Collaboration between organizations and even countries might be the only way to have a positive impact on cybercrime, according to one expert.
Ken Xie, founder, chairman of the board and CEO at Fortinet, does not pull any punches in his World Economic Forum commentary Four key challenges for cybersecurity leaders. He starts the post with these points:
Cybersecurity must be built into every product and system;
Achieving this will pose four challenges for business leaders; and
By overcoming them, we can create a truly protected digital world.
Xie stresses the need for cybersecurity to be part of the initial design. “Cybersecurity cannot be an add-on,” suggests Xie. “Rather, it must be built into every product and system from the moment it is conceived.”
SEE: How to build a vulnerability response plan: 6 tips (free PDF) (TechRepublic)
4 key cybersecurity challenges
Next, Xie addresses the four challenges facing business leaders.
Real-time information sharing: Put simply, lag times between recognizing cybersecurity issues and addressing them are too long.
Speed is fundamental to an effective cybersecurity strategy, as is keeping up with the volume of internet traffic.
Quick reaction times are vital, as cybercriminals take advantage of long lag times.
So how does one improve lag times? “To act fast, we must share threat information in near real-time,” explains Xie. “No single organization, public or private, can have a complete view of the entire cyber landscape. Senior leadership must insist organizations share information to put the pieces of the puzzle together.”
Widespread collaboration in cybersecurity: Xie is not the first to suggest widespread collaboration, but he places a great deal more emphasis on its importance. It will enable collective organizations to create what he calls a “hive mind”–a platform that learns rapidly, allowing consistent expansion of the collective competency.
“Deep collaboration means making everyone smarter and creating knowledge repositories that are part of our operational systems,” adds Xie. “It means collaborating on threat-intelligence sharing and on education.”
Xie also suggests that tangible results could happen quickly–if organizations work together. “More than 92% of malware is delivered via email,” writes Xie. “With the right awareness campaigns and policies, as well as diligence in practice, we could eliminate more than 90% of malware simply by teaching new skills that overcome ingrained behaviors.”
SEE: 3 crucial security policies you need to strengthen your network defenses (TechRepublic Premium)
Creating and promoting a common vision for integrated cybersecurity: Leaders from the public and private sectors need to cooperate when creating a common vision of integrated cybersecurity; the North Atlantic Treaty Organization (NATO) exemplifies what Xie is talking about.
“This vision for integrated cybersecurity must anticipate the next actions of cybercriminals rather than reacting to them,” suggests Xie. “Just like NATO’s well-trained armies and constantly-evolving battlefield strategies, the common vision must be operational and address the technical challenges of effective cybersecurity.”
It’s going to take more than an organization’s upper management embracing Xie’s vision–all individuals within the organization must be onboard as well. “Cybersecurity education and training should be part of everyone’s educational development,” adds Xie. “Without such efforts, we will not have enough experienced soldiers to fight this war.”
SEE: Hiring kit: Cybersecurity Engineer (TechRepublic Premium)
Promoting the technology platform we need to make this work: Xie believes cybersecurity has not been a must-have consideration when developing much of the world’s current digital infrastructure, and that must change. He thinks additional computing power is needed in order for cybersecurity to work. He’s also convinced cybersecurity capabilities internal to devices must fit into an integrated platform that distributes workloads over the layers of a system.
The integrated platform concept applies to all parts of the network. “Instead of looking only for the fastest path, security-driven networking takes the risk of each path into account and moves traffic over the fastest safe path,” explains Xie. “To make this work, the networking devices all need to share information about the speed and the risk of each network path.”
History has Xie concerned; he suspects the concept of an integrated and optimized platform across organizations and countries will be viewed suspiciously. “Organizations like the World Economic Forum’s Centre for Cybersecurity must continue to educate product designers around the world about the need to build cybersecurity into their products, and best practices in doing so,” advises Xie. “In some cases, this may lead to a product refresh, while in others it will lead to a redesigned ecosystem.”
Xie suspects both changes–refreshed and redesigned–will be required more often than not. He also hopes for more widely-accepted standards, protocols, and public discussion about cybersecurity components having a common communications protocol.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)
Xie, not mincing words, fully believes the only chance of having a protected digital world is when true integration occurs across all borders–national and geographic–as well as within each organization that has a digital presence.
Something else Xie feels strongly about is that government leaders have a responsibility to guide us toward a safer world. “In a climate permeated by lack of trust and poor cooperation between established industry leaders, the only winners are cybercriminals,” he concludes.
Across-organization/nation-state integration of cybersecurity makes good sense, but the obstacles seem enormous. IT leaders should address these issues head-on.