PanAm Risks, Asymmetric Warfare & the Cybersecurity Responsiveness Gap (Part 2)
Dr. Richard Ramyar
Director + CTO | Google Cloud Consulting | #DisabilityAmbassador #Strategy #Digital #CyberSec #GCP #AIML #GenAI #CloudArch #PhD #LLB #Regs #FinEcon | #VisitingScholarHonorary @LIBF | @DoctorsWithME Professional Assoc
Vulnerability to the cybersecurity responsiveness gap?
The second article of this three-part series introduces how understandable failures to embrace end-to-end innovation solidify the unseen cybersecurity responsiveness gap.
The previous article introduced the Log4j cybersecurity incident, which dramatically shone a light on business and national security risks that are greater than many realise. The third article will consider the roles of the authorities, markets, lenders and data providers to avert PanAm-like harm and to nudge the entire economy away from eventual real damage. It also addresses financial services' failure to lead the open source ecosystem. These issues affect enterprises across services and physical goods industries, with given examples specific to financial services.
Nefarious hackers are not sympathetic to your challenges
This article’s considerations must be caveated by realism. There is no one-size-fits-all and clean slates are hard to come by. But that can never become an excuse. Cybersecurity and technological opportunities are both never-ending challenges. While open discussion identifies required end states, roadmaps to success will always be shaped by starting points. Institutions with legacy technical debt that would be at home in the dial-up internet era cannot be compared to the nimblest of startups. A cloud-native security posture is several steps away for some firms. Nonetheless, black-hat hackers do not charitably pass by opportunities merely because an organisation deserves sympathy for tech sprawl that predates responsive tools and processes.
"hackers do not charitably pass by opportunities, merely because an organisation deserves sympathy for tech sprawl"
Failure to embrace end-to-end innovation neuters cybersecurity
In days gone by, no executive used a computer themselves. Those days have more than passed. Every business is now a technology business, especially in financial services (even for the most people-centric firms). This requires a corollary across the boardroom – not just delegated by it – with implications for competitiveness, operational resilience and cybersecurity. The consequences run top to bottom, from c-suite headhunters to rotating tech employees into non-CIO/CTO roles and vice versa. Just as financial services knowledge is a given, sufficient technological intuition cannot be optional in a technology business.
"every business is now a technology business, especially in financial services... this requires a corollary across the boardroom – not just delegated by it"
Most boards do know that innovation ideally blends nimble footing and velocity of continuous improvement. Getting this right in practice depends on cloud-native technology automation of modern systems. By avoiding traditional manual approaches (even off-cloud or with proprietary systems), entire technologies can be innovated, torn down, tweaked or rebuilt with relative ease and no business downtime. This means that cybersecurity threat-response is also cut from months to hours in extremis. Modern practice “shifts security left” into the innovation process itself, architecting for risks from the outset, no longer leaving them to others. All with an “infrastructure and policy as code” approach granting rapid ‘tweakability’, directly auditable by compliance and security teams (contrast this with firms not rapidly knowing where they were impacted by Log4j, and many developers still downloading vulnerable versions months later).
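The "policy as code" audit the paragraph describes, shown as an added example (not code from the article or its author): a small check that runs over a constructed artefact inventory, such as an SBOM export would provide, and reports every service still shipping a Log4j build below an assumed policy threshold, so compliance and security teams can answer "where were we impacted?" in minutes rather than months. The inventory, the service names and the minimum version of 2.17.1 are assumptions for illustration.

```python
"""Policy-as-code check: which services still run an out-of-policy Log4j?

Added example, not from the original article. Assumes a constructed
inventory of deployed artefacts (service, Maven group, artefact, version)
and a policy threshold of log4j-core >= 2.17.1; Log4j 1.x is end-of-life.
"""
from typing import Dict, List, NamedTuple, Tuple


class Artefact(NamedTuple):
    service: str
    group: str
    name: str
    version: str


# Constructed sample inventory; service names are not real systems.
INVENTORY = [
    Artefact("payments-api", "org.apache.logging.log4j", "log4j-core", "2.14.1"),
    Artefact("payments-api", "org.apache.logging.log4j", "log4j-api", "2.14.1"),
    Artefact("ledger-batch", "org.apache.logging.log4j", "log4j-core", "2.17.1"),
    Artefact("kyc-portal", "org.apache.logging.log4j", "log4j-core", "2.15.0"),
    Artefact("kyc-portal", "log4j", "log4j", "1.2.17"),
]

# Assumed policy threshold for the Log4j 2.x core library.
MIN_SAFE_LOG4J2: Tuple[int, ...] = (2, 17, 1)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def violates_policy(a: Artefact) -> bool:
    if a.group == "log4j" and a.name == "log4j":
        return True  # Log4j 1.x: unsupported, no fixes forthcoming
    if a.name == "log4j-core":
        return parse_version(a.version) < MIN_SAFE_LOG4J2
    return False  # log4j-api alone is not the vulnerable component


def audit(inventory: List[Artefact]) -> Dict[str, List[str]]:
    """Return service -> offending 'artefact:version' entries for the audit log."""
    findings: Dict[str, List[str]] = {}
    for a in inventory:
        if violates_policy(a):
            findings.setdefault(a.service, []).append(f"{a.name}:{a.version}")
    return findings


if __name__ == "__main__":
    for svc, items in audit(INVENTORY).items():
        print(f"{svc}: {', '.join(items)}")
```

The same function can be wired into a CI pipeline so that a deployment is blocked, and the finding recorded, the moment an inventory entry falls below the policy threshold.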
"security responsiveness is dramatically impossible without the levers that modern innovation also depends on, making the cybersecurity responsiveness gap inevitable for many"
Nonetheless, practical reality means that state-of-the-art technology processes often face a glass ceiling. Continuous innovation is often deprioritised by ground level firefighting or wrangling legacy systems. Practicalities can limit modernisation. Critically, this means that security responsiveness is dramatically impossible without the levers that modern innovation also depends on, making the cybersecurity responsiveness gap inevitable for many.
As written in Part 1, awareness of a software vulnerability is just the starter shot. An inability to then neuter existential risks quickly is a foreseeable event and thus a board, shareholder and regulatory concern. Any apparent obscurity of this existential topic is part of the problem, stunting accountability and opportunities.
Learn from the pandemic to free up planning and retain talent
An apparently reasonable business assumption is that independent standards and regulators will guide change – and that this problem can be left for information and compliance teams. Nonetheless, standards-adherence alone is unlikely to grant a business a responsive technology stack. ISO, FIPS, CSA and other standards do exist and regulators will always push for cloud best practice. Yet principles-based regulatory approaches require firms to consider state of the art processes and capabilities. This leaves much open to interpretation, let alone the rapid pace of change and legal implications of failing to comply sufficiently.
"standards alone leave much open to interpretation... there is no substitute for front-of-mind board-level understanding of the cybersecurity responsiveness gap"
These interpretations are mainly left to the CIO/CTO office, who are largely forced to justify existing and future budgets to the board in reactive cost terms. That does make a career imperative of rarely asking for budget increases, especially post-subprime. Understatement or fears of being a Cassandra also carries risks. As evidenced by pandemic preparedness policy, budget-givers can wrongly see risks as unforeseeable black swans, rather than the foreseeable future events that they are.
There is no substitute for front-of-mind board-level understanding of the cybersecurity responsiveness gap to free up discussion. Open discussion would not only free teams to deliver budget plans for cyber-prepared responsiveness. Responsive systems automation will also facilitate continuously nimble innovation that retains high-value staff, who may otherwise be attracted to state-of-the-art firms.
Part 3 of 3 to follow…
© Richard Ramyar 2022
Visiting Scholar (Honorary) @ The London Institute of Banking and Finance / LIBF Centre for Governance, Risk and Regulation / LIBF Centre of Digital Banking and Finance
Third party use of the term "cybersecurity responsive gap" is welcome
Views are mine and not necessarily those of any employer, client or other associated organisations
See https://www.wipro.com/cloud and https://www.wipro.com/cybersecurity for associated services
Richard Ramyar, 2 years ago: Raising more flags, VMware servers are under active Log4j attack by Iranian state hackers. Vulnerabilities in the VMware Horizon virtualisation product that come from #ApacheTomcat are being exploited to spy, open backdoors and steal authentication credentials. https://arstechnica.com/information-technology/2022/02/iranian-state-hackers-are-using-log4shell-to-infect-unpatched-vmware-servers/
Richard Ramyar, 2 years ago: “We hope to leverage the muscle memory that we've created through #Log4j to apply to potential activity coming out of the #Russia-#Ukraine crisis.” Will Director Jen Easterly's comments (US Cybersecurity and Infrastructure Security Agency) on Log4j and the #UkraineCrisis be fully heeded? Also to account for the very underestimated #CyberSecurityResponsivenessGap discussed in the above post series? Or will that national security risk be left open? https://www.wired.com/story/russia-ukraine-cyberattacks-spillover/
Richard Ramyar, 2 years ago: The articles are specifically for a non-tech audience and do not go into the hard technological issues. We can do that in the comments...
Richard Ramyar, 2 years ago: Timothy Peacock Phil Venables Alison Andrews Reyes Iman Ghanizada Anton Chuvakin Stephanie Wong Richard Ashby Gilles Gravier Alan Dodd Manish Bhushan Ramachandran Padmanabhan Harpreet Arora Tony Buffomante Google Cloud Wipro Wipro Digital OpenSSF The White House European Commission DG CNECT Department for Business, Energy and Industrial Strategy (BEIS) National Cyber Security Centre Department for Digital, Culture, Media and Sport (DCMS) Financial Conduct Authority Bank of England The London Institute of Banking & Finance European Securities and Markets Authority (ESMA)