Tim Li is a principal at Deloitte Risk & Financial Advisory and Deloitte & Touche LLP and leads Deloitte’s Strategic Growth Cyber portfolio for federal, state and local governments and higher education institutions.
Cybersecurity incidents continue to make headlines, challenging public agencies in the US to modernize cybersecurity defenses to protect citizens and the country.
The recent Executive Order (EO) on Improving the Nation’s Cybersecurity calls for the federal government to “improve its efforts to identify, deter, protect against, detect and respond to these actions and actors.” As cyber challenges evolve in complexity and scale, they create multi-faceted challenges for government.
So, while the EO lays out a solid foundation of recommendations, organizations should also take heed of the following considerations as they evolve their future cyber thinking:
- Enable trust as the foundation for collaboration. The EO calls for the private sector to share information with government to improve overall cyber situational awareness. However, there are challenges in facilitating this type of information sharing. Organizations need to work with government to define what information is shared and how. But perhaps most critically, cultural challenges and market disincentives pose a distinct barrier to information sharing, which requires bi-directional trust, achieved when both parties feel they benefit from sharing information, or even omni-directional trust, where entities feel that the information they share benefits the broader industry. Cultivating this sense of shared responsibility creates a culture where organizations work together to help protect all of us against shared adversaries.
- Shift from situational awareness to situational understanding of the cyber landscape. The cyber industry is inundated with information (e.g., vulnerabilities, threats, other intelligence). As this information is aggregated together, consumption can become overwhelming. Organizations need to think about how they derive insights from this data, contextualize those insights to create understanding and ultimately drive risk-based decision-making and action. Typically, the best insights are not derived from siloed information; creating use cases for correlating data to identify new insights is critical. Next, applying the appropriately tailored views helps to derive what those insights mean. These views could be for different stakeholders, different situations or even different points in time. This contextual view helps cyber leaders make informed risk decisions in real-time to help their organizations execute mission-critical activities without suffering from information paralysis.
- Reimagine connection across an ecosystem. Knowing your suppliers and third parties is critical to understanding potential cyber risks that may be multiple degrees of separation away. However, organizations should start thinking even beyond their supply chains. Consider a car’s side mirror and the disclaimer “objects in the mirror are closer than they appear” — this warning could not be more appropriate. For example, a major commercial retailer and a federal agency may have no direct connection or relationship. However, both may have users whose self-registered credentials are common to both. If the retailer gets hacked, the agency may also be at risk due to the exposure of common credentials. This example introduces the idea of “users-as-a-connection,” where a user may be linking two organizations that are oblivious to, and have not consented to, such a connection. Recognizing this intersectionality and enabling capabilities to curate, share and consume advanced risk signals can provide leading indicators for organizations to proactively turn unknown risks into known risks.
- The convergence of the cyber and physical worlds is here. The age of ubiquitous connectivity has arrived — there is no longer a separation of the cyber and physical worlds. Cyber physical systems (e.g., smart grids, industrial control systems) that support critical infrastructure are now connected and, thus, potential targets for compromise from anywhere in the world. These cyber physical systems are often engineered for long life spans (years), incongruent with the rapidly changing cyber threat landscape. Due to system complexity and limited allowable downtime, they are also more difficult to patch or update, making them extremely vulnerable to incidents that could have a significant impact. Organizations need to rethink how they design, test and monitor these systems. They are vastly different from traditional information technology systems — one simply can’t use the same people, processes and technology and expect similar desired outcomes.
- Never trust, always verify. The EO highlighted the importance of zero trust principles and asked agencies to develop strategies for implementation. These principles are not new, but successful enablement requires a different mindset to apply them. Zero trust is ideally implemented for specific and granular use cases, requiring collaboration across an organization between cyber, IT, application, business teams, etc. If any of these stakeholders are out of sync, it will be difficult to implement zero trust principles in your environment. Yet what is most interesting is the paradox created around trust. Our first consideration defined the need to establish trust to support collaboration. However, in this consideration, we emphasize how one can’t assume trust exists, hence the need to change how cyber capabilities are implemented and operate with a zero trust assumption. These considerations and concepts are not mutually exclusive, and both can be true, creating complex dynamics around trust. That’s why the “future of trust” is so critically important for the “future of cyber.”
By taking into account these considerations, agencies can amplify the foundation laid out by the EO and continue moving forward into the future of cyber. Rethinking traditional approaches to cybersecurity must start now.
We appreciate your interest in this article and are pleased to grant CyberScoop permission to include it in their publication on August 18, 2021.