Physical and Logical Security: Joining Forces to Manage your Enterprise Security Risk

Just a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches. Five years ago, we might have found ourselves having conversations about the blurring lines between the two types of security discipline, and could have easily pointed to aspects of both physical and logical security that crossed over each other.

Today? In organizations that have embraced even the least cutting-edge aspects of operational and information technological advances (consumer IoT, industrial IoT, cloud hosted services, etc.), we can no longer rationally discuss a strictly “physical” or “logical” approach to managing security risks to the enterprise.

Quite simply, in a world where:

  • Every camera and door lock in a facility has an individual IP address
  • All security investigations must happen in the real and virtual worlds at the same time
  • Even the most visibly “physical” of protective measures – security officers – are networked via trackers and devices to provide instant information and communication
    … there are few, if any, areas left that do not require attention to a holistic and comprehensive view of all security disciplines at once.

What does this mean for the personnel and management teams that are tasked with providing security in this borderless environment? How do we, as practitioners who may have long histories in a single discipline, protect the organization in a security environment where the risks and mitigation tactics have converged, regardless of whether our organizational structures have evolved to match them?

The answer: Enterprise Security Risk Management (ESRM).

ESRM is a risk management model that allows all functional areas tasked with mitigating security risk to operate under a converged philosophy and approach to more efficiently and effectively mitigate security risk across the enterprise, regardless of the physical or logical nature of the asset, or the vector of the potential threat.

Recognizing the Role
ESRM allows security personnel to work together to effectively protect the enterprise from a broad spectrum of security risks by first recognizing that it is the role of the security organization, at root, to manage security risk in conjunction with the business, and to protect assets from harm in line with business tolerance.

The tasks we perform to mitigate risks might be different, but the process of identifying the assets to be protected, recognizing and prioritizing the risks to those assets, and then mitigating the assets to within acceptable levels of business tolerance, are the same. Take a look at the table below, excerpted from the forthcoming book, Enterprise Security Risk Management: Concepts and Applications (Allen & Loyear, 2017). It shows a quick side-by-side of the kinds of tasks that security groups do, and how they are essentially mitigation responses to the same security risks.

The overarching risks cannot be effectively mitigated by only a single tactical function. Working together, under a common risk management framework, all security personnel can more effectively protect the enterprise environment against security risk.

The Benefits of ESRM and Cross-Functional Risk Management Collaboration
Managing all security risks in partnership and under a common ESRM approach can bring the enterprise significant gains in efficiency and effectiveness, even with multiple groups participating in the security partnership. A few to note include:

  • Unified security awareness messaging
    • A partnership approach under an ESRM philosophy allows for the creation of a single, unified, security message that include all facets of security awareness.
  • Single security point-of-contact
    • When all security teams operate under the risk-management approach with the same defined processes, any security incident can be reported to a single point in the company and escalated and directed as needed to the appropriate response team.
  • Operational efficiency
    • Employees with different skill sets can more easily collaborate on incident response processes.
    • Information sharing enables cross-department cooperation during security investigations that require both physical and logical forensics.
    • Streamlined processes save hours and money, allowing diverse security risks to be managed by a single process.
    • Consolidated metrics reporting to business management save time and effort.
  • Optimized risk profile
    • All security risks are identified and managed in an overarching program, making the risk identification and mitigation process more robust and decreasing the potential of overlooked risk.

How Do We Get There?
So, how do we get to the point of converging under a common philosophy, regardless of reporting lines and department structures?

All leaders in the organization with any security responsibilities can align with a risk-management approach by asking themselves:

  • Does my team have clear risk management goals aligned with business risk tolerance?
  • Does my team work with other department stakeholders in the risk decision-making process?
  • Do the members of my team work together with other security teams in situations that cross boundaries of scope?
  • Am I communicating to all areas of the business that my role, and the role of all other security teams, is to manage security risks holistically?

When all the security functions in the enterprise choose to embrace a risk management – ESRM – approach, the outcome is that:

  • All security teams follow a formal and consistent process for security risk decision-making.
  • All security teams follow the same incident response approach, including postmortem investigations and root cause analysis to continually improve the security risk situation of the enterprise.
  • All security teams work in partnership with one another, ensuring open communications and collaboration across department lines.
  • All security teams have the transparency, independence, authority and scope needed to do their work in the right way.
  • All security risks, no matter which team mitigates the risks, are considered part of the holistic security risk management program.
  • All security teams, no matter who they report to, understand that security risk management is everyone’s role.

Rachelle Loyear, CISM, MBCP, AFBCI, PMP, Partner, Security Risk Governance Group

[ISACA Now Blog]

IoT Cybersecurity Act of 2017: A Necessary But Insufficient Approach

The Mirai botnet attack on the DYN network in October 2016 highlighted to many policymakers the potential problems associated with IoT devices. The compromise and concerted use of thousands of webcams and DVRs to disrupt key Internet services focused attention on the poor implementation of security controls on millions of devices newly connected to the Internet.

The introduction of the IoT Cybersecurity Improvement Act of 2017 by a bipartisan group of US senators seeks to address the inherent threat IoT devices pose to federal government services. This bill builds on recent efforts, including the Trump administration’s new executive order on cyber security for federal networks and critical infrastructure.

The IoT Cybersecurity Improvement Act would require the Office of Management and Budget Director to confer with various cabinet and agency officials to define implementation guidance to ensure contracts that enable IoT installation in federal systems meet standards that allow for regular identification and patching of vulnerabilities found in deployed IoT devices across the federal government. The central concept of the bill is the requirement for contractors and agency heads to own the evolving security footprint of IoT devices deployed in their network. This approach is consistent with the Trump administration’s guidance for agency heads to be held responsible for the protection of their networks and critical systems and to include these devices as part of an overall assessment of risk.

While the bill requires contractors to assess deployed “internet connected devices” against vulnerability databases and recommend patching strategies, it does allow agency heads to apply for waivers in cases where devices with “severely limited functionality,” defined as Internet-connected devices with limited data processing and software functionality, can be exempted from the requirement if the executive agency deems it “economically impractical.”

For example, if an agency has deployed 10,000 smart lightbulbs and a vulnerability is found, the head of the organization would be able to request a waiver noting that those lightbulbs have limited functionality and would represent an “undue burden” to replace them with newer models (or push out a patch). It is reasonable for the government to carve out this exception. However, it does raise a fundamental issue. If most IoT devices, including small sensors, lightbulbs, etc., are individually cheap by design (e.g., to be competitively viable as compared to traditional devices), does the introduction of those devices pose an unacceptable risk to the federal agency? Or, in other words, is the agency willing to allow devices that could be used as a relay in a cyber campaign because the devices have “severely limited functionality”?

The bill addresses this problem through the requirement of a risk assessment. In this case, the bill attempts to leverage the current requirement for agencies to develop comprehensive risk frameworks as laid out in the May 11, 2017 US Cybersecurity Executive Order. Those requirements ensure agencies follow the NIST Cybersecurity Framework, which provides organizations with a set of best practices to identify and reduce their cybersecurity risk. This makes sense, yet neither the bill nor the NIST framework provide methodologies for conducting the actual risk assessment. Instead, agencies are left to design and implement their own approaches, which is useful but ultimately problematic, as an inconsistent set of definitions and criteria can be applied.

If IoT devices are structurally incentivized to not integrate robust security controls, and agencies can apply for exemptions to found vulnerabilities, and our application of risk assessment is immature to not fully grasp how those devices can be leveraged by hackers, how can we embrace evolving technology while at the same time protecting the most critical services provided by federal agencies?

The IoT Cybersecurity Improvement Act of 2017 would be a good piece of legislation, as it serves to move the ball forward in highlighting an area of weakness in federal network security. However, the inconsistent and immature processes by which we assess risk to our core services undermines its effectiveness.

Editor’s note: Prior to Dr. Harry’s appointment at the University of Maryland, he spent more than 14 years working in the federal government.

Dr. Charles Harry, Director of Operations, University of Maryland Global Initiative in Cybersecurity, Associate Research Professor in the School of Public Policy

[ISACA Now Blog]

What Does the Future of Financial Cyber Security Look Like?

Today, we trust banks and other financial institutions to safely handle our money and the bulk of our monetary transactions. Successful breaches are somewhat rare thanks to technologies like multi-factor authentication and heavy investment in cyber security, but hackers are always improving their techniques, and tech is always changing. This leads to an ongoing cycle of improvement on both sides: financial institutions keep building better defenses, and hackers keep trying to overcome those advancements.

So, could the financial industry eventually get ahead of the cybercriminals? What does the future hold for financial cyber security?

Consumer trust
Financial institutions’ most important job is building and maintaining consumer trust. Without that, people won’t be willing to part with their money, and the entire system could collapse. That’s why financial companies are working hard to stay ahead of the curve, to inform their customers proactively about prospective threats, explain what they’re doing to stop them, and of course, give them the proof that what they’re doing actually works. Third parties will always be around to rate banks and lending institutions for the quality of their offers, and security will only grow in importance as a factor in the future.

New threats
These are some of the most important threats we need to prepare for:

  • Botnet attacks. The concept of a botnet is relatively simple; a hacker uses a program to gain access to multiple independent devices, usually connected in a peer-to-peer web-like network, and then coordinate those devices to execute an attack. This could come in the form of a distributed denial of service (DDoS) attack, or to steal data, which can then be used to compromise financial accounts.
  • Self-mutating viruses. Standard computer viruses already have the potential to infect a computer, enabling the virus creator to steal information from the victim’s computer or use it as part of a botnet in the future. However, antivirus software often catches and eliminates these threats based on recognized patterns. Self-mutating viruses go a step further; they have the capacity to evolve, sometimes in response to direct threats, making them notoriously difficult to detect and prevent. Fortunately, these are in the early stages of development, and haven’t had much of an impact as a cyber threat thus far.
  • Biohacking. Biohacking refers to a number of different possible actions, all of which focus on identifying important people and gaining access to the biological features that make them unique. As biometrics start to become more heavily integrated, biohacking will grow in both importance and prominence, giving hackers a way to obtain fingerprints or other forms of personal information to gain access to systems.
  • BYOD manipulation. Thanks to the rise of mobile devices, many businesses have now adopted a bring-your-own-device (BYOD) policy, allowing and sometimes mandating that individual users bring their personal devices to the centralized workplace. For cyber criminals, this represents a wealth of opportunities; all it takes is one breached device on a shared network to bring the entire system down.

New technologies
These are some of the ways financial institutions are protecting themselves:

  • Biometrics. Biometrics are a branch of security standards that rely on personal information, such as fingerprints, speech patterns, or even the shape of your ears, to authenticate identity. There are still a number of kinks to work out – such as how biometrics change with growth or significant life events – but if perfected, it could make it nearly impossible for thieves to replicate this information on their own.
  • Quantum cryptography. Typical encryptions use a “key,” which is usually randomly generated, to encode information that can only be decoded by authorized devices and programs, at least in theory. Dedicated hackers could uncover the key and use it to translate messages, with enough effort. However, quantum cryptography takes encryption to the next level, relying on the wave function of elementary particles and quantum physics to encode information in a way that is basically unhackable. The technology isn’t foolproof yet, but someday, it could encrypt information with absolute certainty.
  • Blockchain. Blockchain, the technology used to power the crypto-currency Bitcoin, is already starting to be used in the financial industry. It relies on a peer-reviewed open ledger to record and remember transactions, making it nearly impossible to record fraudulent transactions or “steal” from other participants in the chain. It’s a technology still in its infancy, but it has massive disruptive potential.

It’s hard to chart an exact course for the development of technology, as cybercriminals are always looking for surprising new angles, developers are working on projects in secret, and all it takes is one new revelation to force changes on both sides. Still, the world of financial cyber security will be interesting to watch in the coming years.

Anna Johannson, Writer

[ISACA Now Blog]

Will Blockchain Disrupt the Lives of Governance and Assurance Professionals?

 

The blockchain’s distributed ledger paradigm is serving as the supporting foundation to some forms of digital transformation, including the utilization of cryptographic virtual currencies (VCs) such as Bitcoin. These virtual currencies are actively utilized around the globe, both within and outside the circuits of formal economies of countries, with important financial implications including increased economic disintermediation, financial inclusion and extended digital pseudo-ecosystems that combine people, business entities, and a new generation of smart connected components.

Not only is the whole fintech industry becoming substantially disrupted by the paradigm due to the ability to move money in a decentralized and secure peer-to-peer model, but virtually all other industries are prone to substitute often bureaucratic procedures for more automated and smarter business practices.

During recent years, global organizations including the United Nations system, Multilateral Development Banks (MDB), International Financial Institutions (IFI), and the World Economic Forum, were actively engaged in their respective roles trying to commensurate the impact of this paradigm in the societies and economies of the world.

The World Economic Forum, through its intellectual debate about the Fourth Industrial/Digital Revolution, as well as one of its Global Future Councils focused on the “Future of Blockchain,” has been vocal and active on the topic, stating that “blockchain is more than just moving money. It has the potential to transform our lives, and to make the world a more efficient, frictionless place. The number of people around the world living in either broken systems or entirely corrupt systems is staggering. If done right, blockchain could positively reform entire systems.”

In January 2016, the International Monetary Fund released a first-of-its kind professional paper called “Virtual Currencies and Beyond: Initial Considerations.” This so-called staff discussion note gave a serious consideration to how new technologies are driving transformational changes in the global economy, including the emerging utilization of virtual currencies created as private sector systems that, in many cases, facilitate peer-to-peer exchange, bypassing traditional central clearinghouses. The paper also notes that “VCs offer many potential benefits, including greater speed and efficiency in making payments and transfers—particularly across borders––and ultimately promoting financial inclusion. At the same time, VCs pose considerable risks as potential vehicles for money laundering, terrorist financing, tax evasion and fraud.”

In a separate article, the IMF explores the topic of how “The Internet of Trust” is transforming the financial sector. Per its proponents, Bitcoin’s blockchain technology can be used to transform the financial sector fundamentally, for example by reducing the settlement time for securities transactions. With faster settlement, less money needs to be set aside to cover credit and settlement risks—just as collateral is not needed for a cash transaction.

The Inter-American Development Bank (IADB), the main regional development institution for Latin American and Caribbean countries, in March 2017 released the discussion paper “Digital Finance: New Times, New Challenges, New Opportunities,” explaining the financial implications of distributed ledger technologies applied in the region and around the World. The paper explains that “there is growing consensus in the financial services industry that distributed ledger technology (DLT), also known as blockchain, might just be the answer to the need of more efficient management of collateral [risks], resulting in more firms accessing credit, as well as … freeing up intermediaries’ capital for lending, and potential effects on SMEs’ direct and indirect access to multiple ways of credit.”

Now, coming back to the question of what implications and motivations this new paradigm may have in our professional life, I believe that a new generation of the IT governance, oversight and assurance professionals are called to play an elevated role in future ecosystems, economies and societies.

Similar to other emerging topics such as the advanced application of artificial intelligence (AI), big data, cloud computing, and Internet of Things (IoT), this must occur only by providing an unprecedented new level of verification and trust required by the stakeholders to sustain a paradigm that intends to be intrinsically resilient and secure by keeping distributed copies of the thematic ledger supported worldwide, using cryptographic proofs of data integrity and providing tamper-proof ledger entries.

Extraordinary challenges and opportunities are ahead for the millennials’ generation of assurance professionals, when called to provide both holistic and transactional assurance on increasingly complex digital ecosystems that involve people, processes, systems, as well as connected physical entities.

But the level of disruption to the assurance profession may not stop there. As another report, “Here’s Why Robots could be the Future of Finance” from the World Economic Forum pointed, the traditional tasks of human audit work are also highly subject to substitution by artificial intelligence interventions. Meanwhile, some audit tasks may be better assisted by this advanced application of technology. We, the auditors, will face the challenge of providing assurance to our stakeholders that these algorithms are effectively well designed, implemented, deployed and operating as expected.

In our profession, traditional auditing will remain necessary in many parts of the globe and in many traditional businesses environment for a while. However, and not less importantly, a new generation of millennial auditors will need to raise the bar by providing increasingly complex assurance services in more agile business environments and in support of upcoming digital transformations. A different professional audit mindset and additional expertise will be required to satisfy the expectations of stakeholders and business owners in this new world.

Fernando D. Nikitin, MBA, CIA, CRMA, CCSA, CISA, CGEIT, CISM, CRISC, CISSP, CBCP, TCNA, Principal Auditor, Inter-American Development Bank

[ISACA Now Blog]

The Cybersecurity Canon: The Seventh Sense: Power, Fortune, and Survival in the Age of Networks

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Dr. Mansur Hasib, CISSP, PMP, CPHIMS: The Seventh Sense: Power, Fortune, and Survival in the Age of Networks (2016) by Joshua Cooper Ramo, Little, Brown, and Company: New York.

Executive Summary

Our hyperconnected world, comprised of myriad networks – both machine and human – has brought us to the precipice of a fundamental revolution and redefinition of the human experience and our socio-political and military world order. This is what author Joshua Cooper Ramo wants us to grasp in the book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks.

The Industrial Revolution was a similar event. The advent of the personal computer, which replaced the typewriter, and the subsequent era of enterprise networks were others. Then came the internet era. Now we exist in a mesh of networks, which feature both concentration and distribution, and remarkable levels of persistence and resilience. The old definitions and practices of information security and governance, cybersecurity, and business strategy, developed in the era of the past no longer work.

Failure of executives to grasp this pivotal change, and their concomitant failure to tailor organizational and business strategy to the new reality, is the primary cause of organizational malaise and the massive cybersecurity breaches we have experienced. The author calls for a new breed of digital-native executive leaders who will inherit the problems and need to develop lasting solutions for the future.

We have experienced such revolutions in the past. Each time a new world order was created, decision-making and practices of the old world order ceased to function. Organizations and leaders who practiced outdated thinking were quickly wiped out or reduced to irrelevance. Each new world order also realigned the centers of power.

British imperial power and the subjugation of wide swaths of the world were fueled by superior technology, naval power, and education. Then, when the rest of the world began to innovate for a new era, there was a fundamental realignment of power. Today terrorism, war, cybersecurity, privacy of data, and even human relationships are being redefined by the network.

As the author states, “…networking something fundamentally changes its function.” Executives need to recognize that – yet they are not doing so because they lack the appreciation and understanding of the new networked world order and are still making decisions using models of the past, and both making decisions and developing strategy with the thinking of a bygone era.

Review

I have noticed political and business executives making seriously flawed decisions using models of the past. I have observed them being completely baffled by the hyperconnected new world. The book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks (2016) by Joshua Cooper Ramo helped me understand why. The author helps us understand why we critically need cybersecurity leadership and digital strategy of a new kind.

The book has three parts, which I have broken down for you herein.

Part One explains the nature of the current age. This section explains why hyperconnectivity and the networking of everything, including human relationships, through networks and digital connections needs to be viewed differently. This is similar to recognizing that the world of analog systems and analog networks is gone. Analog thinking is anachronous in a digital world. Similarly, failure to recognize the new hyperconnected era, and failing to adapt to the exigencies of this new world order, can result in existential threats to leaders, organizations, and nations.

Part Two discusses what the author calls “The Seventh Sense,” which is a new way to view everything. Connectivity, as the author states, changes the very nature of everything. Thus, a networked heart monitor or pacemaker cannot be regarded as just a heart monitor or a pacemaker anymore. Similarly, terrorism, crime, pornography, bullying, forensics, and warfare conducted through the digital signals of a global network cannot be dealt with using the knowledge and models of the past. Executives need to think differently.

Humans have developed an intuition for dealing with events and circumstances of the past; some have called this the sixth sense. The author calls upon everyone – especially executives in charge of making consequential decisions – to develop a seventh sense to make strategic decisions relevant for a digitally hyperconnected new world. Business organizations, countries, and societies that fail to adapt to this new world are in real danger of becoming irrelevant.

There are numerous examples of previously powerful business organizations, nations, and societies that dominated in an older world order, but were rendered irrelevant and powerless in a new world – simply because they failed to anticipate, recognize, and adapt as the world around them changed. The author shares examples of such companies as Google and Uber that not only anticipated, embraced, and shaped the new world but were able to find gaps and unfulfilled opportunities, which allowed them to redefine the new world order in a way that benefited them. In doing so, they also became existential threats to organizations that were still living in the old world order.

The author shares how strategic leaders like Steve Jobs were able to imagine the future of smartphones, music consumption, and even movie production in a hyperconnected digital world, while many other contemporary leaders were still dabbling in an analog world. Leaders need to be able to recognize when the playing field has changed. Leaders cannot afford to play chess on a two-dimensional board when the board itself has morphed into multiple dimensions.

They cannot denigrate the new dimensions either – but must embrace them. I still remember the time in the late 1980s and early 1990s when we were building email systems and enterprise networks to replace the mainframes; people in the mainframe world called these systems a passing fad. Today, these very email systems and enterprise networks have become obsolete as new forms of human communications and hyperconnected business networks have become the new normal.

Yet, many enterprise technology organizations and executives have not adapted to the new world and are still focused on perimeter security in a world where there is no perimeter. They wish to control endpoints in a world where these endpoints do not belong to them. These executives are still discussing and demanding security as a static desired state when there is no such thing as absolute security anymore.

Cybersecurity is certainly not synonymous with security. Rather cybersecurity is a process of dynamic, continuous innovation and dynamic, continuous risk management – full of opportunities as well as pitfalls.

Part Three discusses how the power structure is being redefined in this new world. The author details several historical shifts in global power. Control of rivers, water supplies, and other land-based routes determined power during an era. At some point, it was replaced by control of the global waterways. Global naval superiority determined the British dominance of the globe. This was replaced by the rise of American global power through an unprecedented rate of innovation, which led to global domination in air power, military might, and economic strength. Sheer technological and financial superiority powered by an unprecedented pace of innovation unleashed by capitalism replaced all other forms of power.

Today, global power centers are in the process of realignment. A lot of power now resides in knowledge and information, as well as the control and sharing of such knowledge and information. Power will also be determined by the ability to understand and control the protocols and networks used for transmission. In a hyperconnected world, especially with unimaginable amounts of information being fed into the network, false information with rapid dissemination mechanisms can have dramatic consequences. Therefore, Facebook and Twitter have far more consequential relevance in this new world than traditional communication media, such as newspapers and TV.

In such a world, personal and corporate brands, and messaging, can shape people’s beliefs about reality. Once an affiliation with a brand is established, that brand can shape reality through messaging disseminated rapidly using new forms of communications. Failure of leaders to appreciate and harness the power of new forms of communications and develop the strategies, rules, regulations, and even laws that cater to the modern era can have massive implications in determining the winners and losers in the new world order.

Conclusion

The need for executives to think differently and have a digital strategy is acute. Author Joshua Cooper Ramo provides an easy to understand explanation of the new world, along with an analysis of the major epochal shifts we have seen in the past several hundred years.

Personal computers and the network were invented in the United States. In the past, as nations fought for domination of the land, water, air, and space dimensions – since the cost barrier for domination of these dimensions were extremely steep – the economic might of the United States allowed it to quickly overwhelm other nations in these dimensions.

However, global hyperconnectivity has created a completely new dimension, and the cost barrier for entry into this dimension is very low. In addition, the United States has done very little to restrict global open access into its systems. Readily available, low-cost access to technology has democratized the power of communications, influence, and even warfare into the hands of individuals. Therefore, a small band of malicious actors can cause massive damage on a global scale. Most often, their acts are not even regarded as acts of war. While international treaties related to conventional or even nuclear and chemical weapons exist, such treaties related to cyberweapons are non-existent.

In the past, in order to influence political outcomes in foreign countries or expand global power, nations had to fight wars, conduct espionage, and even resort to assassinations. Now, such actions can take a different form. Character assassinations through negative ads (frequently with no basis in fact), and false stories as well as pictures and videos are just as effective as actual assassinations – sometimes more so.

Information war and cyberwarfare are also incredibly cheap. Since laws and international agreements in these new areas are non-existent, foreign nations can influence political outcomes in countries as powerful as the United States or France without even being accused of warfare or crime. They do not have to use bombs to blow up communication systems, roads, or bridges; they can target networks controlling information media, or the networks controlling the national critical infrastructure, and exact far more consequential damage without the expense, stigma, or loss of lives created by conventional warfare.

Large swaths of people and even politicians and governments do not even view such actions as acts of war. Clouded by the thinking of the past, they use mild terms, such as “meddling” or “interference.” Even the active participation of a political campaign to support or benefit from foreign acts of cyberwarfare is viewed mildly and accepted by many as “opposition research.” If the same actions had taken place in a different dimension, such as a land attack, a sea attack, or an air attack, the language used would have been completely different.

Information-based decision-making at both the personal and organizational level is no longer possible using decision-making models of the past. Most of these models are not capable of differentiating between true and fake information. Decisions based on fake information will be seriously flawed.

Whether we call it The Seventh Sense or a new industrial revolution, or a completely new epoch, the old world is gone – and will never return. Executives who recognize, embrace, adapt, and rapidly develop a strategy to address this new world will leap ahead in the future power structure of this new world order. Joshua Cooper Ramo’s book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks is a Cybersecurity Canon nominee for providing us a succinct and convincing analysis of a new world order that we all must understand in order to survive and thrive in it.

[Palo Alto Networks Research Center]

English
Exit mobile version