Two months after the World Economic Forum, three weeks after RSA 2017, and three days after I read an article by Forbes leadership advisor and author Mike Myatt – I am reminded of something I was told a long time ago; “If there is a conversation you have been avoiding, that’s the one to have.”
I think there is a broader conversation that we as a security industry, as well as a tech industry, have avoided, and in some cases have intentionally distracted others away from having. In reality, there are two discussions – one for the creators/users of technology and one for the security industry. Both share a common conclusion that results in harm to others. Beyond that, both problems have a path forward that can address these failings.
Myatt wrote a great piece last month titled Digital Transformation or Digital Free Fall: What Every CEO Must Know.
In the article, he astutely explains, “Innovation has always been synonymous with business survival and that hasn’t changed. What has changed is the pace and scale at which businesses must innovate to remain competitive in a digital world. The speed of technology advances in the market are making the old paradigm of first mover versus fast follower largely irrelevant – every business must now become some version of a first mover.”
He also goes on to point out that “digital transformation is really more of a leadership, culture, strategy, and talent issue than a technology issue. Real digital transformation occurs when business models and methods are reimagined by courageous leaders willing to manage opportunity more than risk, focus on next practices more than best practices and who are committed to beating their competition to the future."
This is where my fundamental disagreement with Myatt comes into play. Courageous leaders in digital transformation realize that business survival is also about managing risk, not just managing or chasing opportunity. Too many organizations today are chasing digital opportunities while risking their customers, and in some cases, society. Richard Rushing, CISO at Motorola Mobility, posted in December a picture from a presentation that read, "We're building self-driving cars and planning Mars missions - but we haven't even figured out how to make sure people's vacuum cleaners don't join botnets."
In my second book, I published a set of 9 Irrefutable Laws of Information Risk. Law #9 states: "As our digital opportunities grow, so does our obligation to do the right thing." I believe this is a crucial point that was left out of Myatt’s piece.
Digital transformation is embedding technology into the fabric of our lives. Typically, these technologies are meant to help or assist users, but one key element is often overlooked: Exploits that take advantage of technological vulnerabilities will increasingly impact the well-being of almost everyone in our society. So, it is incumbent upon all of us to properly shape the way we design, develop, and implement digital transformations to best manage and mitigate the information security, privacy, and other risks that are being generated, while still challenging ourselves to create technology that helps people.
The World Economic Forum 2017 Global Risk Report, published just a short time ago, had Cyber Dependence in its top five risk trends, just below climate change and polarization of societies. It also indicated that "technology is a source of disruption and polarization." I also believe technology is a tremendous opportunity for economic and societal benefit. I believe that technology can connect and enrich people's lives - if done correctly and for the right reasons.
The 2017 Edelman Trust report, published recently, agreed that “we have a trust collapse”, adding, “we have moved beyond the point of trust being simply a key factor in product purchase or selection of employment opportunity; it is now the deciding factor in whether a society can function… The onus is on business to prove that it is possible to act in the interest of shareholders and society.”
A growing digital economy relies on trust. Breaking someone's trust is like crumpling up a perfectly good piece of paper - you can work to smooth it over, but it's never going to be the same. I have said it before and I will say it again: Managing information risk isn't about saying "No," it's about protecting to enable people, data, and business. We have to run towards risk to shape the path of the risk curve. CISOs need to do this, ideally, in front of business and technological opportunities or, at a minimum, in line with them. That is the best way we have to understand the risk dynamics to our organizations, shareholders, customers, and society. That is the best way to proactively prevent avoidable risk.
If we carelessly implement technology just to chase or manage opportunities, simply to prove that we can, we won't be successful in realizing digital transformations that can change lives and protect our people. Instead, we will be setting ourselves up for a digital disaster. However, if we focus on the opportunities and on our obligation to implement them the right way, we can achieve digital transformation and digital safety so that we can make sure tomorrow is better than today. If done right, we can avoid not only the digital free fall, but also the digital disaster about which Myatt and the other experts above have warned us.