In our society more and more devices are connected to the internet. These so-called Internet of Things (IoT) devices are everywhere and most of the time run software. Root cause analysis of cyber-attacks reveals poorly coded software in these devices. And yes, hackers use vulnerable software to misuse these devices for hacks or attacks that have severe impact on organizations and society.
"The urgency to implement more software into organizations under the heading of the 'digital transformation' adds a challenging complexity."
Speed & agility
The urgency to implement and roll out more software into organizations under the heading of the "digital transformation" adds a challenging complexity. Companies want to digitally transform in a secure way, but the speed of their business, as well as fast-evolving technologies, pose a major challenge. Especially for individuals or bodies such as boards, regulators and senior managers, who benefit from the well-being of the firm, it is hard to maintain the required knowledge. The issue of speed is also challenging for risk, security and compliance officers, who are responsible for enabling digital transformation. They too need to maintain appropriate knowledge and skills to understand the risks and to support the decision-making process.
Old-school practices are obsolete
The majority of senior leaders are educated in old-school practices with a focus on auditing and compliance. With dynamic cyber risks on the rise, governing and managing the critical assets that reside in the cloud or in distributed ecosystems requires a diverse set of knowledge and skills. This is a continuous process, because what is new today will be obsolete tomorrow.
The domain of Information Security has extended deeply into the first line of companies. With regulatory pressure such as privacy directives (GDPR) and the new Cybersecurity law for critical infrastructures, business owners are made aware that they hold the data on behalf of their customers, so they need to take proper care of it. IT and security professionals need to direct, support and monitor the adequate implementation of security controls in order to protect the crown jewels of the business. This process requires deeper collaboration skills and a good understanding of the economic value of the assets in order to quantify the inherent and residual risks a company is facing.
This becomes even more important in agile environments, where autonomous teams need to work DevSecOps and everybody in the team takes ownership of building secure software as part of their craftsmanship. The Product Owner aligns the risk appetite and drafts appropriate user stories with his/her stakeholders. The Scrum Master manages security and reliability on the backlog, the execution of the user stories and the feedback loops. The Developers in the team write the (secure) code and work on the artifacts, and finally the Engineers test the code and provide feedback to the team and to other DevOps teams so they can learn. This "feed-forward" learning process across multiple teams is important to continuously learn and absorb new capabilities and eventually improve the cyber resilience of our companies and society.