, thinking that no clear line separates cybersecurity from physical security in an increasingly digital world, have integrated them. A few companies have combined cybersecurity with fraud control because they think that most fraud has an online component and want integrated analytics to oppose it. A few other companies combine the security and privacy teams, on the theory that customers care only about the misuse of their data and don’t distinguish between security and privacy. Meanwhile, many companies have moved much of their security-related service delivery and technology support into the technology-infrastructure organization, so that CISOs and their teams can focus on strategy and risk management.

In short, the organizational structure for cybersecurity hasn’t stabilized. Senior managers must watch developments in their industries to see which organizational structures succeed.

14. How will cybersecurity talent pools evolve in relation to demand?

CISOs disagree on many things, but they almost universally believe that cybersecurity talent is in short supply. When people chose majors and courses of study in the past, almost nobody expected cybersecurity to be as big an issue as it is today. But for several years now, demand signals indicating a pressing need for cybersecurity expertise have been penetrating the talent marketplace. Computer-science students are beginning to take cybersecurity courses, security specialists trained in the military have entered civilian labor markets, and lawyers and other professionals have gone back to school to retrain themselves as cybersecurity experts.

Technology executives should think about their cybersecurity operating models: what to outsource, how aggressively to automate, and which skills to foster internally. As they do, they must know how much cybersecurity talent is available and whether it aligns with their overall strategy. People with low-end cybersecurity skills, for example, may become more available long before companies can find enough experts with the advanced skills required to face off against business leaders on cybersecurity issues or to direct the automation of cybersecurity.

□ □ □

Policy decisions, investment choices, and security incidents now confront security, business, and technology executives with pressing (and often exhausting) cybersecurity issues they must address in the short—and sometimes very short—term. Yet in view of the cybersecurity environment’s highly dynamic nature, CISOs and other executives have a responsibility to think through the longer-term questions raised in this article.

Companies can address some of the issues described here—for instance, quantum computing, pervasive sensors, and the cyberinsurance market—as events unfold in coming years. Other issues, such as evolving consumer expectations and regulatory demands, require more immediate attention because they could have a dramatic impact in the next year or two. To withstand the coming security onslaught, companies will have to change in important ways. The questions posed in this article are the natural starting point.