It turns out that today's approach to cyber security is profoundly wrong, but the good news is that it's not your fault. Instead, it's the fault of an old IP-type of mindset of protecting devices through design and layering on more protection. In the New IP world, to get cyber security right, companies should focus on understanding where their value lies and then protect it.
This eye-opening insight came from Scott Borg, chief economist of the US Cyber Consequences Unit, who spoke at The New IP event in San Jose, Calif., on February 19. The US Cyber Consequences Unit is an independent, non-profit research institute that advises corporations and governments on the strategic and economic consequences of cyber attacks. And according to Borg, the unit has been able to anticipate every significant cyber security threat for about 12 years. "We haven't missed one."
Borg said today's companies don't understand the value of what they are protecting and how that value matches up with the different profiles of cyber attackers. "You need to know what they are coming after," he said. "The solution is not to layer on more defensive tools but to change the way you are carrying out an operation."
The mind shift required is one toward "cyber security as an enabler of value creation," according to Borg. "Today we are not organizing cyber security to defend things that matter or changing how we are going to do things differently in the future," he said. "Most people have not had the opportunity to do cyber security right, even if you are the guy or gal who your cyber security team reports to, because our whole approach is profoundly misguided."
Instead, he said, there are three ways in which companies should approach cyber security:
- Cyber security needs to protect the way we create and distribute value. Today cyber security teams don't know how their companies create value -- whether it's through customer experience or manufacturing or systems and equipment -- and they don't know how to protect those things.
- Cyber defenders need to understand what they are defending against. They need to know who is out there, what their capabilities are, what they are going to try to do, and what kind of attacks they will attempt. "Hardly anybody is doing that kind of threat analysis today," said Borg. "Threat analysis today doesn't talk about the different groups of attackers, or how to tell if a company is in the sights of those attackers."
- Cyber security needs to be directed at the future, not the past. Not only do you need to be looking at what attacks are coming, you have to be looking at how you are going to be deploying systems in the future to create value.
Ultimately, Borg says, companies today are not organizing their cyber security to defend the things that matter. (See Cyber Security Expert Warns: You're Doing It Wrong.)
— Elizabeth Miller Coyne, Editor, The New IP