Bad Idea: Cybersecurity Kills Innovation

Dan Lohrmann

Chief Strategist & Chief Security Officer at Security Mentor

08.06.2016 02:15 pm

Earlier this year, I was asked to participate in a Brookings Institute article series on the topic of “Ideas to retire” in public sector IT management. While the focus was on government, I believe that most of these topics relate to the private sector as well.  

The bad (and ugly) ideas discussed ranged from “Zombie technologies in the workplace” to “technology alone can improve student learning.” In each case, we were asked to offer an alternative solution / idea / concept.

Working with the Brookings editors, I chose to tackle the common misperception in many business areas that cybersecurity kills innovation. I am a strong believer that security must be an enabler to be effective. In fact, cybersecurity can (and should) enhance innovation. So here’s the problem and the solution as I see it….

The “security disables” paradigm plays out in a multitude of ways. Government project leaders leave security requirements off the list within top innovative priority projects and keep cyber professionals off mission-critical teams, thinking that innovation will be slowed. On other occasions, innovation projects may not get priority treatment because of security concerns.

Technology companies selling products and services also fall into the same trap. New application-specific functionality becomes the “must have” priority over security functions. Generally speaking, a “first to market” mindset is articulated, with a view that security can come later. Developers see the biggest opportunity in “cool new features” and business functionality rather than secure code that is penetration-tested and checked for security vulnerabilities.

Although history has shown that both public and private sector business leaders deploy new solutions with the mindset that security slows down innovative opportunities, the reality is the opposite. From Wi-Fi and cloud computing to mobile devices and social computing, security enhancements came long after initial deployments. Had better security been included from the start, the later costs incurred from vulnerability remediation and data breach cleanup would have been less.

One example of this was the deployment of Healthcare.gov, which was launched before proper security was in place in 2014. Critical vulnerabilities were missed; had they been addressed, the public’s perception of the overall project rollout could have been better.

A new mindset

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Cybersecurity is a primary responsibility for all developers, project managers, and end users. Also, the security of a product is a core functional requirement and as important as the most innovative feature that is marketed. Entrepreneurs who sell to government will be more successful if they sell secure products from version 1.0, rather than holding off and making security a 2.0 or 3.0 enhancement for later consideration.

Too often government leaders think of security as a disabler or an unnecessary evil that limits progress. Many government business leaders see cybersecurity as someone else’s job that slows them down and won’t get them promoted or lead to project success. An “us or them” mindset is common nationwide in federal, state and local governments when it comes to working with cybersecurity teams.

Oftentimes, security features are seen as expensive roadblocks that kill innovation or cost too much to implement. Even when security features are available, shortcuts are often taken that disable these capabilities. Integrators and system administrators are regularly asked to turn off security monitoring capabilities “just until we get things going.” Sadly, audit findings reveal that security is rarely re-enabled even years later.

Too many government technology and security teams spend their precious time recovering from incidents and data breaches and dealing with after-action reporting and response. While this work is important, the age-old saying “an ounce of prevention is worth a pound of cure” applies to cybersecurity.

Security is a critical part of the innovation solution

Changes in thinking are needed by several groups.

First, executives need to build security into government solutions from the start of projects and throughout the entire lifecycle. They should see cybersecurity as a tool that enables new possibilities to break down old barriers, and provide enough resources to ensure security is done right. While everyone must recognize security as part of their role, security ambassadors need to be included on key strategic project teams. Oftentimes, security is an afterthought for major projects, or security is added only after a data breach. This must change.

Second, an assessment and a prioritized inventory of innovative solutions, potential risks, and tradeoffs should be developed by a combination of technology developers and managers. Both public and private sector decision-makers should collaborate on and share this assessment. In addition, staff training and education should be conducted in order to minimize attitudinal barriers identified in the U.K. by Cisco and other studies.

Third, security and technology professionals need to stop saying “no”, and instead strive to:

  • Offer workable alternatives to provide deliverables on time, on budget, with the right level of security.
  • Examine global best-practices and innovative approaches to solve security and privacy concerns.
  • Empower new capabilities that will maintain trust with citizens and staff.

History repeats itself regarding technology and security. No doubt, the specific hardware, software, operating systems, frameworks, issues, vulnerabilities, and threats change daily. But whether we are talking about Wi-Fi or new technologies, the same fundamental challenge remains for technology and security professionals: Are you bringing problems or solutions?

Security teams can build more trust with enterprise staff by using a risk management approach to focus on the most serious situations. They can share compelling stories and real-world examples with end users in security awareness training, newsletters, and tips.

Fourth, new technology deployments in cutting-edge new areas such as big data, the Internet of Things, and artificial intelligence need to include security experts and practitioners from the start. The privacy and security implications of collecting various types of data should be reviewed from a holistic perspective, with experts from legal, HR, technology management, procurement, strategic planning and other business areas playing a role in determining how best to securely deploy innovative solutions.

Simply stated, security is a central component of innovation, as identified by the White House in their move to accelerate innovation in cybersecurity research and development.

There is an unavoidable, symbiotic relationship between innovation and security. The benefits of innovation are not possible without the risks.

However, effective security builds trust and is a win/win/win for the public sector, private sector, and citizens. If we are to improve trust in government, better security is an innovation imperative which starts with a different mindset towards developing secure applications and systems from the start.
