One of the more memorable conversations I had this year was with Tony Arcadi, associate CIO for enterprise infrastructure at the U.S. Department of the Treasury. I met him at Gartner’s annual gathering of IT leaders, Symposium/ITxpo, at Walt Disney World in October. We had a long discussion about new technologies such as blockchain, the cultural changes brought on by cloud computing and how plain exhausting it is to hike from one far-flung Disney resort to another in the Florida heat.
Arcadi served up the baked confection as a metaphor for the cybersecurity approach organizations should be taking in an age marked by increasingly sophisticated attacks. Cybersecurity should be present from the start of any tech initiative.
“It’s not an ingredient you can add to the top; it’s not frosting on top of the cake,” Arcadi said. “It’s got to be an ingredient that you put in a cake and mixes in with all the other ingredients.”
Cybersecurity should be blended into an organization’s operations — like an egg stirred into cake batter, Arcadi said — and everyone, not just the CISO and the IT security team, should work to maintain it. “I think that’s where we need to move our cyber to versus the current approach.”
(Arcadi stressed that his remarks did not represent the views of his employer, the Treasury Department.)
I spoke to Arcadi barely a month after credit-reporting agency Equifax announced it was the victim of a data breach that exposed the personal information of 143 million Americans — a “catastrophic event,” he said. And yet are we as a society the wiser for it? Have we changed our cybersecurity approach?
“I don’t know that we’re doing anything any differently today than we were when that happened — or have any plans to do anything differently.”
Some may look at the Equifax breach and countless others in 2017 as justification for bringing on cutting-edge technologies. Arcadi cited artificial intelligence (AI) as an all-the-rage foil to cybercriminal treachery.
Indeed, it’s the tack taken by major tech companies, as Nick Coleman, global head of cybersecurity intelligence at IBM, says in an article by SearchCIO’s sister publication, Computerweekly.com: “The threats are becoming so serious that we need to embed AI and automation into security processes so that we can be more intelligent and efficient in our response.”
AI may very well bolster cybersecurity, Arcadi acknowledged, but the larger problem is AI will be available to the bad guys, too.
“Their AI is going to hit my AI; my AI is going to their AI. What levels this off and causes this to decline?” he said. “Somebody much smarter than me needs to come up with the answer, and I will be happy to implement it.”
In his role as CIO at the Treasury Department, Arcadi is doing his part, helping craft a cybersecurity approach that’s “more integrated and less layered.” That layered opened the oven door on the cake metaphor once again. Cybersecurity needs to be baked in — again, it’s the eggs, not the frosting.
“That’s what I’m working toward — trying to bring it into integration,” he said. “Let’s not produce this thing and then send it for cyber review. You know, ‘Hey, cake’s done.'”