If I could sum up the last 18 months with one word, it would be resilience.
Whilst pandemics are nothing new, the world was not prepared for an event of this magnitude, and it forced many organizations to operate in ways that may have seemed incomprehensible just a few years ago.
As organizations contended with waves of lockdown, there was a rush to ensure services remained available and accessible. Despite the closure of many physical locations, digital services had to remain open as demand soared.
As the weeks turned into months and the first anniversary passed, apprehension eased, and stories of defiance started to appear.
The rhetoric of “we can’t do this” gave way to “we must do this.” The risk-averse became the risk-tolerant.
If there is one thing we know about humans — when faced with major global events and extreme adversity, we bounce back stronger and rebuild. To do so requires us to continuously innovate.
But every opportunity that presented itself to organizations also presented an opportunity to attackers.
Attackers don’t respect boundaries
As many organizations revised their policies, such as enabling personal devices or collaboration tools to keep people online, cybercriminals took advantage of the situation. We witnessed a level of recklessness by the attackers and a willingness to test the boundaries of the defenses, to push further than they had dared before.
Changes to working practices, technology and infrastructure opened a variety of new and evolving attack vectors. These are no longer just focused on disruption but also destruction. It’s a reality that we can’t ignore, as we consider the effect of deliberate and sustained sabotage on an already weakened supply chain.
A world without boundaries should not mean a world that is not secure.
It means our evaluation and perception of risk must continue to evolve. It requires a shift in mindset, from “it may happen” to “it will happen.”
Rather than fear the change, let’s embrace it.
Crossing the boundary of technology and cybersecurity
We often talk about hybrid, as the divergence of legacy and cloud infrastructure. But to go beyond boundaries, we need to consider hybrid more holistically.
No longer can CIOs and CISOs just consider the security of IT infrastructure. With opportunities for digital innovation extending further into the physical and biological worlds, they should also secure IoT/OT/ICS and robotics, combined with augmented and mixed reality and AI.
This fusion, known as the internet of everything, is an ever-expanding ecosystem of digital connectivity and smart technologies that enables enhanced consumer and employee experiences and engagement. In parallel, it introduces additional risk and attack vectors that can be exploited.
This intersection requires us to consider the interplay between digital security and safety, where the traditional need for confidentiality, integrity and availability also requires us to build for quality, endurance and reliability.
To be safe and secure in this digital world, you must start from a position which assumes you are neither safe nor secure.
We must therefore design for and assume failure, by thinking of the myriad ways in which a system could be physically and logically accessed by exploiting vulnerabilities. Having an assumed compromise/failure mentality requires that safety and security controls be deployed to counteract this.
This is an evolution of chaos engineering, which is designed to test against these severe (but plausible) and turbulent conditions — pushing it beyond its boundaries.
Modernize with longevity and sustainability
We know that no system is infallible and that risk is relative. Hence, risk management needs to be dynamic, constantly evaluating and reacting to the changing landscape. Speed and agility are of the essence, along with built-in digital protections that reduce complexity and provide longevity for our investment — especially considered against the backdrop of an economic downturn.
It sounds scary to re-imagine a world without boundaries, but what we’re really building is a frictionless, trusted and integrated network, where silos are removed and complexity is reduced by having end-to-end visibility of each interconnected touchpoint.
Many organizations are already re-imagining themselves as digital organizations, opening new lines of business, supply chains and experiences for employees and consumers. To do this in a safe and secure manner requires a network of trust. This means adopting an identity of everything mindset to explicitly verify and validate each entry and data point.
Forging new links between the physical and digital worlds dramatically increases the scope of enterprise security and safety. This is perhaps the next step in the evolution of zero-trust, where we re-imagine a trusted network without boundaries that enables us to operate end-to-end to explore the art of the possible.
About the author
Microsoft Chief Security Advisor
Sarah Armstrong-Smith is Chief Security Advisor in Microsoft’s Cybersecurity Solutions Area. She principally works with strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.
Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity and compliance landscape, and how this can be proactively enabled to deliver effective resilience.
Sarah has been recognised as one of the most influential women in UK Tech and UK cybersecurity and regularly contributes to thought leadership and industry publications. She is passionate about pushing boundaries and challenging the status quo.