Tip of iceberg in cybersecurity
It was a pleasure to work with SAE on their recent book “Cybersecurity for entrepreneurs,” where I focused on the topic of secure communications.
What I liked about the book and the writing team was the focus to entrepreneurs, small and medium businesses (SMB) — the “every man” category of the cybersecurity industry rather just the usual “top tier,” or ~10%.
I spend most of my professional life working with large government, commercial, and academic research organizations supported by specialist cybersecurity technology partners and integrators around STIG, FIPS, NIST, CSfC, HIPAA, SOX and similar regulations.
The focus in the cybersecurity industry is that “tip of the iceberg”, the folks protecting “crown jewels” data and processes in government, finance, energy, and so on in critical infrastructure. Many teams there have decades of professional experience, certifications, and advanced degrees.
In those areas, execs have a few things in common:
1) Doing basic cyber hygiene — many attacks come from well-known vulnerabilities and they recognize the importance of doing the basic things like patching and backup right.
2) Having a proactive stance and leaning into problems across defense-in-depth layers rather than just doing a least effort approach.
3) Exhibiting leadership and urgency in following changes in the industry as threats evolve.
For the wider industry, the larger part / ~90% of the iceberg below the water, budgets, training, and resources are much scarcer.
There the emphasis has to be on getting the (1) basics right and a greater reliance on the due diligence of third party vendors and integrators focused on covering (2) and (3) for large numbers of smaller end customers.
It’s an area where communities of interest (COI) can be especially valuable, e.g., around Information Sharing and Analysis Centers (ISACs).
That responsibility to keep up with emerging threats and mitigations for vendors and integrators is especially important in emerging technology areas like quantum, AI (artificial intelligence), and private 5G.
There the pace of moving along the Gartner hype cycle, from event key notes, pilots, and PoCs (Proofs of Concept) into the production and day-to-day mainstream, is faster than ever before.
There is also today a gallery of interested stakeholders from boards, to insurers, and regulators looking on as both IT and cybersecurity have moved from being general admin and overhead to value drivers (and preservers) essential to the business.
About the author
Simon’s focus is the business of cybersecurity, building and hardening critical infrastructure. He has done this over the past few decades for government and industry, beginning with civilian nuclear energy in Europe, to securing cloud and communications infrastructure in North America today.
He is a Certified Information Systems Security Professional (CISSP), with a BSc Honors degree in Physics from the University of Manchester, England, a Masters degree in Law & Cybersecurity from the University of Maryland Carey Law School, and an Executive MBA degree from the University of Maryland Smith Business School.
