By Tony Sager, CIS Senior Vice President and Chief Evangelist
May 21, 2020

“The future is here. It’s just not widely distributed yet.”
William Gibson

When we think about the future of cybersecurity, it’s only natural to focus on exciting new technology. However, it’s also important to consider the threats that might be associated with said new technology. For example, 5G brings the opportunity for vastly greater capacity and capability for businesses and consumers; it also induces profound changes in the nature of communications. And, like every hyper-hyped new technology, 5G is rolling out faster than we can make sense of the potential security issues, leaving us with more questions than answers. Will old cyber-attacks still apply? What sorts of new problems will this create? How should we change our security defenses and requirements? How will we know if a new product or service is “safe”? Now, throw in a “menu” like IoT, the Cloud, quantum computing, machine learning, advanced analytics, and maybe serve it with a side of blockchain and a sprinkling of augmented reality, and the list of questions and potential cybersecurity issues becomes even longer.

No matter how exciting or how threatening new technology might seem, it’s only relevant when people use it. What will really shape the future of cybersecurity is our collective decision-making about risk. Every day individuals and enterprise make decisions about risk, often implicitly, sometimes unknowingly.

Over the last few years, we’ve watched and encouraged cybersecurity’s rapid move into the mainstream of enterprise risk decision-making; it’s moved from the domain of techno-wizardry into a core concern for business and government decision-makers. But it’s not their only concern, and they must look at cyber-risk as just one component of a spectrum of risk issues like business opportunity, reputation, and safety. As an industry, we tend to treat these risks as a language or communication problem, with events and messaging like “What Every Executive Needs to Know About Technology,” and “How To Talk To Boards About Cybersecurity.” While that’s a start, we need to do much more.

There’s an emerging industry of security guidelines, scoring and assessment tools, and verification processes to complement traditional compliance-oriented Risk Management Frameworks and governance, risk, and compliance (GRC) methods. Newer approaches, which are often driven by supply chain concerns, try to be rapid and cost-effective to execute, dynamic and continuous in measurement, and more concerned with generating a current operational view based on data and observations (versus document and evidence creation). They also tend to be more naturally integrated into existing enterprise risk management models and processes. While all necessary, they’re not sufficient. These new approaches should be based on data wherever possible, be openly available, and require a high level of transparency.

Our social need is for a means to express and negotiate trust and confidence in cyberspace, in a way that supports decision-makers with the full range of issues they must confront. This transition can make cyber technologists and wizards uncomfortable as it is complex and “foggy.” However, it’s a necessary step to change the economics of cybersecurity from “buy more magic stuff” to “make more intelligent decisions about risk.”

Tony Sager is a Senior VP and Chief Evangelist for the Center for Internet Security. He leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute. … full bio