The Digital Transformation Expo in London – Cyber Security

This second article focuses on another core topic of the Digital Transformation Expo in London: cyber security. Like the previous article, the text below is my personal interpretation of the sessions I attended, so it is not necessarily completely factually correct. The key take-away for me: cyber security and defense are primarily about people, not about technology and processes.

It’s all About the User

There were dozens of vendors present selling solutions dedicated to hardening applications and the underpinning (cloud-based) infrastructure. According to Gartner, companies and governments will spend an estimated $124 billion on information security products and services in 2019, an increase of almost 9 percent compared to 2018. That is an amount similar to the GDP of Ukraine in 2018. 

So, the question is warranted whether that money is well spent.

The sobering news according to Verizon’s 2019 Data Breach Investigations Report is that 81 percent of the confirmed data breaches involved weak, stolen or default passwords. Regardless of whether the data is hosted a) in the company’s own datacenter, b) by an external service provider or c) in the cloud (e.g. AWS, Azure, Google), most serious attacks start with collecting user data.

By the way, by ‘user’ I mean anybody, from the CFO to an intern, developer, supplier, contractor or customer, who in one way or another has access to part of your restricted or confidential data (see illustration).

More than one user

During the expo, several red team engineers demonstrated how publicly available data, data and tools for sale on the ‘dark web’ and weaknesses in the application and/or infrastructure can be combined to slowly but surely enter your IT environment. Every internet-facing interface (e.g. Outlook Web Access, Active Directory Federation Services, self-hosted Lync servers, web VPN portals) provides The Bad Guys with an ‘attack surface’ to turn snippets of user data into access to the company’s IT environment.

The user is the most successful attack vector, not technology.

A Bigger Wall is Not the Answer

Hence, building bigger virtual walls around your data should not be your sole objective. It is equally important to be safe to fail. Like the Maginot Line failed to keep the Germans out in WWII, companies have to assume their fortifications and obstacles will one day be circumvented by an attacker.

Also similar to the Maginot Line is the need for an uninterrupted flow of ‘non-combatants’ across borders. Customers, business partners, suppliers and users expect a frictionless user experience and, in the process, ensure that part of your data has already left your premises. Slack, Teams, Dropbox, Box, OneDrive, public email (e.g. Gmail) and other collaboration tools ensure that some restricted and confidential data leaves your company and consequently your control. Even worse, who prevents your business partner or supplier from storing data you consider confidential on an unencrypted USB stick or laptop?

As said, you can ‘harden’ your own devices (e.g. encryption, two-factor authentication (2FA), password policies) until your users pull their hair out in frustration, but one day sensitive information will slip through.

As you cannot reduce your cyber risk profile to zero, what can you do?

Business Value Drives Cyber Defense Approach

All data is equal, but some data is more equal than others. Customer data, intellectual property, employee payroll data and passwords are valuable corporate assets, not mere ‘data.’ For starters, this implies that it is the business and not IT which should be in the lead when classifying data. The business knows the context and thus value of your documents, emails, presentations and other data points. Secondly, data protection is more than GDPR compliance as your product designs, chemical recipes, source code, customer contracts and cost structure may be more valuable than the reputation damage and fines related to a breach of Personally Identifiable Information (PII).

Hence, when defining your cyber defense approach, look beyond GDPR compliance (and other regulations).

With the value of your data driving your cyber defense approach, data classified as ‘key company asset’ should be under strict, centralized business and IT governance. Preferably, you also don’t want this data to reside in multiple, geographically distributed data centers, or to be hosted by different public cloud providers, as each has its own cyber defense do’s and don’ts. Experimenting with different technologies, cloud providers and so on is crucial from an innovation perspective, but not so much when safeguarding your golden eggs. For the latter you want to invest in specialists with deep skill sets instead of generalists.

For key data assets, users are more likely to accept that they have to jump through additional burning hoops to access the data, even though user experience remains important: users will find ways to circumvent controls they perceive as unreasonably restrictive. And let’s not forget: a product design or other piece of intellectual property has value only when you can actually use it. Risk is only one side of the coin; the other is benefits (e.g. more revenue, margin or customers), a fact often overlooked by the CISO and other risk management professionals when designing a risk mitigation approach they consider appropriate.

Talking about user experience, another topic covered in London was the end of the password (hooray!). While counterintuitive, passwordless authentication eliminates one important weakness: weak passwords, passwords on Post-its, passwords stored as documents on the desktop and so on. Biometric authentication, pattern-based one-time passwords, tokens or single-step 2FA are solutions gaining traction for data with medium value.

Value should not only drive user experience, but your whole cyber defense approach, as depicted in the illustration below. Both at industry level and at business line/process level, every company should make a conscious decision about what its overall cyber defense maturity should be. Full-blown Security Operations Centers (SOC), Cloud Access Security Brokers (CASB) and Red Teaming are expensive, as are company-wide two-factor authentication and security segmentation at application level (‘micro-segmentation’). They require a solid business case.

Cyber Defense Maturity at Industry and Business Line Level

Expect other cyber defense practices, like the Zero Trust Model, to enter mainstream adoption soon regardless of the industry the company is in, as it is all but impossible to distinguish between internal and external users. Suppliers, contractors, customers and students need access to some data but not to other data, from devices you may or may not know. And let’s not forget the impact of Artificial Intelligence, as The Bad Guys have already embraced it.

Artificial Intelligence to the Rescue?

As mentioned in my first article on the visit to the Digital Transformation Expo in London, Artificial Intelligence is going to cause serious waves in the years to come. Attackers will turn to AI to automate their attacks and make them more complex (e.g. deep fakes, social media manipulation). At the same time, concepts like Smart Cities, Smart Medical Devices, Smart Buildings and the Internet of Things (IoT) in general will dramatically expand the number of targets and attack vectors. Combined, they leave companies with little choice but to invest in AI-based cyber defense mechanisms. Due to their nature, AI systems can scale more easily than humans can to cope with the growth in number and diversity of smart devices. AI, not humans, can detect new, unknown patterns in millions of data points, countering the bad guys who use AI to help them evade detection.

In other words, the same cat and mouse game continues.

Start thinking beyond digital platforms

Platform companies are all the rage, but for most older companies it is enough to rent or build a substantial platform component to stay in the game. For now, at least, as platforms are merely a wave and what matters most is learning to surf.

While the popularity and proliferation of platforms like Android, iOS, Facebook and Amazon is easy to understand, most platforms fail, with an average lifespan of less than 5 years. Social network platforms Google+, Friendster, Myspace, Vine and iTunes’ Ping came and went. Others, like Facebook, Amazon, Google and Apple, became so successful that they are now scrutinized for monopolistic behavior.

More importantly, while platform companies are the fastest growing sector of the S&P 500, both in market capitalization and in media attention, most listed companies come from a more traditional background. They often produce a physical asset (e.g. chemicals, cars) or require complex customer-supplier interactions (e.g. building cruise ships), and they operate in mature and therefore often heavily regulated markets. All are indicators that the straightforward platform strategy used by ‘born digital’ platform companies like Twitter, Uber and Dropbox won’t work.

Incumbents have to play another game and turn this seeming weakness into their greatest strength.

Platform strategy for incumbents

John Deere, a farm equipment manufacturer since 1836, launched its MyJohnDeere platform in 2012. By connecting both equipment (e.g. crop harvesters, tractors) and stakeholders (e.g. farmers, dealers, third party software companies, consultants), John Deere enabled farmers to lower their operating cost and increase their yields. The Predix platform from General Electric, the HealthSuite platform from Philips and Disney’s Disney Plus streaming platform are other examples of established companies which understood that the ability of platforms to concentrate customers, business partners, data and consequently value could not be ignored.

What they also have in common is the time and talent required to turn the companies’ existing strengths into a complementary platform strategy.

Is time on my side?

Blockbuster bought MovieLink for its movie streaming platform in September 2008, eleven years after Netflix initiated the market disruption. It was too late and a half-hearted approach, two fatal mistakes in a market in which time suddenly flowed at a much faster rate. Blockbuster filed for bankruptcy protection in 2010.

Before anything else, incumbents have to embrace that time flows faster in hybrid and digital markets. Employees of Samsung or other smartphone manufacturers are active in a market shaped by the constant fear of falling behind. They closely follow each other’s moves, always seeking that new differentiating feature that will make the next product launch a success. It is a race that never ends, as Microsoft found out after winning the ‘browser wars’ in 2004. After capturing a market share of 95%, the product team responsible for Microsoft’s Internet Explorer lost its edge, allowing Firefox and later on Google Chrome to tip the scales in their favor. However, adopting speed-to-market as a strategic metric is by itself no guarantee for success.

While Google got caught off guard when Apple introduced the iPhone and iOS in 2007, it had enough time and financial resources to catch up and eventually even surpassed Apple in the number of smartphones running its operating system. Huawei is in a far more awkward position. It leveraged Google’s Android platform to quickly gain traction in the smartphone market, but every advantage has its disadvantage. Huawei does not own, and thus does not control, the Android platform; Google does. For Huawei, the decision to rent platform capabilities instead of building them suddenly became a liability when it got caught up in the middle of the trade war between China and the United States.

While both Samsung and Huawei sensed the strategic risk associated with renting platform capabilities and tried to mitigate it by investing in Tizen OS and Harmony OS respectively, it is yet to be seen whether customers are willing to board a platform which joined the party ten years late. The decision to build or rent platform capabilities is therefore one of the crucial topics for any incumbent defining its platform strategy.

Do I have the talent?

Platform-related technologies themselves are inert. Revolutionary or not, technology needs a compelling relevance to a customer’s life. Talented people understand that a large marketing budget cannot compensate for a lack of need. They possess the capability to turn the inherent value of technology into realized business value. In contrast to born-digital companies, the team driving the platform transformation at an incumbent faces an important additional challenge: combining the opportunities offered by these technologies with the existing strengths of the company.

Established companies already have a customer base and brand, financial resources, deep market knowledge, committed employees, and an operational backbone. Supplemented by company-specific differentiators, these form the foundation upon which to build the desired complementary portfolio of digital products and platform components. However, the older, larger and wealthier the company, the more likely digitalization initiatives face a mismatch in sense of urgency, cultural fit, governance approach and metrics. Mitigating this risk by organizing these initiatives completely outside the existing corporate structure prevents them from utilizing the available deep market knowledge and operational backbone. Hence, the relative ‘looseness’ between the existing operating model and digitalization initiatives should be a key attention point when defining and implementing the platform strategy.

The right digital-savvy leadership team also recognizes something far more important: platform-thinking will eventually be replaced by something else. No one yet knows when or by what, but nothing is impervious to the impact of time. More important than defining a solid platform strategy is therefore creating and nurturing the organizational capability to be successful beyond a single wave.

Learning to surf

Every innovative business model or emerging technology commoditizes and eventually fades into the background after being replaced by something new. Even the decision by John Deere, General Electric and Philips to invest in platform components is merely a step in the right direction. Artificial intelligence and distributed ledgers are pushing the value of first-generation platforms towards the next level, promising personalization-at-scale and improved efficiency throughout the whole value chain. Linking brains directly to devices and platforms may be part of the third platform-related wave. That is, if a yet to emerge technology wielded by talented people does not disrupt the direction we are currently heading.

To be successful beyond a single disruptive wave, every member of the company, from the leadership team to the people manning the front lines, has to embrace a permanent state of ‘divine discontent’. Nokia and BlackBerry failed because their leadership teams missed the transition from selling phones to platform-thinking. It is the same intrinsic motivation to continuously improve and challenge the status quo which determines whether Zara, Apple, another incumbent or a yet to emerge new entrant will dominate the convergence of technology and fashion.

Time is a constant source of small, large and occasionally ‘freak’ waves and the future belongs to those companies that learned to surf.