How cyber is shaping the future.
Many organisations overlook the risks associated with connecting existing technologies already in their environments. The attack surface increases across the entire ecosystem.
Dana Spataru, Global Cyber Emerging Technology Leader, Deloitte Cyber
Connecting the emerging technologies spectrum Headlines often focus on cutting-edge technologies like quantum computing, 5G and digital twins but the full spectrum also includes brownfield technologies, like operational technology, that have existed for decades in the manufacturing environment. What’s “emerging”, whether the technology is brand new or has long been deployed, is its connection to the Internet and how the physical and digital worlds are becoming connected in nearly every way imaginable. We’re witnessing a digital metamorphosis across everything from medical devices to transportation to agriculture and beyond. Not only is it transforming the way we make and use almost everything, but it brings security risks that were never conceivable before. When CIOs and CISOs ranked what will drive their adoption of emerging technologies in the next three years, security capabilities came out on top (64%), followed by enhancing data privacy capabilities (59%) and compliance capabilities (50%).
Traditionally isolated from the Internet, the Operational Technology (OT) space has recently experienced waves of ransomware attacks. The immediate impact on production has drawn attention to the vulnerabilities of connectedness, a situation exacerbated by COVID-19 as more companies have opted to remotely manage plants and equipment. It’s important to understand that all connected ecosystems, whether for medical devices, vehicles, or even entire cities, share similar risk characteristics. Medical devices may have been built for old on-premises platforms in hospitals but are now used at home via the Internet. Electric cars—expected to rapidly replace fossil fuel-powered fleets across the globe—often require connectivity for enablement. These connected vehicles need parts from a slew of geographically dispersed suppliers who may not have built security into their components. As cities connect more of their services and critical infrastructure, they are partnering with numerous third parties from cloud providers to platform owners. In every situation the attack surface grows, risks multiply and responsibility blurs.
For small all-digital organisations, a single view of cyber risk is still possible. In the short term, for larger entities with complex interconnected ecosystems that’s no longer a reality. The solution is letting each party assume security responsibility and accountability for the processes under its purview. When everybody is effectively covering their part of the ecosystem making that more secure, overall risk reduces, even if there is no holistic view of it.
The speed with which entities can do that differs based on the type and complexity of technologies, but the idea is to effectively cover the basics of security and safely share information. Right now, the fix is simple. Over the long run, organisations should keep in mind there is a lot to gain in efficiency and effectiveness if processes are aligned between areas. The sooner that alignment happens, the faster higher security maturity can be reached. Both centralised and decentralised models can be effective but they should ultimately combine into an integrated single cyber risk view.
From a governance standpoint, emerging technology stacks can be very complex, but someone needs to own the security agenda. Having board recognition and support helps facilitate not only acquiring and managing technology but creating the right strategic partnerships. What’s making this easier is that unlike traditional IT, emerging technology is closely connected to the core business.
For example, if a manufacturing business experienced a cyberattack on its OT, it’s easy to see how this would quickly become a problem beyond the CISO. With production grinding to a halt, the head of operations would be immediately concerned, revenue loss would pull in the CFO and CEO, negative publicity would afflict the CMO and so on.
The mirror image of the above scenario is that emerging technology makes the positive impact of cybersecurity more apparent to business leaders. If a CEO wants to sell more products building security into them makes them more appealing in our increasingly connected world. The focus shifts from security as a cost to seeing it in terms of value creation. This enables conversations about how reducing downtime leads to improved processes. Security, of course, is necessary and although it underpins the discourse, it becomes the secondary argument.
Despite the general belief that recent major cyberattacks are the result of increased sophistication, most of them are actually happening due to a lack of basic security controls and hygiene. It’s not necessarily complicated.
DANA SPATARU, GLOBAL CYBER EMERGING TECHNOLOGY LEADER, DELOITTE CYBER