Cyber, Culture and the Cloud
How I think I am on the left, how others perceive me on the right.


The cyber security industry is poised for strong growth in the coming years, as increased threats and the rising cyber security expectations of users and governments drive a new wave of need. Whilst this is good news for those providers who are delivering a modern cyber security capability, many CISOs are identifying a desire for change in the way cyber security is being delivered. The pandemic has meant we've reached the cyber breaking point, and we need to facilitate that change in order to deliver better cyber security outcomes.

Whilst I am a cyber security CTO and Master Inventor, I also have the unusual distinction of being a trained and certified Culture Coach at IBM (under a program delivered by Human Synergistics). Many people I talk to about this program are familiar with the colours: blue refers to a constructive engagement style, green to passive/defensive styles and red to aggressive/defensive styles. On the journey to becoming a culture coach, one learns about the behaviours that individuals and teams exhibit in delivering positive (and negative) outcomes. For interest, my charts are above: how I feel about the way I engage versus how others experience that engagement. On the back of so many meetings in the past three years with clients, partners and industry, I wanted to consider what the culture in cyber security feels like today and what fundamentals could help to enable the change being asked for. On a wet and cold December weekend in Australia, I decided to put thoughts to print...

Any client I speak to recognises that the way cyber security has been done in the past decade cannot be sustained under the current pressures. Unfortunately, it's human nature for people to work within their comfortable and conventional ways, and such an approach makes us predictable. This is not exactly a good thing when you're fighting to defend your environment against growing threats.

Whilst we are in the middle of a skills crisis (and a pandemic!), organisational dependency on the few has left many lacking the confidence to consider cyber security transformation change. Suppliers and individuals providing services are then in a position of power to drive oppositional behaviours, which ultimately smothers any desire for change. The passive/defensive mindset may be supported by a fear that failed change programs will be fodder in the case of an organisation being breached.

Compliance programs themselves have good intentions in raising the water line across the industry, but they leave room for a rewards program for innovative change. After all, in a compliance-driven environment, a positive compliance result is not just a governance mandate but is also insurance in the case of a breach. In an environment where breaches are almost certain (even at the best cyber security companies), innovative advances need to find new ways of working to deliver demonstrable incremental advances whilst maintaining any compliance obligations. Herein lies the opportunity.

Over the past 5 years, digital transformation has delivered widespread, and often exponential, commercial benefits at a lower cost. Adoption of modern practices has changed the way that information technology is delivered through the cloud. Although the cloud started out as a place where applications were hosted and run, people soon realised it was the adopted practices that deliver that accelerated value. We are now at the point where microservices-oriented solutions can respond to and recover from operational challenges, scale up and down automatically and run anywhere across an open environment at lower cost. Incredibly, we are now considering how these workloads can be moved to compute at the edge. It is the combination of how compute is delivered, the architectural flexibility, and the way that development and operations (devOps) engage that has fundamentally shifted the financials in delivering better IT.

Information security programs are thirsting for this kind of transformational change. Whilst change is hard, avoidance has made monolithic practices an acute pain point in terms of cost. Modern cloud practices have delivered clear cost efficiencies in IT, so why not across cyber security? In one example, it seems inconceivable to a modern devOps professional that best-practice security detection relies on copying, moving and analysing security data in a central place. It's simply unsustainable to rely on practices that the IT landscape divorced years ago to drive cyber security threats out of information technology environments. We also need to recognise that compute will need to run in multiple clouds, and we need to move towards proactive cyber threat identification, hunting and remediation.

This is all easy to say, but where do we start? The good news is that modern cyber security platforms are emerging to help facilitate this change, and organisations are now considering how to introduce new modern practices into working environments. As with digital programs, with a constructive mindset applied, it will be the combination of the two that will imagine, design and deliver agile, incremental examples of the possible. That's where my personal support for cross-organisational skills in cyber security lies: diversity will lead to breakthrough moments. We just need to find the right point to get started, executive support and strong affiliation across programs. After all, cyber is a team sport.

What I have learnt, and what I have felt in the client meetings over the past 12-18 months, is that the desire for change is upon us. As an industry, clients and vendors alike, we need to work together strategically to define incremental change programs that deliver lower-cost, higher-value outcomes whilst meeting compliance demands. We need to recognise that cultural change is a critical part of this, that individuals should be convinced that re-skilling to modern practices will only help to accelerate their value over time, and that every organisation will need these transformational skills moving forward. If the skills and competencies of affiliated vendors are not demonstrating this change to you, it's time to make the investment yourself.

In some ways, this is the architectural battle that IBM's CEO talks about. Whilst the Red Hat OpenShift platform might not be known to everyone in cyber security, it is the foundation of our strategic approach to modernising IT security. This open, cloud-oriented platform is designed to help clients get the most out of their existing tools, leave the data where it lies, and allow customers to design their own devOps-oriented threat management and zero trust programs. As workloads move more and more to hybrid/multi-cloud, IBM wants to help clients openly connect the data and the workflows so they can orchestrate use cases that deliver to their specific needs. But taking on this journey will require a constructive discussion within your organisation, something to ponder as we close out 2020.

Until I meet you all again, I wish everyone a safe and joyous holiday season. 

Sunil Kumar Nair

Service Delivery Manager | Driving IT Excellence & Innovation | Customer-Centric Leadership | Strategic Client Partnerships | Artificial Intelligence (AI) & Digital Transformation

6 months

Thanks for sharing such a thoughtful post. Chris Hockings Your perspective on the cultural aspects of cybersecurity, particularly the passive/defensive and oppositional behaviors that can hinder transformation, truly resonates.

Ian Markram

IT Professional Services Coach @ Loading Growth | Coaching IT Entrepreneurs

4 years

Great article Chris, you've outdone yourself!

Denny Wan

A global thought leader in Reasonable Security and data-driven Risk Decision. A Cyber Security Risk Expert, podcast host and Public Speaker. CISSP, ISO 27001LA, PCI Professional, Open-FAIR, Open Group Security Forum

4 years

Chris, thanks for your insights. As an ex-IBMer, I resonate with the colour coding of blue symbolising a constructive engagement style. An important trait of this engagement style is the focus on fostering consensus and improving human communications, particularly between the business and cyber risk leaders. It is not always possible to arrive at a consensual position. But merely 'agreeing to disagree' is an important stepping stone by highlighting these areas of disconnect. This is where The Open Group FAIR cyber risk quantification framework helps in bridging these areas of disconnect by providing a consistent and transparent methodology to express cyber risk in dollar value. The NISTIR 8286 standard, connecting cybersecurity to Enterprise Risk Management (ERM), is a blueprint for connecting enterprise Risk Register items with operational cyber risk management decisions and driving fine-grained investment thresholds. The recent global partnership between IBM and RiskLens is a testimony to IBM's global security leadership in plugging this important communication gap in the security cultural transformation journey, pivoting from a compliance-based to a risk-based approach.

Adrian Bole

Director at IdentityXP | Identity strategy, architecture and implementation

4 years

Brilliant piece Chris - I read it twice!

Sarah G.

Counsel @ IBM Australia (Complex Technology Deal Negotiation; Regulatory Compliance; Privacy and Data Security; Fintech)

4 years

What an insightful article Chris Hockings!
