Cyber security as an enabler for innovation
Innovation is critical to the ability of any organisation to continue to compete against its peers by attracting elevated consumer and B2B spend. Smaller companies are typically seen as being more innovative or at least appear to innovate at a faster pace. Part of this is due to size; it is easier and faster to implement change for a speedboat than for a supertanker. Attempts to promote a culture of innovation, or indeed any change, in large organisations are inherently riskier, due to fears around reputational damage and shareholder value attrition, which in turn enforces a risk-averse culture that is less open to new explorations. Although size and ready cash reserves – the latter providing organisations with revenues to acquire smaller innovative companies – have historically protected huge companies from their relative lack of innovation, these may be less effective in the future. The pace of change appears to be accelerating, with an emphasis on an environment which promotes agility and novel trials, often through, or in close alignment with, technology.
Of course, technology is no longer a support function; increasingly it is an integral part of the organisation, or may, in fact, be the revenue-generating business itself. Given the importance of technology, modern corporations that fail to engage with the latest technology offerings will rapidly fall behind their peers in growth, revenue and profits, threatening their progress and ultimately their survival. At the same time, the introduction of new products, services or processes within an operational environment will invariably, at least in the short term, increase an organisation’s risk profile.
The issue of large organisational inertia can be addressed through the implementation of separate departments, division into smaller operating units and even spin-offs to accelerate innovation. In terms of operational risks, those relating to cybersecurity are becoming mainstays for organisations. Cyber breaches could hinder or close down operations through loss of valuable intellectual property, regulatory and contractual fines, litigation, and loss of clients due to reputational damage. Clearly, organisations are stuck between a rock and a hard place. However, there are things that organisations can do to reduce their risk exposure, including exposure to cyber security risks, and so aid innovation.
What should companies do?
1. Know where your assets are
Visibility of an organisation’s assets and the interconnections within its estate, including on-premises and cloud-based assets, helps provide confidence in the basis of your risk assessment. Thus, clarity on assets and good cybersecurity could become an enabler of innovation, rather than an inhibitor.
2. Use sandboxes and automation
Innovation involves trying new things, which will almost certainly have less predictable behaviours – but these trials can be conducted within ‘sandboxes’: closed, hopefully “safe”, environments built for testing new software and technology. These segregated environments can be closed down at a moment’s notice to reduce the attack surface associated with innovation. In the cloud, leverage the extensive automation and templating tool-sets now available to enable rapid build-up (with secure configuration) and tear-down of development and test environments, which in turn enables your real assets (your innovative, creative, agile people) to respond to new ideas (and associated threats) quickly and efficiently.
3. Prepare for the worst
Build security into your trial products from the get-go; don’t let it be an add-on. Include security testing in your test strategy, including inducing failures and fault states. Try so-called “chaos engineering” to stress-test distributed systems (especially those deployed to the public cloud) against real-world failure scenarios, which can and should include evaluating resistance to cyber attacks. Build “agile” and timely rejection and recovery capabilities into your infrastructure and application layers.
For a brighter future, the foundations have to be laid today. Organisations need to promote innovation and be innovative – including in preparing for the inevitable cyber risk that new technology faces. At the same time, organisations must continue to protect and support existing operations. Nevertheless, the direction is clear: good cybersecurity could be an enabler for innovation.
Dr Wendy Ng, CISSP, CCNP; 10th October 2018