Emily Mossburg, a principal at Deloitte & Touche LLP, provided information security leaders with some useful insight yesterday into why their jobs are so freaking hard. The occasion was the Mass TLC event on “The Business of Security” in Boston. Mossburg, who specializes in cyber resilience, was a keynote speaker.
“We’ve been focusing on innovation for the last 100 years. We’ve been building up technologies to enable our organizations to do things faster, to do things more efficiently, to enable our organizations to grow in new ways, including new interfaces with third parties, including new platforms that allow us to interact with clients in new ways — all focused on growth and sharing of data,” Mossburg said.
The aim of all these data-sharing innovations was to give companies better information. “And more data is always better,” Mossburg said. But data protection was not part of the innovation equation. IT environments were built to be hacked.
“There was no thought about what are the risks of sharing this data; about what are the risks to individuals, to our enterprises, to our country in sharing this data and making it so interconnected,” she said.
“So right now we are in the midst of playing an amazing catch-up game, a catch-up game in which we are taking years and years of legacy technology and infrastructure and trying to make it secure,” she said.
Security by design
To change the rules of the game, information security leaders “need to move to the front of the problem,” Mossburg said, outlining what is now considered best practice in security circles, but is rarely practiced: secure by design.
“We need to move to the front of the problem, to the innovation lifecycle, to the process development lifecycle, to the technology development lifecycle, to the system development lifecycle,” said Mossburg. Cyber risks need to be considered from the beginning — as the innovations are being designed, not after. The process change will also change the perception of security professionals and change their roles.
“By including the cyber security and risk requirements up front, we start to align ourselves with innovation, we start to be part of the innovation stream, we change the dialogue of what it is all of us do,” she said.
Be the innovation. That seemed like good advice.