What are the biggest technology challenges facing companies today?
All of them.
The list of challenges has grown so long, so complex, and so interrelated, that it can be hard to keep track, much less to prioritize them. And this acceleration of complexity applies across domains: from IT modernization to the technical dimensions of cyber defense, and from personnel training and policy revisions to understanding the overlapping requirements of legal regulations in the United States, the European Union, and elsewhere around the world.
What’s a CIO to do?
In this era of ever-advancing cyber threats, with a constant stream of news about sophisticated attacks from nation-states and about the ways in which malware can be adapted and evolve in the wild, clients often ask for my thoughts on what might come next, and on how they can manage the risks to business operations, reputation, and personal data that come with cyber incidents. Of course, every situation is different, and each client has unique needs. But in broad terms, if I had to make a list of priorities for the next few years in data privacy and system security (my predictions for cybersecurity trends), it might look something like this:
Focus on fundamentals. No organization wants to be seen by malicious actors as an easy mark, as a target that has done the cyber equivalent of leaving the front door open and the safe unlocked. With this in mind, I routinely advise my clients to continue to focus on fundamentals. Yes, there are sophisticated actors out there in the cyber environment who are creating zero-day exploits that any organization would be hard-pressed to defend against. But far more companies are at risk from opportunistic threats, such as the scanning of websites for well-known vulnerabilities, and from targeted spear phishing attacks that rely more on social engineering than on esoteric software engineering. I often remind clients that focusing on high-impact, low-probability threats is only of limited value if the basic principles of risk management get overlooked. In other words, for many organizations, it’s a sound approach to strive first to be brilliant at the basics, and only then to consider preparing for the rare and highly specialized threats.
Pay attention to the unique challenges presented by the intersection of cyber and physical things. The widespread attack surface of the Internet of Things expands the risks posed by cybersecurity incidents in ways we hadn’t previously had to consider. Whether it’s the risk of a hack on medical devices, or remote sabotage to a power plant or pipeline, or malicious control of buildings and their appliances by unauthorized users, there is more opportunity than ever before for cyber attacks to bring about damaging–or even catastrophic–effects in the physical world. This complex interaction between connected devices and the world around them means that companies should be looking more closely than ever at a holistic approach to risk mitigation strategies. Vendor contracts are a critically important source of risk, as well as an opportunity to mitigate that risk by making sure that vendor proposals include information about their cybersecurity practices, and by negotiating vendor contracts to include representations and warranties regarding the vendor’s cybersecurity practices, and including indemnification and other clauses that make clear which party assumes liability–or enjoys limitations of liability–for various kinds of cyber events. Insurance coverage is an increasingly important component of cyber risk management as well, and organizations would be wise to consider carefully not just what kinds of cyber coverage they may need, but also how their cyber policies will interact with their other policies in the event of a cyber-caused event that triggers multiple types of damages (such as bodily injury, property damage, environmental clean-up costs, etc.) and various types of litigation (consumer class action, shareholder derivative litigation, and so forth).
Keep an eye on shifting legal obligations. We’ve seen a trend in recent years towards more comprehensive legal obligations: it’s no longer enough to avoid a data breach; companies are now expected to have robust data management practices and, in some industry sectors, to adopt comprehensive cybersecurity programs. In the early days of data breach laws, companies in the U.S. primarily had to concern themselves with the obligation to notify individuals, and sometimes state regulators, if the company’s holdings of personally identifiable information (PII) were compromised, in those states that imposed such legal obligations. In a select few highly regulated industries, such as health care, additional obligations applied. But by and large, companies whose operations were focused in the U.S. primarily had to concern themselves with outcomes, not with processes; if there was no breach of PII, then companies owed no particular obligation of access, transparency, reporting, or other requirements, either to government agencies or to consumers. Within a relatively short timeframe, all 50 U.S. states, along with the District of Columbia and Puerto Rico, had adopted data breach laws, and those laws are expanding to include biometrics among the types of data whose compromise triggers a reporting obligation. Meanwhile, the European Union’s General Data Protection Regulation, which took effect in May of this year, is already having a global impact on the ways in which companies manage their data. In defining “personal data” very broadly, and in granting individuals a number of specific rights with respect to the collection, processing, retention, and use of information about them, the EU has taken steps that could transform the ways that many private entities handle personal data.
(Because the EU lacks competency over national security matters, the GDPR does not affect the ways in which governments can collect and use personal data for purposes such as national security and the prevention of serious crime.) The GDPR’s influence has been seen not only in its operational impacts on U.S. entities; it has also influenced the development of new data protection laws around the world, including within the United States, where the newly passed California Consumer Privacy Act (CCPA) carries distinct echoes of the European approach to individual privacy rights.
Effective cyber security is a team sport. It’s no secret that today’s cyber environment is more complex than ever, and effective approaches to mitigating its risks will require buy-in and support from across departments and at all levels of an organization. It’s easy to think of the IT department and legal counsel’s office. But those two organizations, although key to good cyber planning, shouldn’t be operating alone. The C-suite should recognize cybersecurity as a key component of organizational health; the Board should be engaged and asking for regular status reports and updates; the chief financial, compliance, privacy and risk officers should all be paying attention to cybersecurity; and human resources and procurement should play central and important roles.
The details of the cyber landscape keep changing: new threats, new laws, new challenges for organizations to meet. But many of the core principles of an effective cybersecurity program remain the same: sound cyber hygiene practices; routine–and regularly updated–personnel policies and training; a frequently tested cybersecurity incident response plan; a program for vendor management; and an assessment of insurance needs. Whether these functions are carried out in-house, or supported by the myriad well-qualified consultants who are available to advise organizations on their technical and legal cybersecurity risk, organizations that continue to strive to be brilliant at the basics will also likely find themselves well positioned to face new and ever-evolving cyber threats.