Technology - 6 December 2021
Misconception n°1: Using modern/nextgen technology makes you safer
Why is this misconception false?
In January 2019, Accenture showed that 79% of digital transformation projects did not include cybersecurity at the right level. Since then, the Covid situation and the transformations it accelerated have largely exacerbated the phenomenon.
Unless adopted correctly, cloud architectures, containerization (Docker and Kubernetes), the extended use of open-source libraries such as npm packages, APIs (including GraphQL), and microservices, not forgetting AI and NLP libraries, guarantee no cybersecurity at all, even if they allow an accelerated time to market or offer a certain fluidity of deployment in the face of traffic variations. Their proper use remains complex, and they require an architecture that is both well thought out and efficiently executed. Their maintenance is just as frustrating. Conversely, lighter technologies such as no-code or headless architectures are not always a solution either.
We employ these technologies in our Captain Cyber innovation, so we are well placed to talk about it. Moreover, only a few cybersecurity experts are fully aware of these technologies, which are increasingly common in the digital world. And despite the deployment of DevSecOps approaches and tools (which integrate security at the heart of development and operations), development teams and cyber teams do not often work together. Their career paths are increasingly distinct, and bridges between them are rare.
Innovation and CISOs: a complex relationship
For a long time, CISOs (Chief Information Security Officers) have been resistant to the cloud. This is probably one of the reasons why 86% of CESIN members (CISOs), questioned in the survey published in January 2021, still consider that the tools provided by cloud providers do not allow data to be secured. This despite the significant progress of these cloud providers on the cyber subject and the largely industrialized architectures and services they offer, even if we put aside the subject of sovereignty in the decision-making process. Despite the stakes, the discussion does not seem to systematically take place between cloud and cybersecurity: in the latest Accenture study, 32% of companies indicate that cybersecurity is not part of the cloud discussion, and 18% indicate that involvement is limited. In 50% of large enterprises, collaboration between cloud and cybersecurity teams is not a given. It must be said that CISOs are generally not very open to innovation. This is what the same CESIN survey shows, albeit with an improvement over the previous year: only 55% of CESIN companies use "innovative offerings from startups" (of which 51% only occasionally). This use of innovation is far from systematic. But it should be.
Because innovation is not the priority of CISOs, or at least not the priority that is set for them. Yet this is a real problem. Not only are some CISOs a hindrance to innovation projects, but their weak innovation culture (such as the practice of "fail fast and learn") also limits the effectiveness of their cybersecurity strategy. One of the characteristics of leading cybersecurity companies, according to Accenture, is "the ability to evaluate, pilot, and test new cybersecurity capabilities (in lab or pilot)". These companies identified as cybersecurity leaders spend 29% of their cybersecurity budget on such innovation activities, which is very significant. Identifying, testing, and deploying innovation at scale must therefore become a standard activity for cybersecurity functions: in short, the opposite of the usual "compliance" approach. This also implies decommissioning old technologies and tools just as frequently, by dedicating a budget to this less "flashy" but equally vital activity.
Is blockchain the ultimate secure technology?
However, many decentralized finance (DeFi) platforms have been attacked, totaling more than 1.5 billion USD in losses as of November 30, 2021, with 3 more companies attacked since then, in less than a week! And this while it is their core business to handle, on a daily basis, transactions totaling several million or tens of millions of euros. Even platforms that state they have benefited from 3 audits by companies with expertise in blockchain cybersecurity are affected.
What to remember
Moral: by failing to take cybersecurity into account in many digital transformation projects, companies create for themselves every day (quite involuntarily) the conditions for tomorrow's cyber attacks (and I'm not talking about the day after tomorrow, but tomorrow or... this Sunday!).
Once this awareness has been achieved, training, both initial and ongoing, for CISOs and Chief Digital Officers (CDOs) will eventually close these gaps. Fortunately, it is possible to put in place strategies and tools that help remedy this situation without delay.