Is there a new paradigm for cyber security and defense?
The landscape of cybersecurity and defense has undergone a seismic shift in the past five decades.
What was once focused on addressing code errors and system vulnerabilities has now escalated into a trillion-dollar industry as companies have become increasingly dependent on digital systems.
This evolution underscores the urgent need to stay ahead of the curve.
The emergence of machine learning and the advancement of multitudes of large language models (LLMs) have introduced new challenges: on one axis, the real prospect of faster and more sophisticated attacks from more groups, and on another axis, the creation of new unknowns.
Our approach
As a Chief Information Security and Risk Officer (CISRO), you must not only continue asking the crucial questions we are grappling with but also consider new ones to test our thinking and systems.
Imagine the human body's blood as an analogy for a business's cash flow, sales, and ability to thrive. Just as red blood cells carry oxygen, without which we'd die within minutes, a business needs cash to survive and sales to grow. While we can focus on optimizing efficiency and effectiveness, we must recognize the importance of crisis preparedness, akin to the platelets' role in stopping bleeding.
The body's white blood cells represent a hidden immune service, complementing the first line of defense: the wall of the skin, cooked food, clean water, and hygiene. Similarly, our security and defense systems have traditionally relied on barriers, but limited resources have always left weaknesses in our defenses.
If we visualize a wall built with a finite number of Lego blocks, it represents these budgetary constraints.
Building it too high makes it unstable, too wide makes it easy to jump over, and too deep makes it easy to circumvent. The challenge lies in striking a balance that accounts for risks beyond just optimization and market logic.
Our understanding
With the emergence of new AI threats, we realize that this time of balancing has passed. Bigger walls in any direction don't work. AI will be faster and quicker at getting past any new walls, creating more unknowns.
Hitherto, a prime approach to security has been keeping out bad actors through walls, screening, and monitoring. However, a new risk emerges with the potential for machine learning and generative AI to impersonate any authorized personnel, compromising corporate accounts and those with delegated authority - without detection. Indeed, the system can be used to hide itself.
Security through obscurity has gone. We cannot depend on the sheer volume of data to hide in plain sight, as LLMs are surfacing data, and no one knows if it is right or wrong.
For a long time, the right question was, "Is our enterprise security being compromised by the wrong types of agents?" Now, the question has become more nuanced: "Is your enterprise immunity being sabotaged by the types of delegated authority we have?"
We find ourselves in uncharted territory, lacking a roadmap and a clear understanding of the journey ahead. We lack the narrative to explain new threats and risks and determine whether we need to divert existing budgets or request additional resources.
This is no easy task, and heavy lifting must be done. However, only some are willing to invest the time to think and talk about these concerns; others will remain reactive. Are you one of them?
Our programme
Therefore, we aim to set up one-on-one calls with CISOs who are willing and able to engage in a half-hour weekly call for an initial three weeks.
During these sessions, we will discuss and explore what "immunity" might look like and how it would differ from our current approach.
This is a first step in equipping ourselves to ask better questions and raise awareness about the budgets, work programs, and focus areas needed for 2025.
Where we place investment has changed from the simpler view of a people-or-tech axis to a complicated matrix, but right now, we lack the data, culture, and ability to get better information to the board on security, defense, and threats.