Reframing cybersecurity: Insights from global security leaders

When it comes to cybersecurity, expert panelists at a recent event dedicated to the topic hosted by Iron Mountain in Washington, DC, agreed that we can’t stop the unstoppable. But organisations can work to prevent attacks and, equally as important, plan for resilience. The threat of cybersecurity is a constant and evolving issue, and it’s not a matter of if an organisation will be attacked, but when.

The consensus of the panel was that the concept of “failure” in cybersecurity needs to be reframed. A cyberattack should be viewed less as a failure and more as an inevitable risk to be managed. Such a reframing of traditional thinking about cybersecurity is critical to keep operations up and running even during an ongoing occurrence.

The evolving role of cybersecurity

The panel, which included Chris Inglis, Former White House Cyber Czar and Deputy Director at the National Security Agency; Jeff Buss, CIO of Dexian and former Managing Director EY Cyber practice and US Cyber Command, including protecting the White House; and Bipul Sinha, Chairman, Co-Founder, and CEO of Rubrik, Inc, agreed that cybersecurity is not exclusively about IT, which is often inferred, but rather it should be subordinate to what an organisation collectively cares about. This requires actively breaking down operational silos and sharing concerns at all levels of the organisation to enable inherent resilience throughout.

In addition to the call for collaboration among departments within an organisation, CIO and CISO responsibilities are converging to manage cybersecurity risks and recovery. Cybersecurity reframing requires a comprehensive understanding of an organisation’s digital infrastructure. Knowing which systems operate, and where, provides a defense against bad actors, as an organisation knows those systems better than the hacker.

The acknowledgment that we cannot guarantee security and therefore must embrace defensibility is dependent on three factors: doctrine, skills, and technology. An example of a successful application of this framework is current-day Ukraine: the government invested in technology, has expertise and knows its digital architecture, developed a coalition with other countries, and continues to use cyberspace to make advances for its citizens even while war rages on.

Similarly, the public and private sectors must join together to make necessary investments in cybersecurity, build resilience, and impose consequences on attackers. The panelists were hopeful about the US government investment in cyber, saying it is still a bipartisan, if not a non-partisan, issue.

Fighting tech with tech: AI presents new cybersecurity opportunities and challenges

The speed of artificial intelligence (AI) development is mind-boggling, yet according to a recent article in the Wall Street Journal, only 30% of organisations are using AI while the remainder are hesitant about potential vulnerabilities. The panelists encourage entities to think about the value proposition for its use, yet it should always be subordinate to the human being: humans should be served by AI, not supplanted or controlled by it.

That said, given the volume, velocity, and variability of cyberattacks, it’s time to use AI to fight AI. Defenders have to be accurate all of the time, but attackers have to be right once. Cyber protections were likened to a “tax on our digital world” and the panelists agreed that technology providers should deliver those protections inherent in their applications, not as add-on modules.

The conversation turned to data integrity and data governance. Given that there is now a data “battleground,” the panelists agreed that models should be required to guarantee that data used in AI is trustworthy. Understanding data lineage and managing your organisation’s data hygiene and data supply chain have always been important, but now they are critical in establishing trust in AI-driven output.

A new cyber social contract

The panelists emphasised that reframing our collective approach to cybersecurity should align with the Cyber Social Contract proposed by Chris Inglis and Harry Kresja in 2022. According to the contract, fear-based decision-making should not override the “aspiration to realise cyberspace’s full potential.” We can rebuild trust in the digital world through collaboration to restore its “original purpose” to make the world a better place.