Davos 2018: Hot Topics in Cyber Risk

Greg Day


With more world leaders attending, and a large fall of snow, the atmosphere and the village were even more intense this year than my first year at the World Economic Forum meeting in Davos. During the week, I was most fortunate to meet lots of amazing people, from academics and business leaders to politicians. I spoke on the Cyber Future Dialogue panel, organised by Cyber Future Foundation and the Security Innovation Network (SINET), to which I’m grateful for making me a distinguished member. Wrapping up the week, we hosted a lunch to discuss how businesses make cyber-risk reduction a reality.

In this blog post, I wanted to share some of the themes discussed during the week in Davos, as I would suggest these are top of mind topics for many leaders across business and government.

Board engagement: It’s little surprise to see recognition that boards are increasingly engaged in cybersecurity discussions, as digital transformation creates greater dependencies. That’s even more the case with new regulations, such as GDPR, now firmly in the picture. As such, cybersecurity is more frequently being included in boardroom conversations. Connected to this, it was interesting to note that, in Davos, discussions also centred around whether boards should include someone with specific cybersecurity expertise and, if not, how to find those with risk backgrounds and build out their knowledge. Likewise, there are still more expectations on cybersecurity leaders themselves to further improve their skills, including understanding business taxonomies and talking about investment versus risk.

Digital transformation: Pace was another theme that arose frequently, with the realisation that many projects start small, so security is not considered; but as projects quickly snowball into full capabilities, they require cybersecurity to be retrofitted. Outside of the Forum, I’ve been interested to see just how many companies today have informal or formal DevOps programs, yet far fewer have DevSecOps. Are we continuing to make the same mistakes in new technology spaces as in business? The challenge is ensuring that security is baked in from the ground up, even for the small skunkworks projects. However, I suspect that many businesses simply don’t have the volume of security staff to scale for every project, meaning that the task is to better use automation to free up staff currently sustaining existing projects. Only then is it possible to nurture the security mindset across broader teams to reduce the demand on scarce cybersecurity experts.

Cybersecurity futures: One theme that kept coming up was what happens when AI attacks AI. While this is an interesting concept (and I’m sure a great future blockbuster movie), it was clear that the practical implications and value of machine learning and AI aren’t yet well understood. While these capabilities can be used to help deal with big, complex data sets, there’s a much more fundamental issue, which has been around for years: complexity is the enemy, and too much complexity creates a lack of visibility. Without visibility, how can you expect to achieve good cybersecurity?

As such, the question that should be asked is how to simplify cybersecurity and better embed it into business processes to generate consumable intelligence across the business IT systems. If we can’t get the fundamentals right and solve the basics, how do we leverage state-of-the-art AI capabilities against threats?

One interesting point to note is that the World Economic Forum announced the launch of a new cyber centre in Geneva, to drive collaboration and information exchange.

Collaboration: During my time at the Forum, I watched CNN presenter Richard Quest talk about the fractured, versus global, nature of the world. Cybersecurity is no different, with discussions continuing to turn to how to better collaborate. Indeed, Palo Alto Networks CEO Mark McLaughlin chose this as the theme for his recent blog post, titled “Reaching for the Cybersecurity Moonshot.” In recent years, the security industry has made important strides to better work together through such projects as the Cyber Threat Alliance. However, for collaboration to succeed, it needs to scale globally, not just between security vendors.

The issues of trust and regulation were discussed at length, and the interesting question is whether, and how, cybersecurity can and should transcend them. However, collaboration remains too infrequent, whether that’s because of often misunderstood concerns or something else. Knowledge is perhaps the real issue.

Risk management and metrics: Still, senior executives are concerned by the dilemma of how much cybersecurity is enough, and my impression is that many are feeling a little worn out by ongoing requests. The reality is that the pace of change in IT, and especially cybersecurity, is relentless. As such, how is it possible to find a method of qualifying and quantifying it? This constant flux, which is atypical of most business risks, challenges trust because today’s metrics can be quickly contradicted as the cyber risk landscape continues to evolve. Again, education is a core starting point here, and it’s important to recognise that, in such a dynamic space, we must have an agreed risk range, not an agreed risk. To use the analogy from one person I spoke with: we rarely know exactly how much we have in our wallets; it’s very fluid, but we know roughly how much we have that is relevant to our needs.

What/Who are the adversaries we should be most concerned by so we can define the right geopolitical responses? With some of the cyber issues in 2017, discussion turned, at times, to who are the adversaries we should be concerned by, as that topic has implications from a response perspective. If the adversaries are cybercriminals, then do we require better and more consistent cyberlaws around the world; and if so, how do we modernise the efforts behind the Council of Europe’s work on cybercrime? Conversely, if the issue is state actors, what are the right political sanctions? It seemed clear that, just as NATO announced, in 2017, that cyber is the fifth domain of warfare, the methods being leveraged are already broad.

Legislation: It’s no surprise that GDPR, PSD2 and other impending new legislation were being discussed. All of the companies at the Forum have extremely large supply chains, which can make new regulations incrementally more challenging. While most had a good grasp on the new legislation that applies to them, there was a sense that the next step is to wait for the legislation to go live to see if their interpretations would stand up once precedents are set around new requirements.

Summary

None of these topics is new; however, the point at the Forum is not to uncover the unknown in cybersecurity. It is to engage and educate different levels of audience, each grappling with an increasingly interconnected world economy (although different opinions were in view on that during the week). Furthermore, as the economies under discussion are increasingly digitally dependent, I observed an increasing thirst to understand more about cybersecurity and how it enables economic growth by managing the risks to growing, digitally driven economies.
