Cybersecurity Now and In the Future – Our Shared Responsibility
October is Cyber Security Awareness Month when participating governments and private industry jointly sponsor advocacy campaigns to promote awareness and ensure that every person around the world has the proper information and resources to be safer and more secure online. As a founding member of the National Cyber Security Alliance (NCSA), Cisco has actively participated in and helped to promote Cyber Security Awareness Month since its inception in 2003.
This year’s Cyber Security Awareness Month theme – Our Shared Responsibility – underscores how we must all be responsible, accountable, and work together to improve our online safety and security. I encourage you to participate in the weekly themes and take continuous action to improve your online security.
Though I’m immersed in all things ‘cybersecurity’ throughout the year, Cyber Security Awareness Month is a strong reminder – a chance to stop and think about the world in which we live and to envision the future, while taking stock of what we’ve done in the past.
I think about the implications of our increasingly digital and connected lives. Whether I’m viewing it through a business, economic, or technological lens, the drive towards digital innovation – and the need for greater cybersecurity at its core – is explicit and pervasive. Not just for today or the near-term, for our very future. The result? Taking stock, developing a plan, and building for the future.
Are We There Yet?
Some might say our future is digital. My opinion is that we’re already there. Digital services, such as online healthcare, e-Government, and collaboration are all commonplace in our daily lives. Digital devices are found in all walks of life: from civic video cameras for our safety, to indicators showing how transportation flows through a city, to sensor grids determining air quality, when soil is prime for planting and produce is ready for harvest.
Today, connected devices are generating almost 300 times more data than all the people connected to the Internet. We connect 30 million new devices to the Internet every single week. That’s more than 4 million new devices per day! 2015 was the year that the Internet of Things (IoT) took off – the tipping point when IoT went from backrooms of the technology world to mainstream. The Internet of Things is not of the future… it’s here and now.
Think back to just 5 years ago. If we had these capabilities then, where would we be today? Now imagine digital occurring in every industry, in every business, in every government and every institution… because that is what’s happening around us. We will hit a point where we don’t know how to live without our digital systems.
Sounds Great, Right?
Not so fast. Our challenge is that the drive to digital and the securing of our systems and infrastructure are linked. The opportunity to go digital is ahead of the strategy of keeping it digitally safe.
If we fast forward just four years to 2020, we project there to be 5 terabytes of data per person and 50 billion devices, not just shipped, but fully connected, enabled, and active… almost double what it is today. What does that look like from a cyber-threat standpoint? How do the services using these sensors ensure their resiliency and data protection requirements? The data, devices, and services must be managed and secured.
We Protect, At Scale
At Cisco, we have nearly 200,000 networks that we protect every single day, which extrapolates to hundreds of thousands of customers in businesses, governments, universities, and other organizations with tens of millions of users. Our more than 300 threat researchers and other security professionals work tirelessly on the threats that are occurring on the Internet right now. We have hundreds of threat analytic engines that pull in and analyze 100 terabytes of threat telemetry data from about 3 petabytes of data every single day.
We block about 20 billion malware, spyware, virus, and other attacks per day. To provide a sense of scope and size, that’s almost three times as many people as there are on Earth. It’s greater than the total number of daily Google searches. That’s how important and how serious digital and cybersecurity are. That’s why we take it seriously at Cisco and why it’s equally important to you.
Evolving to Embedded Security
I believe we can do things differently today to attain our desired future outcomes, yet we need to make a significant leap forward. Though challenges are inherent and time is of the essence, industries, governments, and educational institutions alike must adapt and evolve. To make that leap in this digital world, organizations must embed cybersecurity purely into the fabric of their organization. It has to be a fundamental part of every organization’s purpose and strategy.
In the future, I believe that every institution will just do cybersecurity as a part of business – not as an adjunct, or an operational tax, or not do it at all. It has to be central in the strategy, planning, and execution of the organization. Cybersecurity also needs to be a core consideration for those who will bring new ideas, innovation, and answers to the new challenges we’re creating in this future. It’s all about infusing security into the very culture of how and what we do.
Tackling our Technical Debt
We build and create services and systems, and too often, leave them open to attack. Similar to driving on a road that is not quite up to par, IT has its version of an infrastructure problem going on right now and it’s a latent indicator. We’re taxing the assets of our infrastructure, leaving them vulnerable. So why are we surprised when we’re running outdated systems or not using the latest threat defenses that we find our systems, data centers, networks, and infrastructure vulnerable to attack?
Aging infrastructure exposes organizations to unnecessary and unacceptable risks. Of the devices across the Internet that we know are running today, 92 percent have an average of 26 vulnerabilities. Almost one-third of them are no longer going to be serviced, and 1 in 20 is no longer being recognized by the company that built them that they even exist. This is the Internet today, and it cannot be our tomorrow.
Controlling the Controllable
Now, extrapolate that growth as we progress in the digital era. That’s why we have to get our systems and infrastructure under control. And, it is under our control. It may be financially challenging for some, but we control it and the cost is greater if we don’t. Attackers are doing what they do because we’re leaving the door open, making it easy for them. Organizations must take steps to modernize their infrastructure to reduce vulnerabilities, protect critical assets, and prepare for digital transformation.
Controlling that which we can control is key. Most organizations simply don’t know with certainty what’s connected to their network and why it’s there. We are not developing mature processes yet, but can, and this calls for the strategies and the training that will create a maturity in this lifecycle. Patching may be hard work, but it’s essential and controllable.
We need to simplify while establishing individual norms of connecting myriad new devices to the network. While reducing complexity is important, speed is vital. Technology is changing every 1-2 years. Software releases are continuous. Every 6 minutes an update occurs, and those updates are what may save you. Acceleration is key to keeping pace with digitization. If you’re afraid that speed kills, it does… if you wait.
Building for the Future
In the 29 years I’ve been in cybersecurity, I believe this is the most critical time that this industry has ever faced. Business leaders today must stop and ask, “How do I do digital right?” “How do I get cybersecurity right?” “How can I be successful for the next 5 years and beyond?” And possibly the most important question we must ask of ourselves is: “What am I going to do differently?”
Cybersecurity is our shared responsibility. Because we all have a say in our business and technology, we must also view security as an inherently essential part of our organization’s purpose and strategy. We at Cisco knew that we needed to do something different, so we put money, people, and time into doing cybersecurity differently. We’re committed and building for that future… especially because that future is now.
I invite you to check back to this Security Blog regularly throughout Cyber Security Awareness Month as we cover weekly topics that will provide insights about security, safety, and privacy. You can learn more about National Cyber Security Awareness Month in the US, and European CyberSecMonth across the European Union, as well as other corresponding cybersecurity advocacy campaigns around the world.