Consider... American Authorities are confident that the Russian Government was behind the cyberattack on the Democratic National Committee. Did that attack change the course of the U.S. presidential election? We'll never know. But it definitely changed the discourse that followed. The idea of a foreign power mounting a cyberattack to undermine a U.S. election went from crazy tabloid conspiracy theory to bona fide front-page news.
A single cyberattack initiated ripples that ultimately rocked the foundations of democracy. Along the way, we were taught an incredibly important lesson: our problem isn't limited to the initial cyberattacks we face; our problem is the long tail of chaos they create.
As the opening keynote speaker at RSA Conference 2017, I discussed how security professionals could lead in a world where chaos constantly upends expectations and redraws boundaries.
This topic is especially relevant since the ripples of chaos spread farther and faster due to the astonishing ways in which technology connects us. For instance, recall that in mid-2015, two researchers found a way to disable a SUV while it was in motion. What happens when there are millions of autonomous vehicles on the road that can all be disabled at once, or can all be accelerated towards a single target? The idea of a cyber 9/11 suddenly becomes a lot less abstract.
Are the people working on new frontiers such as virtual reality, drones, or the latest application of artificial intelligence, considering how their designs could be exploited? Every advance in technology can and possibly will be exploited by someone. Human ingenuity is powerful.
Organizations must embrace innovation to compete in today's digital world. Innovations create startling ripples - with both positive and negative ramifications. How can security professionals manage through the chaos?
At RSA, we believe the first step is to adopt a business-driven security strategy - because security isn't just a technology problem; it's a business problem. Corporate executives don't care if an incident involves SQL injection or cross-site scripting. They need to understand the business impact. We can't have security folks on one side of the room and strategists, finance folks, and entrepreneurs on the other. It's not a middle school dance; people can't be afraid to mingle. The stakes are just too high.
At RSA, we call the inability to draw connections between security details and business objectives the "Gap of Grief."
To key to overcoming the gap of grief involves applying a broader lesson that is at the heart of innovation and advancement: don't draw lines that separate different fields; draw connections to bring them together.
Security professionals must draw connections across different functional areas to break through silos and put business context around threats to the organization. In particular, they must draw connections between technical security details and business impact involving areas that are relevant to the C-suite and board, such as operational continuity, intellectual property, reputation, compliance and more.
When implemented properly, business-driven security is crucial to helping companies compete in a digital world.
Now is the time for security professionals to drive important conversations with business leaders. In the coming days, reach out to leaders within your organization to hear about the challenges their unit is facing and the business objectives that are particularly important to them.
With this information as a backdrop, what do you think it will take to bridge the gap of grief in your organizations?
In my next blog post, I'll provide some concrete answers that will help you make business-driven security a reality.
You can read more on business-driven security here and here.