This article was first published in Forbes by Christine Bejerasco and has been reposted for its valuable insights. The original can be found here. To address cybersecurity talent management at the executive level, please contact Deborah Page, our Vice President of Technology and Government Contracting Practices.
The days when software lives in your device, or even in a single data center, are over. The “as a service” model has swallowed nearly everything—even cybercrime. And many of the services your business relies upon use infrastructure that’s also sold as a service.
And this is just the beginning of the “outsiders” whose security your business depends upon. Once your data flows to a service, it’s usually stored on another service. And nearly every service your company runs on includes some open-source software, which is likely developed and maintained by a vast network of volunteers.
For better or worse, we’re all in this together. If your business thinks it can employ the old model of just protecting your company’s “estate,” you’re in for a very rude awakening.
Putting The “Co” Into Security
Again and again, we see that the failures of cybersecurity are often failures of collaboration and cooperation.
Supply chain attacks have become so effective because communication channels across different organizations either break down or just don’t exist. When a software subscription is purchased, there is rarely a model for continuous communication on software changes with potential security impact. The most customer organizations may get are automated messages on software security updates.
There’s only one answer to the inescapable interdependence we’re all stuck with and will only get more intense as the cloud, powered by AI, swallows almost everything. That’s cybersecurity that prioritizes collaboration and cooperation. Call it co-security, because sticking with traditional cybersecurity as we’ve been doing for the last few decades just isn’t good enough anymore.
Co-security sounds like one of those marketing buzzwords that the cybersecurity industry invents, like “shift left” or “zero trust.” But bear with me, because before they became corny, these terms had a point—and they still have a point.
First, just answer these questions: Can you really secure your organization alone? How dependent is your security on that of your vendors? How dependent is your organization’s reputation on the security that your vendors control?
Your Vendors’ Security Is Your Security
Assuming that you would like to elevate your security posture, you must work with vendors whose cybersecurity ambitions align with yours. Then hold them accountable for the security they promise. Depending on an organization’s budget, this can range from getting your vendor to answer a cybersecurity questionnaire prior to procurement to subjecting your vendor to a security audit with a trusted cybersecurity consultancy.
Perfect cybersecurity is unachievable. Technologies evolve, people come and go within an organization and threat actors continuously find new ways to deploy threats. So even if the organization passed the security audit a year ago, its security posture could have changed today.
Should your organization not have the sufficient budget to subject some of your vendors to a security audit, you can do some quick validation on how your vendor is treating cybersecurity vendors from open information.
For instance, one indicator of a vendor who is serious about continuous security improvements is the presence of bug bounty programs on their websites. This means that they pay security researchers to report vulnerabilities found in their software so that they can fix them. This is important because if these vulnerabilities are instead found by threat actors, or reported to exploit acquisition sites, they can be weaponized and used against the users of those software. So, the vendor who gives researchers the option to do a good deed is doing their due diligence.
We Can Improve Security Together
Many governments have already realized if they’re going to keep society secure, they cannot ignore the security of the digital world. As a result, more and more regulations are created and updated. This process has always been an exercise in catching up. The shortage of cybersecurity expertise means the group that designs the regulations may lack sufficient expertise. Since these will become our laws, this becomes a collective problem.
From what I’ve seen in the past two decades, securing society cannot be left to the private sector. Our work is massively more successful when the law helps drive compliance. So, if this is the most effective way to deploy cybersecurity across a certain jurisdiction, shouldn’t we be working much closer with those who are creating them?
In jurisdictions where digital laws don’t yet exist, shouldn’t we be asking for them?
After all, these are protections for our collective future. We have already seen how differences in how cybersecurity is viewed by one country can impact other countries. Cybercriminals, who operate in a borderless world, benefit immensely from laws that stop at geopolitical borders.
Competitors Have To Be Collaborators
Every industry can be a target. And some threats, like ransomware, are industry-agnostic. However, there are also industries that are cybercriminals’ favorites, such as finance or the energy sectors.
When it comes to industry-specific threats, it’s in the best interest of everyone in the sector to elevate their collective security. Most industries have already been established for decades and already have alliances and communities where professionals gather and build working groups for collective improvement.
If cybersecurity is not part of the discussion yet, it needs to be. This can be as simple as sharing best practices and indicators of compromise (IoC’s). The value here is collective security. If communities within the industry build active cybersecurity groups, they can quickly report vulnerabilities exploited, domains and IP addresses used by threat actors and threats found within their estates. The moment that these threats are exposed, they can be neutralized.
Cybersecurity can, of course, be a competitive advantage, and that’s a worthy goal for an organization. But sharing best practices and elevating your peers isn’t just truly commendable—it’s good for your security. And that’s what co-security is all about.
