Technology is developing at ever-increasing speeds and becoming more connected as our world is rapidly digitised. This trend has carried both opportunity as well as risk, as improved digital infrastructure, and the exponential rise of IoT devices is driving both increased connectivity and an increased risk of cyber security attacks.
At both a professional and personal level, cyber security is an issue that is top of mind. Every second, more and more devices are connecting to the internet, and with increasing awareness of risks and bad actors, businesses need to ensure that their devices are not left vulnerable and have solutions in place for protection. Breaches can result in catastrophic enterprise risk, with significant reputational and bottom line damage, such as the recent disruption of the USA’s largest fuel pipeline.
As start-ups and tech innovators come up with new solutions to solve industry problems, their focus (invention and improvement) may place cybersecurity as an afterthought or occasionally neglect cyber implications altogether. However, cumbersome cyber security policies in some organisations can also be a blocker, stopping innovation in its tracks.
Security teams need to be able to adapt, to get this balance right between driving innovation and managing risk. Today we delve into how security teams can work with businesses to ensure they are protected, but don’t stifle innovation at the same time.
Cybersecurity: Is it keeping pace with the threats?
Cybersecurity is a field that is developing rapidly and tends to follow overall tech trends. When companies moved to the cloud, security tooling and tactics did the same, focussing on becoming more cloud oriented. The security problems themselves have not changed that much in nature, still related to Confidentiality, Integrity and Availability of systems/data (CIA). However, the techniques to fight hackers are continuously adapting.
Charn Tangson, the Head of Cyber Security & Privacy at Willow, is well versed in the challenges that face asset owners and is confident about the future. “Security is a very tech-heavy field, and I believe the industry generally keeps pace with technology innovation and potential threats.”
How do you ensure a strong cyber security culture, but also ensure businesses are pushing the envelope with new ideas?
Tangson believes that safeguards need to be in place but they shouldn’t hinder ideas and developments. “Security needs to be adaptable and work with the business to ensure that we don’t stifle innovation while still helping to protect organisations.”
“Security teams should be like guardrails in bowling. They should help guide the organisation, and protect the playing field to keep things safe, without blocking anything. You can often bowl faster because you feel safer and confident for your business to operate faster.”
Organisations that don’t yet have a mature cyber security practice, or lack sufficient resources to protect their assets properly, can tend to either take a very firm approach towards security, or conversely, try and side-step it. “The key is to get the balance right”, Tangson warns. “If the approach is too strict, there is a tendency to block everything, which can stifle innovation and suffocate the business, slowing everything down”. However, trying to get around security also has its problems. “Whilst this can enable a faster pace for an organisation, it is clearly unsafe and can build technical debt that must be fixed later on”.
How to protect your assets
The priority for a security team is twofold – protect the organisation and corporate network from cybercriminals, and ensure the environment is secure. “Our priority is to protect our application and product, the WillowTwin™,” Charn says. “Our focus as custodians of clients’ digital twins is on customer trust. We’re building an application security function that ensures our cloud service has world-class security practices backing it and protects our customers’ data and networks. Willow also takes advantage of being able to leverage the enterprise-grade cybersecurity controls of the Microsoft Azure platform.”
Willow works very closely with Microsoft, with all its products deployed in the Microsoft Azure Cloud, which has 15 global certifications, including SOC 2 and ISO/IEC 27001, 14 US government certifications, and over 60 country- and industry-specific certifications. Microsoft spends over $1 billion USD per year on cyber security as well as physical security of their datacentres. The Willow Cloud architecture is fully aligned with the Microsoft Azure Cloud and follows a stringent security and governance framework.
Although his specific security role here relates to digital twins, Charn points out that the issues he faces are similar to cybersecurity practices everywhere.
“Security tends to be uniform across most environments. The key differences are understanding what you need to protect and then building a security strategy around that. Fundamentally, an infrastructure network versus a real estate network has the same goal – protecting the network that operates the physical asset.”
A modern security team can ensure their networks are safe by focusing on the right solutions and procedures. For example, a fundamental way to protect assets is to be able to identify potential problems.
“Visibility is the first step. You need to know what’s at stake in order to protect it. Security tools that help monitor and provide an idea of what vulnerabilities exist in your network might be the place to start”, Charn says. “As owners and operators continue to digitise their assets, the attack surface of their portfolios grows. The risk they face is they do not have comprehensive visibility of what is actually happening on their asset networks.”
Charn’s top tip for starting your cyber journey:
If you are an organisation starting out on your cyber security journey, start by working with well-known industry standards – these are a great place to start (such as NIST Cyber Security Framework, CIS Top 20, ISO27001 or other similar government-specific standards like Australian ASD Essential Eight). No single standard is perfect, but they give a good baseline for those who are not yet tackling the problem.
The media may focus on insecure IoT devices and the occasional infrastructure hack, but the reality is that there are solutions to these problems. Security technology and cybersecurity professionals can counter and safeguard against cyber threats. Less diligent teams may leave simple vulnerabilities – the equivalent of having “password” as a password – but this doesn’t happen if the right specialists are employed, know what they are doing and have the resources and investment to protect their environments accordingly.
As our world becomes more connected, the idea of so many devices linking together can seem alarming, but the industry is keeping pace. Cyber practices are a critical function in innovative contexts and with proper security and procedures, it is a very manageable problem.