October is, of course, Cybersecurity Month here in the EU, and we are in the midst of Cybersecurity Week in Luxembourg.
The semi-official days, weeks and months dedicated to issues of societal significance have become part of the regular course of business. They serve as a recurring call for greater awareness, solidarity and action in the face of important challenges afflicting people individually or as a group.
Scientific breakthroughs do happen…
For instance: October is also breast cancer awareness month; breast cancer remains a leading cause of cancer death amongst women despite decades of significant medical advances. Last December, the U.S. Food and Drug Administration approved the hitherto most effective therapy for breast cancer expressing an antigen known as HER2, with some key opinion leaders in the medical community – oncologists whose very bread and butter is sobriety in the face of illness – describing the antibody-drug conjugate as being “like magic”. Below is a “waterfall” plot describing the effectiveness of Enhertu in women with heavily treatment-resistant HER2+ breast cancer:
In this single-group, phase 2 study, the use of trastuzumab deruxtecan resulted in a response in 60% of women with HER2-positive advanced breast cancer who had received a median of six previous lines of therapy.
— NEJM (@NEJM) February 14, 2020
As the plot shows – and this is highly unusual in the world of therapeutic drug research – Enhertu induced significant tumor regressions in nearly all of these patients. This is as close to a “silver bullet” as we will get anytime soon in this cancer subtype, and we should be grateful to the researchers, physicians and patients who have made such a “miracle cure” possible.
… but there is no silver bullet in cybersecurity
A crucial takeaway for any organization is that, unlike in HER2+ breast cancer, there will likely never be a “silver bullet” in protecting against cyberthreats, for the simple reason that our IT infrastructure, software and ways of doing business keep evolving and, in lockstep with them, so do the corresponding cyberthreats. As our partner PwC put it in a recent blog post, “cybersecurity and information security are not constant— in fact, the only constant they have is constant change. Risk and risk scenarios might not change that often, but the defence mechanisms required to mitigate the risks often do, as does the exposure factor.”
In today’s context of supercharged digitalization, not least as a result of the COVID-19 pandemic, cybersecurity is truly everyone’s business, as I described last month.
Specifically in the realm of finance, innovative technological solutions also entail new cyber risks, and our increasing reliance on the digital infrastructure underpinning modern financial services amplifies the existing risks linked to that infrastructure. That is why the Commission has proposed, as part of its digital finance package, a dedicated text on Digital Operational Resilience (DORA), as discussed here, and is likewise including specific requirements and protections in its proposals relating to crypto-asset and DLT infrastructure.
Resilience has become a real plat de résistance in business lingo since the start of this year, referring both to fundamental economic factors and, more specifically, to our ability to maintain digital services in the face of ICT vulnerabilities and cyberthreats. In this context, I recommend reading Bernard Marr's Forbes piece discussing the differences between cybersecurity per se and cyber resilience, and how to better embed both in your organization. This was also the topic of a webinar led by Fujitsu in the context of Luxembourg cybersecurity week.
Empowering talent, leveraging technology
Another key consideration when thinking about cybersecurity or cyber-resilience in any organization is the role of the chief information security officer and how that role is embedded within the hierarchy. Gartner has a very helpful, concise e-book providing CISOs with concrete suggestions on how best to handle expectations from the board of directors, and discussing the growing responsibilities of CISOs and what that might entail in terms of the search for, and formation of, talent. Gartner states: “CISOs are expected to selectively add more than 30 such capabilities to their function over the next 24 months, such as security strategists”. Furthermore, “it takes an average of 130 days to fill an open IT security position; openings go unfilled and teams remain understaffed for many months”. This imbalance between demand and supply speaks volumes about the unmet needs in corporate cybersecurity, and the urgent need for both our educational system and corporates to invest more in the required capabilities.
In parallel, we must embrace technological supplementation and, in some cases, substitution of the more labor-intensive tasks carried out by IT security professionals. A Capgemini report touches upon just that topic by discussing the potential for AI to dramatically decrease inefficiencies in cyberdefense, and it is encouraging to see the financial sector recognize this reality.
Building on a survey of 850 executives, Capgemini further establishes that the integration of AI-based solutions significantly increases the speed at which organizations respond to breaches.
The final leg of the AI value proposition lies in the new products and services which vendors may develop and offer to their clients, which is a particularly alluring proposition for cybersecurity startups.
In the face of the pandemic and in the face of our ever-changing cybersecurity landscape – stay vigilant to be safe!
Author: Jérôme Verony – LHoFT Research and Strategy Associate