There’s been a good amount written lately about emerging cyber security technology. To a certain extent, that’s true: a good CIO wants to enact business innovation through process enablement via new technologies, and would rather spend money toward that end than in systems to simply protect what he already has. A great CIO pays attention to a few protocols and paradigms that hold true across emerging cyber security technologies that allow them to present little or no new risk.
Some emerging cyber security technology that’s soon to be in your enterprise if it isn’t already: Internet of Things (IoT), virtual assistants, deep learning and machine learning in general, cognitive technologies, and blockchain. Some of these can start to blur the lines between security and safety – for instance, self-driving automobiles are an immediate example.
To maximize the efficiency of traffic, it seems to me that robotic cars will interact with each other, traveling in fleets, or perhaps as if they were a school of fish. What happens, then, if a car malfunctions and threatens the group? Asimov’s 3 Laws of Robotics comes to mind:
- A robot may not harm a human or, through inaction, allow a human to come to harm.
- A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
- A robot must protect its existence as long as such protection does not conflict with the First or Second Law.
In addition to these is the Zeroth Law: a robot may not harm humanity or, through inaction, allow humanity to come to harm. Thus, if a path off a tall bridge would be the only way to protect the larger group, the robotic car would certainly go off the deep end. Quite a conundrum.
There are only a few critical security considerations, all human safety issues aside: Is the new tech a nicety or necessity – that is, will it constitute new critical infrastructure? Will it deal with sensitive data? If so, can that data have a value placed on it if it’s lost or leaked? Consideration should be made for these interests early on in the development of new cyber security technologies, else introduction of new risk threatens enterprise value rather than enhancing it.
Nicety vs. Necessity
Determine whether the new technological innovation would be nice to have, or if it’s critically important to have. Drivers of this determination are time and money, with money being the bottom line every time. Will implementation drive down payroll and facilities costs? Allow for remarkably faster time-to-market? These kinds of things will help you decide.
Use Beckstrom’s Law to get an idea of the value of a new technology: Value is worth the Benefit minus the Cost. If you’ll save so much time with a $10K investment that you actually save $100,000, it’s an attractive ROI.
If it amounts to new critical infrastructure, make sure it’s very resilient and optimally recoverable. Establish a Recovery Point and Recovery Time Objective from the very start. Plan for geographically separated redundancy, or depending on your risk appetite, simply buy two and have a hot spare. If it’s critical infrastructure, it’s going to cost you money every minute or hour it’s unavailable due to some unforeseen event.
Data exists in three states: At Rest, In Transit, and In Use. If the data is sensitive, it absolutely must be encrypted when it’s at rest (such as in a database) or in transit (en route to a user interface, being backed up, etc.). This is hardly an emerging technology consideration; it’s the way PII, PCI, and PHI should be treated for the past 15+ years – so an application of this kind of protocol should be widely accepted when new technologies are under consideration.
When it’s in use or being created, data is in the clear, and that’s when it’s vulnerable. Protecting endpoints with Next Gen Endpoint Protection (Carbon Black Defense and Response, for instance) mitigates this exposure. But what if it’s an IoT device, the OS of which has no EPP available? Consider whether the loss or leak of the data in question is worth the risk, and place tangible values on the determination.
Also, ensure that endpoints use multi-factor authentication to ensure they’re being used only by authorized individuals. If MFA isn’t available for the new or emerging technology you’re considering, delay the decision: if it’s something that represents a business necessity, it soon will accommodate MFA.
Virtual Assistants, i.e., remote contract help with office administrative tasking, is a growing field. Consider enabling that kind of function with VDI, or use Group Policy to ensure that sensitive data and content is only saved to a secure location over which you have control. Don’t have sensitive data residing on a contract worker’s Mac in their home office, for instance.
In most if not all scenarios, security’s mission of preserving enterprise value boils down to the protection of data. To be sure, availability attacks – DDoS, SCADA attacks like Stuxnet, grid vulnerabilities – are of high concern too, but much of the time, security preserves value by protecting data. Even fraudulent wire transfers amount to data transfer, protection of which leads to only authorized access being permitted.
In general, if there’s a robust and mature security practice in place already, a company will fare much better in evaluation and enablement of emerging technologies. Policy, process, and procedure will already be in place to ensure that:
- Critical Systems are Survivable in a measured way
- Data is protected in each of the three states and
- Access to sensitive data is controlled effectively with MFA.
These should be ingrained in the company’s culture.
Also, to take a cue from Social CyberSecurity: these are aspects of security to which everyone in a mature environment will pay attention. Social CyberSecurity has much to do with the psychology of compliance, motivating individuals and groups to pay attention and comply, if not participate actively, in security. For instance, when people disembark a plane in an unfamiliar airport, they’ll tend to go the direction everyone else is going. Facebook has conducted studies that show that if users are presented with new security options that state “50% of your friends are doing this”, the click-through rate is much higher for the new security settings. And, if you’re concerned about your company’s abilities to accommodate emerging technologies when considering your security capability maturity, contact Managed Security Services Providers like CIPHER. We’ll be happy to consult with you, help you to evaluate exactly what your security capabilities are, and shine a light on the things you can do to increase Security Maturity.
Dave Rickard is the Technical Director for CIPHER US.