Slowing Innovation Should be a Cybersecurity Violation
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
Risks come in many forms. Going too fast, being reckless, or taking chances are easily recognized warning signs. But what about the other end of the spectrum? Is going too slow ever bad? I say yes, especially when it unnecessarily impedes productivity, innovation, and operational logistics, and intentionally creates frustration for users.
Recently, an Indiana state trooper, Sgt. Stephen Wheeles (@ISPVersailles), pulled over a slow driver in the fast lane. We have all been frustrated on the road by people sitting in the fast lane while going slower than the flow of traffic, which is why I love this story!
In accordance with a new state law that requires vehicles in the fast lane to move over if cars behind them are moving faster, Officer Wheeles (such a perfect name) stopped a car for this violation as about 20 cars were stuck behind it. He has instantly become a sensation on Twitter!
Cybersecurity
The lesson here goes beyond justice for every time I am on the freeway and find myself behind someone who doesn't understand the concept of a 'passing' lane; it applies to cybersecurity as well.
As security professionals we are here to find an optimal balance of risk. Far too often I talk with two opposing groups in the industry: security and product teams. Security wants complete perfection with the elimination of all vulnerabilities (which is impossible, by the way), while product teams just want to be free to innovate and rapidly share with the world without the burden of security assurance and oversight (which is reckless). Okay, that personification might be a little exaggerated, but neither position is perfect.
The point is, what we all rationally want is to find that right middle ground. It is tough, and the goal is doable, which is why a risk person is needed in the mix. Ultimately, we must find the optimal balance between security costs, residual risks, and end-user usability for any system. The security architects and engineers won't inherently seek such a compromise, and product developers won't pursue it independently. It takes a risk professional to bridge the gap, champion the cause, and show how the middle ground is best.
Risk Goals
In the end, being too slow or inefficient can unnecessarily inhibit innovation that provides great benefits. I am not advocating ignoring critical risks, but rather understanding the big picture. Far too often we are preoccupied with what 'could' happen and not realistic about what 'will' happen. Just because there is a chance that a meteor could come spiraling from the sky and crush you does not mean we should be looking into deploying meteor shields! (Yes, by the way, I was once in a risk meeting where that exact topic was discussed before I shut it down. I will save that for another blog.)
Managing risk is about understanding the threats, the likelihood of vulnerability exploitation, and the potential impacts. We must all move forward in the best way possible, realizing the ramifications of our decisions, both pro and con.
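The likelihood-times-impact reasoning above is usually made concrete with annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) and return on security investment (ROSI). The Python below is an added illustration, not code from Rosenquist's post: it ranks candidate controls by ROSI so that a well-funded fix for a frequent, moderate loss rises to the top while a "meteor shield" for a catastrophic-but-negligible-likelihood event is rejected. Every scenario, dollar figure and rate is constructed for the example.

```python
"""Rank security controls by annualized loss expectancy and ROSI.

Added example; the scenarios below are constructed, not drawn from any
real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float  # SLE: expected cost of one occurrence
    annual_rate: float             # ARO: expected occurrences per year
    control_cost: float            # annual cost of the proposed control
    risk_reduction: float          # fraction of ALE the control removes, 0..1

    def ale(self) -> float:
        """Annualized loss expectancy without the control."""
        return self.single_loss_expectancy * self.annual_rate

    def residual_ale(self) -> float:
        """Loss expectancy that remains after the control is deployed."""
        return self.ale() * (1.0 - self.risk_reduction)

    def rosi(self) -> float:
        """(loss avoided - control cost) / control cost.

        Negative means the control costs more per year than it saves.
        """
        avoided = self.ale() - self.residual_ale()
        return (avoided - self.control_cost) / self.control_cost


# Constructed scenarios (hypothetical figures).
SCENARIOS = [
    Scenario("credential phishing", 50_000, 2.0, 20_000, 0.80),     # MFA rollout
    Scenario("unpatched web app", 200_000, 0.5, 30_000, 0.60),      # patch SLA + WAF
    Scenario("meteor strike on the data center", 10_000_000, 1e-7,
             500_000, 0.99),                                         # "meteor shield"
    Scenario("laptop theft", 5_000, 4.0, 4_000, 0.90),              # full-disk encryption
]


def rank_controls(scenarios, min_rosi: float = 0.0):
    """Split controls into those worth funding (ROSI >= min_rosi), best first,
    and those rejected because they cost more than the risk they remove."""
    funded = sorted((s for s in scenarios if s.rosi() >= min_rosi),
                    key=lambda s: s.rosi(), reverse=True)
    rejected = [s for s in scenarios if s.rosi() < min_rosi]
    return funded, rejected


def report(scenarios) -> str:
    """Human-readable table of ALE, residual ALE and ROSI for each scenario."""
    funded, rejected = rank_controls(scenarios)
    lines = [f"{'scenario':<36}{'ALE':>12}{'residual':>12}{'ROSI':>8}"]
    for s in funded + rejected:
        tag = "" if s in funded else "  (rejected)"
        lines.append(f"{s.name:<36}{s.ale():>12,.2f}{s.residual_ale():>12,.2f}"
                     f"{s.rosi():>8.2f}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCENARIOS))
```

The meteor scenario has the largest single loss by far, yet its ALE is about one dollar a year, so a half-million-dollar control is rejected outright; the three everyday risks are funded in order of ROSI. Raising `min_rosi` models a tighter budget, and the residual ALE column is the "residual risk" the post says the business must consciously accept.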
Epilogue
...and pulling over slow drivers in the fast lane is a GREAT start! Sgt. Wheeles is my hero for the week! Hey California legislature, time to pass a similar law and get CHP to improve the flow of safe traffic across our highways.
Image Credit: Sgt. Stephen Wheeles / Twitter
Global Executive | Board Member | Public Speaker | Business and Digital Transformation | Cybersecurity Board Governance | Servant Leader, Advisor, Consultant and Coach
6y Matthew, great points! There is a spectrum of ultimate innovation (high risk from lack of security on the one side) to ultimate defense (high risk from losing market share due to product maturity and potentially stolen intellectual property on the other side). Using a risk framework with more appropriate weightings and balance is key. I also find that deciding the strategic, business direction first is crucial. Once we understand where we need to go, we can secure a bit more and then start getting traction as we move in that direction. To your point, why build meteor shields if it's not within our business strategy to head into space? The risk factor would be so low, it'd turn into a skunk-works project from a business value perspective. Upon knowing our strategic direction and having a mindset of securing with that in mind and a bit more, then, we can fan out product innovation a bit more (3 wide and 3 deep). We fan out product innovation with security in mind, to mitigate the risk of losing intellectual property in one place and not being able to come back quickly enough from a competitor making a move in the market with our own products (IP purchased on the Dark Web). The 3 deep (3 is an arbitrary number) refers to an organization's nimbleness in being able to shift on a dime in a coordinated fashion and go to market even faster to retain or regain their market share and potentially get ahead if they plan enough and execute correctly. Thank you for your post! I enjoy your writing!
Founder of OwlTree Logic
6y Great story and very salient points. With the constantly evolving nature of security there has to be a certain pace just to keep up, much less stay ahead, along with balancing risks vs. costs.