A reflection on Cybersecurity awareness
October is cybersecurity awareness month.
The National Cyber Security Alliance (NCSA) kicked off its awareness campaign this week with a day-long global launch event. SAP is glad to be part of the champion organizations supporting this year’s initiative. In this blog post, I will share three takeaways I learned from the event, along with my thoughts and perspectives on raising cybersecurity awareness.
Attackers and hackers are doing a much better job of coordinating than we are. Compared to the underworld, we often lag behind in our coordination efforts. Looking back at any ransomware attack or data breach this year, we see that hackers can often inflict large-scale damage within a short period of time. We can blame this on a staged and diligently planned attack, yet the root cause is often identified as a lack of coordination (and in almost all cases, a delay in vulnerability patching).
Awareness is needed while artificial intelligence cannot yet replace human intelligence. Advances in artificial intelligence and machine learning open up opportunities to manage cybersecurity by machine in the future. Yet the boundary between human and machine in the future of security remains unclear. Can machines manage security parameters entirely? This can be an ideal state, because malware is able to replicate itself autonomously after all. Until then, human awareness is still necessary as human intelligence remains an impeccable asset to security.
Security companies ought to rethink their portfolio strategy. Security companies today may be getting security all wrong. Products today often compete on features and amount of data. In the end, customers lose the big picture when they have to manage a myriad of products that don’t align with one another. Otherwise, companies compete on the amount of data, like malware vulnerabilities or exploit data. There are insufficient (and sometimes entirely absent) business insights or analytics to harvest value from the data.
Security is not a one-time event; risks need to be managed continuously. We should not expect to solve security one day. While at a customer site, I was told by an organization’s CISO that he knows he will get hacked. He just doesn’t know when. It’s not a way of accepting defeat. Instead, it’s a paradigm shift: we need to recognize that cybersecurity will remain relevant as long as cyberspace is around us. Cybersecurity needs to be managed like a risk profile, with ongoing commitment and as a priority.
The value of awareness goes beyond educating users about the threats and risks in cyberspace. In fact, it is for everyone. In a recent industry meeting, I was discussing the future of security and the role of policy makers in cybersecurity. The discussion soon became one of ‘who knows best’ how to manage cybersecurity. Indeed, our policy makers may face a daunting task in managing too many things at once. Rarely do policy makers have relevant experience and expertise in cybersecurity. Cybersecurity awareness is a very good venue to educate everyone, including our policy makers, to focus on relevant issues at hand.
In the launch event’s closing remarks, Michael Daniel, former Obama White House Cybersecurity Coordinator to the President and current President of the Global Cyber Threat Alliance, suggested: ‘Human create the Internet. We create the cyberspace.’
We shall remain optimistic and confident in facing the future of cybersecurity. Our aspiration and ability will help guide us to build a secure cyberspace. I encourage you to check out the events at NCSA, many of which are broadcast over the Internet. There may also be local cybersecurity events hosted in your country in October, as this effort is spreading worldwide. The bottom line is to get involved: the more you know, the better.