Gartner predicts that by 2020, 60 percent of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.
Gartner has identified five key areas of focus for successfully addressing cybersecurity in digital business:
- Leadership and governance
- The evolving threat environment
- Cybersecurity at the speed of digital business
- Cybersecurity at the new edge
- People and process: culture change
“Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation.” – Gartner
According to Gartner, through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. This prediction is one of the top 10 emerging risks in cybersecurity.
Here are the six cybersecurity trends according to Gartner for the future digital business:
1. Seek balance: To balance risk and resiliency, security professionals should look to create methods that allow for fast-tracking ways to address security concerns and demonstrate agility.
2. Accelerate skills generation and convergence: For current employees, organizations must identify current skills gaps and focus on creating “versatilists” who are capable of fulfilling these varied requirements.
3. Grow a secure digital supply chain: Digital technologies will create a matching digital supply chain using cloud services.
4. Embrace adaptive security architecture: Security leaders must shift their mindset from incident response to continuous response, spend less time on prevention and invest in detection and response.
5. Adapt security infrastructure: Security professionals need to make decisions about equipping the integration points of those networks.
6. Establish data security governance and flow: Begin treating data classes seriously, and focus on device protection and data flow profiling to determine security strategy for the Internet of Things.
“By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.” – Gartner
In order to better understand the importance of cybersecurity in the enterprise, Ray Wang and I invited three cybersecurity and information technology experts and thought leaders to our weekly show DisrupTV.
Dr. Alissa Johnson is the vice president and chief information security officer (CISO) for Xerox, a Fortune 500 world leader in documentation and business process management. In her role, Dr. Johnson is responsible for establishing and maintaining a corporate-wide information risk management program to ensure that information assets are adequately protected. Prior to Xerox, Dr. Johnson served as the first CISO at Stryker, and three years in the White House as the deputy chief information officer (CIO), helping modernize the Executive Office of the President’s IT systems.
How has the role of CISO evolved and changed in 2017? According to Dr. Johnson, the expanding number of privacy and data breaches has elevated information security to a boardroom issue. At the beginning we looked at technology as a business enabler. Today, companies are faced with compliance and regulatory requirements, but they sometimes overlook the security requirements. Compliance is not security, but security is central to compliance. The more trust you need, the more of a security presence is required. The CISO is a critical voice that helps enable technology in business, and also makes security a differentiator. Protecting data across mobile devices and connected things is key to a successful security framework.
The breadth and depth of the vision of technology enablement, security and use of data are important CISO focus areas.
What lessons did you learn from modernizing the White House? “I didn’t do it by myself, and I was never the smartest person in the room. I was able to get the right people in the room together, to make it all work well,” said Dr. Johnson. How do we share information? How do we collaborate and share our experiences? Dr. Johnson is a fantastic connector and collaborator. She is able to unite subject matter experts and leverage the network to find solutions and transform businesses in a robust and secure manner. Dr. Johnson is learning and applying best practices from different industries. It is about the right relationships. Dr. Johnson shared other very important lessons for business leaders, including executing the very basics to achieve success.
The CISO is a connector and educator. Dr. Johnson spends time educating board members and CXOs. The ability to pull from the government, private and non-profit sectors allows Dr. Johnson to have a multi-dimensional perspective on cybersecurity. Dr. Johnson is not a CISO that says ‘No’. “We have to be able to enable the business,” said Dr. Johnson. She says ‘Yes, but’ or ‘Yes, and’: you have to put in all of these compensating controls or things that mitigate or lower the risk. It’s all about risk appetite and your willingness to securely experiment. By consistently saying no to new technology and innovation, CISOs can hinder their company’s ability to compete and stay relevant.
Security has to be at the beginning of the design process. Security cannot be an afterthought. By building security into the very beginning of the design phase, you reduce unnecessary costs and minimize the need to re-engineer solutions late in the game. Dr. Johnson encourages her team to think outside the box and avoid overcomplicating security projects by collaborating with cybersecurity experts outside of her industry, including Silicon Valley startups, vendor partners and other stakeholders.
We need to start early and educate future security professionals by supporting STEM programs. Dr. Johnson fully supports new college graduates, knowing that today’s young professionals are more technical and digitally savvy. Lifelong learning in security has the greatest potential to ensure career longevity. Dr. Johnson was a math major. She believes that regardless of your degree and background, all of us have the ability to be creative and have a vision. Dr. Johnson is a brilliant CISO and a must-follow on Twitter: @DrAlissaJay.
David Chou is the vice president, chief information officer (CIO) and chief digital officer at Children’s Mercy Hospital in Kansas City. Children’s Mercy is the only free-standing children’s hospital between St. Louis and Denver, providing comprehensive care for patients from birth to 21 years of age. Children’s Mercy is consistently ranked among the leading children’s hospitals in the nation. Prior to Children’s Mercy, Chou held the CIO position at University of Mississippi Medical Center, the state’s only academic health science center. Chou’s work has been recognized by several publications as one of the most mentioned CIOs in social media. Chou is an active member of CHIME and HIMSS.
How do you develop your technology and security investment thesis at one of the top hospitals in the world? “The number one priority for the CIO is to align your investment thesis, objectives, strategy and long-term technology roadmap to the organization’s vision and strategy,” said Chou. Chou established a three-year roadmap and information systems initiative that was aligned with the organization. This is how Chou requests budget and manages his team towards the long-term vision and strategy. Prioritizing the programs is based on protecting market share and improving the customer experience and engagement. Chou’s top priority is to improve patient engagement and experience by being proactive and delivering personalized and intelligent engagement. Chou is investing in mobile, social, cloud computing and analytics to improve the patient experience.
What is the impact of the Affordable Care Act (ACA) in healthcare? According to Chou, the initial push was to stimulate the economy by shifting from paper to electronic methods of storing data. The next push is how to create a better and new experience. The future of healthcare is keeping patients out of the hospital. How do we keep patients healthy? The new healthcare models will shift from volume-based performance metrics to value-based metrics.
Security is not just about checking the compliance box. Most CISOs and CIOs do not have formal security programs. One of the biggest risks to security is internal employees. How are you training employees to be more security aware? Most CIOs are not. Are you practicing security – what happens when you have a breach, and how do you respond? Chou and his team are developing a security program and educating all stakeholders to be security champions.
Security starts with understanding your data. What type of data is coming in and out of your organization? What kind of data do you have access to and analyze? Chou and his team see six million data points per day at the hospital. Analyzing data includes Internet connected devices, sensors, wearables, smart devices including phones and tablets and all other computing devices.
CRM is key to patient experience success. According to Chou, the CRM platform and usage in retail is what the healthcare industry needs to deliver mass personalization at scale with proper context and intelligence. Promoting wellness and proactive personalized healthcare delivery means providers must invest in a CRM platform. The shift from volume-based to value-based metrics will be a forcing function for healthcare providers to invest in CRM. Market consolidation will also be a catalyst for investments in technology to improve the patient experience and deliver meaningful value.
Where do we find the best talent in healthcare? Chou believes we need to attract talent from outside the healthcare industry. Chou is hiring technology executives from outside of healthcare – the CTO is from the media industry. Please watch our video conversation with David Chou to learn more about his views on talent management and the role of technology to improve healthcare delivery.
Steve Wilson is the vice president and principal analyst at Constellation Research. Wilson’s research focuses on digital identity and privacy, with coverage spanning the business research themes of digital safety and privacy, data to decisions, and consumerization of IT. Wilson’s advisory services to CIOs, CISOs, CPOs and IT architects include security practice benchmarking, privacy engineering and privacy impact assessment.
We spoke with Steve about Blockchain myths and realities. Wilson wrote a brilliant and simple 500-word blog about Blockchain with no graphics and analogies – a must read. Wilson describes the importance of the crowdsourcing framework and the importance of trust. Security is about people, process and technology. The genius of Blockchain is that it takes the people and process out of the loop. The trouble is that this framework is only good for bitcoin and purely digital assets. The invention of Blockchain was genius for bitcoin. Distributed ledger technology that was inspired by Blockchain is ongoing R&D and hype free, according to Wilson.
What and where are your assets, and what are you trying to protect? Wilson used a healthcare example with health records; you are trying to protect access to a patient record, protect the pedigree of the record, and validate the proper credentials. Permissions, pedigree, and credentials must be protected. Who is accessing what and why must be well understood. Wilson believes that you need to partner with large R&D labs to better understand the complexity and realistic use cases. Blockchain is not going to change the world on its own. Wilson notes that disruptive technology takes a long time to hit the ground in lasting ways. We need to better define what we mean and expect with trust and consensus. Wilson also notes that administration is the enemy of Blockchain.
Wilson will focus his 2017 research on how we can do security differently and better. Security is always competing with time to market. Security is about attention to detail, hygiene, and complexity. The Internet of Things (IoT) and new ways of cloud computing will further complicate security requirements. We need to develop the balance between security and software quality. We need a new type of conversation among competing interests in the boardroom.
According to Wilson, Agile (development process) and minimum viable products (MVPs) are the enemies of security. MVP is about releasing software and fixing the security problems after the product launch. Wilson has yet to find an agile layer that does security well. How do we turn this around, knowing pure agile is a problem for delivering a secure solution? Please watch the video with Steve Wilson for his incredible insights regarding Blockchain and security trends for 2017 and beyond.
Cybersecurity will continue to be a top business priority for CEOs. In order for CIOs/CISOs to successfully innovate and drive digital business transformation, they must ensure table-stakes security compliance and capabilities are on the forefront of their investment thesis and long-term strategy.