The relationship between cybersecurity and innovation is a balancing act, where teams need the freedom to create — unhindered — but still need to be cognisant of the imminent threat of cybercrime.
Which-50 recently hosted a senior executive panel to interrogate the issue of translating cyber risk for boards and managing the relationship between innovation and cybersecurity.
The panel, which was sponsored by information security company CyberArk, consisted of Kendo CEO Jim McKerlie, Baker McKenzie partner Anne Petterd, Mastercard’s Director of Digital Identity, Samuel Stewart, and CyberArk’s Regional Director ANZ, Thomas Fikentscher.
According to Stewart, cybersecurity needs to transform from its position as a “defensive game” — where attackers have traditionally been poised to decide when, where and how their attacks will take place. Instead, prioritising cybersecurity at the innovation stage, he said, will set organisations up to take an active stance against cybercrime threats.
“Bringing cybersecurity and innovation together is important. I think having the two really tightly coupled needs to be at the forefront of the mind of organisations.”
Stewart said that organisations often struggle to allocate the appropriate resources to cybersecurity, particularly when they haven’t yet fallen victim to an attack. But as Petterd said, “it’s not a matter of if, but when” an attack will occur.
When it comes to budget allocation, the panel agreed that board directors need to direct the same level of investment towards cybersecurity as they do to innovation, since you can’t have one without the other. Stewart pointed to a mismatch between the two.
“We did some research last year, and I think it was around 40 per cent of organisations had innovation as their top priority — almost half of them wanted to allocate budget to innovation. On the other side, there was only around 30 per cent that were actually allocating or had allocated funding for cybersecurity,” said Stewart.
Security by Design
Discussing the balance between innovation and security, Fikentscher highlighted the SolarWinds attack, where hackers added malicious code to components of the Texas-based company’s software portfolio. This led to 17,000 companies downloading software that was infected with a Trojan horse.
According to Fikentscher, an extensive forensic review by the US regulators found that the hackers had infiltrated the build phase rather than the source code itself, which resulted in recommendations advocating for “security by design”.
“[Security by design] doesn’t mean that it has to slow you down. It’s about being smart when it comes to using the right toolsets. And from the beginning, working with the software developers and the designers and the default functions to work out where, in between, you have to have certain stops,” said Fikentscher.
“Stop using credentials and hardcode them into your code. Make sure the tools being used are actually checked in terms of where the credentials are sitting, where the API calls are sitting.”
“If you have a security by design mindset and a privacy by design mindset from the beginning, I think you can find that right mix.”
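A minimal form of the check Fikentscher describes, added here as an illustration and not code from the panel or from CyberArk: it scans source text for credential literals and well-known key shapes, while letting runtime lookups and obvious placeholders through. The patterns and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# A string literal assigned to a credential-looking name, e.g. password = "..."
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[A-Za-z_]*(?:password|passwd|secret|api[_-]?key|token)[A-Za-z_]*)
    \s*[:=]\s*
    ['"](?P<value>[^'"]{8,})['"]
    """
)

# Credential shapes that are recognisable regardless of the variable name.
KNOWN_SHAPES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are clearly not real credentials (constructed list for the example).
PLACEHOLDERS = ("changeme", "example", "placeholder", "xxx", "<")

@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str

def is_placeholder(value: str) -> bool:
    low = value.lower()
    return any(p in low for p in PLACEHOLDERS)

def scan_source(text: str) -> list[Finding]:
    """Return one Finding per line that appears to embed a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):          # whole-line comments are skipped
            continue
        for kind, pattern in KNOWN_SHAPES.items():
            if pattern.search(line):
                findings.append(Finding(line_no, kind, stripped))
                break
        else:
            m = CREDENTIAL_ASSIGNMENT.search(line)
            if m and not is_placeholder(m.group("value")):
                findings.append(Finding(line_no, "hardcoded_" + m.group("name").lower(), stripped))
    return findings

# Constructed sample: one hardcoded password, one env lookup, one AWS-style id, one placeholder.
SAMPLE = '''import os
db_password = "Sup3rS3cretPa55"
api_key = os.environ["PAYMENTS_API_KEY"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
token = "changeme"
'''
```

Running `scan_source(SAMPLE)` flags lines 2 and 4 only; the environment lookup and the placeholder are left alone, which is the distinction a build-stage check has to make to avoid drowning developers in noise.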
Security Across Supply Chains
As the world catapults towards digitalisation and digital transformation, Petterd suggested that the supply chain cybercrime risks will only increase.
“You might be introducing IoT devices to actually perhaps address a compliance issue and the moment you can’t go to your factory in another country and get boots on the ground and check whether someone’s complying with modern slavery issues or sustainability requirements. What do you do? You put in more monitoring to address that compliance issue. But in doing that, there is the potential that maybe you’re opening another risk with cyber security,” says Petterd.
According to McKerlie, the magnitude of risk has increased exponentially in the last year and is broader than just considering supply chains.
“We’ve had 10 years’ worth of digital transformation in a year last year because of COVID, so the whole world is networked. And I think it’s bigger than the supply chain and digital identity is absolutely fundamental to getting it right,” says McKerlie.
Stewart suggests automation as a key tool to address supply chain risk, allowing businesses to assess the digital footprint of their suppliers and their potential vulnerabilities.
“For businesses, the tangible takeaway is that you need to look at supply chain risk, but you need to do it in an automated fashion, and you need to make sure that that’s ongoing,” he says.
The final message from the panel was simple – with attackers using the most advanced tools, tactics and techniques to achieve their goals, security and risk management leaders must understand the implications and improve their defences accordingly. This includes identifying critical data and assets and then looking at focused protection, concentrating defences and spending on what is most valuable; and examining all the pathways attackers can take to reach these critical data and assets – including via the software supply chain. Because, as all agreed, even security-forward organisations can be breached if they rely only on generic, perimeter-focused protection.
This article and video were produced as part of Which-50’s Digital Intelligent Unit, the company’s paid content arm.