Open in app

Sign in

Write

Sign in

The how and the why of cyber security innovation

Martijn Dekker
5 min readDec 3, 2022

--

Currently security professionals are struggling with at least three problems. They are facing a big shortage of qualified people to fill the growing number of vacancies in their workforce. They are facing the need to secure a growing attack surface, mostly due to a longer supply chain. And the third problem they are facing is the growing sophistication of the attacks and threats.

One of the strategies any security leader needs to consider is taking a leading role in driving innovation in the security solution space. Next to explaining the ‘why’, I will also provide some suggestions for ‘how’ to do this and call out some essential succes factors. And I will show a succesful implementation.

The hacker mindset

To adress the first problem we should look at the hacker mindset. To attrack people to the cybersecurity field, we need to understand what are the characteristics of people that would be interested to do so and what would make them happy and succesful teammembers.

A simple search on wikipedia yields the following definition of the hacker culture, which in my experience is very true:

The hacker culture is a subculture of individuals who enjoy – often in collective effort – the intellectual challenge of creatively overcoming the limitations of software systems or electronic hardware (mostly digital electronics), to achieve novel and clever outcomes.

The highlighted words (collective, intellectual, creatively, noval and clever) reflect the most important properties of the hacker culture. Any security leader looking to add people to their team, is looking for people that like to work with others, like intellectual challenges and that find joy in discovering new and clever solutions. By providing opportunities to work on innovative cybersecurity solitions you can create a place where those professionals want to work.

Ecosystem security

Security professionals are realising that to secure the assets of their organisation they need to take into account the security of the assets in the surrounding eco system as well. This is caused by the fact that the level of connectedness is increasing and supply chains are becoming longer and extended. This also implies that cyber risks migrate more and more easily from one company to another and from one industry vertical to another. This is means security professionals need to work together with people from other verticals and not just work within their ISAC’s that often are organised within verticals.

Sophistication of threats

As new technologies are being developed, attackers are fast to adopt them and try to attack them or use them to deploy new modes of attack. The rate of change in the threat landscape is growing. To defend against that one strategy is to copy what your enemy does: try to use the latest technology yourself.

Maybe security teams in most organisations are not as fast as their attackers, but they can try to be early and pro-active to still beat them.

Collaborative security Innovation

So a security strategy that includes collaborative security innovation adresses all three growing problems. It attracks the workforce you want. It improves eco system security by connecting security teams of different organisations. And it allows early adoption of the newest technology that helps beating the fast attackers, by being early.

So to make these three problems smaller, or at least slowdown their growth, we need to solve the problem of how to organise collaborative security innovation.

Some succesfactors

In many companies innovation is considered something that can not be managed. And collaboration is considered complex because of release dependencies and cultural differences. Adopting new technology that is not proven yet is considered often too risky.

But these dilemmas can be reconsiled. Innovation funnels and processes have been developed. They are structured and allow for controlled progress. Examples are …

Collaborative partnerships between companies can be done but require strong senior management support to ensure consistency and continuity spanning multiple budget cycles or fair competion with short-term priorities. So ensuring senior management commitment is important. Celebrating, communicating and adopting results are key enablers for that.

Lastly, the risk of using the newest technology is not only a technological issue but it can also be a cultural issue. Via segmentation or isolation and of course solid testing, there should not be a blocking issue for using the latest technology. It might be needed to overcome cultural tendencies or biases in your organisation. For example decision makers that simply do not like to do it or have had previous bad experiences with it. Or colleagues in IT who are struggling with a not-invented-here issue (because CISO produced it and not IT) and prefer commercial software developed by third parties. Good communication, explicit demonstrations of the value in a real situation and perseverance help. All these should be elements of your innovation approach.

A succesful example: PCSI

In the Dutch banking sector, we have a very open and collaborative approach for security. We have a strong ISAC and many collaboration platforms. In 2014 we started a ‘shared research programme’ with participation of the largest banks and a research institute (TNO). After 6 years we decided to start all over and founded the Partnership for Cyber Security Innovation: PCSI. We decided to rename it because we made some major changes in the setup:

  • We opened it up for anyone to join, it is no longer for the financial industry only. We need cross industry-vertical cooperation
  • We increased the amount of time and budget we use for communication and dissemination of the results from 5% to 30%
  • We increased the focus on actually implementation of the innovation in a real production environment. We will take this a next step further going forward.

Since its start in 2020, two new organisations have joined the partnership and many succesful innovations have been launched. Examples are self-healing containers, automatic data labelling and security awareness approaches. You can find more information about pcsi here.

Any security leader should allocate a part of the multiyear security budget or resources to innovation. It is an effective and efficient way of attracking talent and protect your organisation. It requires consistent and continuous senior management support to overcome the resistance or frictions it can cause. But by adopting proven innovation funnel processes, results will be there.

Cybersecurity
Innovation
Leadership

--

--

Martijn Dekker
Martijn Dekker

Written by Martijn Dekker

78 Followers
23 Following

Martijn has a PhD in pure mathematics, is top-executive, scientist and CISO with more than 25 years of experience pushing the limits of information security.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams