Bad Idea: Cybersecurity Kills Innovation

Dan Lohrmann

Chief Strategist & Chief Security Officer at Security Mentor

08.06.2016 02:15 pm

Earlier this year, I was asked to participate in a Brookings Institute article series on the topic of “Ideas to retire” in public sector IT management. While the focus was on government, I believe that most of these topics relate to the private sector as well.  

The bad (and ugly) ideas discussed ranged from “Zombie technologies in the workplace” to “technology alone can improve student learning.” In each case, we were asked to offer an alternative solution / idea / concept.

Working with the Brookings editors, I chose to tackle the common misperception in many business areas that cybersecurity kills innovation. I am a strong believer that security must be an enabler to be effective. In fact, cybersecurity can (and should) enhance innovation. So here’s the problem and the solution as I see it….

The “security disables” paradigm plays out in a multitude of ways. Government project leaders leave security requirements off the list within top innovative priority projects and keep cyber professionals off mission-critical teams, thinking that innovation will be slowed. On other occasions, innovation projects may not get priority treatment because of security concerns.

Technology companies selling products and services also fall into the same trap. New application-specific functionality becomes the “must have” priority over security functions. Generally speaking, a “first to market” mindset is articulated, with a view that security can come later. Developers see the biggest opportunity in “cool new features” and business functionality rather than secure code that is penetration-tested and checked for security vulnerabilities.

Although history has shown that both public and private sector business leaders deploy new solutions with the mindset that security slows down innovative opportunities, the reality is the opposite. From Wi-Fi and cloud computing to mobile devices and social computing, security enhancements came long after initial deployments. Had better security been included from the start, the later costs incurred from vulnerability remediation and data breach cleanup would have been less.

One example of this was the deployment of Healthcare.gov, which was launched before proper security was in place in 2014. Critical vulnerabilities were missed, which if addressed could have improved the public’s perception of the overall project rollout.

A new mindset

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Cybersecurity is a primary responsibility for all developers, project managers, and end users. Also, the security of a product is a core functional requirement and as important as the most innovative feature that is marketed. Entrepreneurs who sell to government will be more successful if they sell secure products from version 1.0, rather than holding off and making security a 2.0 or 3.0 enhancement for later consideration.

Too often government leaders think of security as a disabler or an unnecessary evil that limits progress. Many government business leaders see cybersecurity as someone else’s job that slows them down and won’t get them promoted or lead to project success. An “us or them” mindset is common nationwide in federal, state and local governments when it comes to working with cybersecurity teams.

Oftentimes, security features are seen as expensive roadblocks that kill innovation or cost too much to implement. Even when security features are available, shortcuts are often taken that disable these capabilities. Integrators and system administrators are regularly asked to turn off security monitoring capabilities “just until we get things going.” Sadly, audit findings reveal that security is rarely re-enabled even years later.

Too many government technology and security teams spend their precious time recovering from incidents and data breaches and dealing with after-action reporting and response. While this work is important, the age-old saying “an ounce of prevention is worth a pound of cure” applies to cybersecurity.

Security is a critical part of the innovation solution

Changes in thinking are needed by several groups.

First, executives need to build security into government solutions from the start of projects and throughout the entire lifecycle. They should see cybersecurity as a tool that enables new possibilities to break down old barriers, and provide enough resources to ensure security is done right. While everyone must recognize security as part of their role, security ambassadors need to be included on key strategic project teams. Oftentimes, security is an afterthought for major projects, or security is added only after a data breach. This must change.

Second, an assessment and a prioritized inventory of innovative solutions, potential risks, and tradeoffs should be developed by a combination of technology developers and managers, with both public and private sector decision-makers collaborating on and sharing this assessment. In addition, staff training and education should be conducted in order to minimize attitudinal barriers identified in the U.K. by Cisco and other studies.

Third, security and technology professionals need to stop saying “no”, and instead strive to:

  • Offer workable alternatives to provide deliverables on time, on budget, with the right level of security.
  • Examine global best practices and innovative approaches to solve security and privacy concerns.
  • Empower new capabilities that will maintain trust with citizens and staff.

History repeats itself regarding technology and security. No doubt, the specific hardware, software, operating systems, frameworks, issues, vulnerabilities, and threats change daily. But whether we are talking about Wi-Fi or new technologies, the same fundamental challenge remains for technology and security professionals: Are you bringing problems or solutions?

Security teams can build more trust with enterprise staff by using a risk management approach to focus on the most serious situations. They can share compelling stories and real-world examples with end users in security awareness training, newsletters, and tips.

Fourth, new technology deployments in cutting-edge new areas such as big data, the Internet of Things, and artificial intelligence need to include security experts and practitioners from the start. The privacy and security implications of collecting various types of data should be reviewed from a holistic perspective, with experts from legal, HR, technology management, procurement, strategic planning and other business areas playing a role in determining how best to securely deploy innovative solutions.

Simply stated, security is a central component of innovation, as identified by the White House in their move to accelerate innovation in cybersecurity research and development.

There is an unavoidable, symbiotic relationship between innovation and security. The benefits of innovation are not possible without the risks.

However, effective security builds trust and is a win/win/win for the public sector, private sector, and citizens. If we are to improve trust in government, better security is an innovation imperative which starts with a different mindset towards developing secure applications and systems from the start.
