Last year, cybersecurity became one of the hottest topics in international conversations, and was under extensive discussion at most global summits and economic forums. The United States has elevated the issue's importance to being the most critical threat to national security – even bigger than terrorism.
It is evident that the strategic importance of cybersecurity has become clearer in the minds of both government and corporate decision makers. However, this is no reason to rest easy: the world has not been saved and cyberthreats have not been eliminated. Until now, there has been much in the way of discussion but very little action. National security cannot be preserved and threats against corporations cannot be alleviated by talking, only by taking action.
At the Cyberstrat14 event in Helsinki, cybersecurity was repeatedly said to have three key needs: leadership, drive and trust. To begin, leadership and drive must lead to action and not merely to more discussion. The discussions taking place within organisations and corner offices now needs to be translated into strategies and action plans.
Cyberstrategy is a multifaceted issue and as such there is no straightforward formulation or solution. It is impossible to approach cyberstrategy like it's the icing on a cake - it is not something you can just add on top. Cybersecurity is more integral. Like the egg that goes into the cake's batter: it needs to be whisked in right at the beginning.
Any approach to cybersecurity must be defined in a way that does not hinder a corporation's performance or eat away at its effectiveness. The right level of security must always be evaluated individually for each organisation and each situation.
Furthermore, management and key decision makers don't need to know everything about firewalls and proxies and bits. There's no need for it. The extent to which the chief executive of an aviation company knows how to entirely construct a plane himself is as much as any ordinary manager needs to know about firewalls and virus protection. But what the manager does need to understand is the ultimate objective in terms of cybersecurity in their company. It is about the ability of the manager to understand and share the message and commit the whole organisation. Without the strategic know-how and understanding of the principles behind cybersecurity, it is impossible for management to commit or guide the cyberstrategy within their organisation.
The main responsibility for this rests on the leadership, but everyone needs to participate. Rod Beckstrom, founder of the United States National Cyber Security Center and an advisor of the World Economic Forum, spoke about an organisation in which each and every individual had the right to create a crisis team entrusted to solve a problem - from the onset of a crisis straight through to its conclusion. Everyone has responsibility, and this responsibility requires that power be distributed throughout.
Likewise, the idea of “this is everyone's business” applies to the corporate level as well as the government level. But nothing will advance unless there is leadership that creates objectives and rules. We are in need of goals and action plans spread to each and every level of the organisation.
Matthew Rosenquist, cybersecurity strategist of Intel Security, stated at Cyberstrat that a company can fix their security issues through either leadership or crisis. In the absence of leadership, we are left only with crisis. Hopefully the option of crisis is not the path organisations will take.
International politics is in need of cooperation that goes across national boundaries.
Cybersecurity and trust go hand-in-hand. Without security, there is no trust, and vice versa. Unfortunately we currently live in a situation where trust levels are going down. They can be lifted with cooperation. Balance is the vital operator: we must not trust too much, but is important that we trust enough.
The digital world can never be perfect, just as with the physical world. There has always been crime and there will always be crime.
Likewise, the world of cybersecurity will never be “ready”. Cyberthreats are here to stay. We are faced with a new state of being in which we need to act according to threats, yet preserve the freedom to take advantage of the opportunities this new world brings us. As this new world changes constantly, we need to adapt to it by building trust and security. The ways forward are leadership, cooperation and resilience.
Contributed by Jarno Limnéll, Director of Cyber Security, Intel Security & Lior Tabansky, Doctoral candidate at Department of Political Science and researcher at the Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University.