Why Cybersecurity is Still Elusive
Over a decade ago, we were told the cloud was not just a “secure” cloud, it was a “trusted” cloud. Today, cybersecurity companies are still playing detectives, and cloud platform vendors and service providers are acquiring them for billions of dollars. In the end, can we trust chief risk officers to do the right thing and invest in protection after they have exhausted all detection alternatives? While detection is a valuable and necessary forensic analysis tool, not including protection as a strategy in the digital tool chest is a fatal oversight. Protection is what you do before detection becomes a necessity.
Adopting new approaches is a matter of “willingness” to change and the “ability” to handle change. It requires both. Willingness is the belief that unless we do something different, the outcome will not change. You are focused on changing the outcome (the bull’s eye) with a different approach. Ability is a matter of cost – capital and operational expenses, and whether the expenses are justified – recoverable through sales or mandated by regulatory compliance to stay in the game. When either the willingness or ability is lacking, status quo and quick fixes win in the heated battle of wits.
Why is it that security is such a liability to pay for? Fundamentally, end users (consumers) don't understand the consequences. A lost, stolen or damaged device is all end users care about. Whether the device is trustworthy is just not in the calculus. Are you watching the shows on your television or is the television watching you? Is your neighbor, a stranger sitting next to you, your Uber driver or a hacker listening to your conversations? Are home security systems monitoring intruders or you and your family? Is loss of privacy the price of security? Or should you protect both your privacy and your data? Consumers expect their device vendors to protect them from becoming victims, just like car seats for infants and air bags for adults regulated by insurance policies. Continuing to play detectives is like waiting for victims to perform forensic analysis on, so that they can serve as a warning to future potential victims. It does not address the root cause: protection is a womb-to-tomb supply chain mindset. Regulations in cybersecurity have been structured to be vendor friendly, and not consumer friendly.
As device vendors and service providers embrace the emerging opportunities of 5G to widen the data pipes into your home and work, and edge computing to bring computing to your neighborhood, perhaps it is time to ponder. This is also the age of the Smart Consumer, who pays for “daily value” of goods and not “cost” of goods. The major changes in our lives over the past two decades have been driven by entertainment media, mobile smart phones and cloud services. The “ability” challenge is the consumer’s out-of-pocket costs. Consumers want fair pricing, not promotional discounts, which is where pay-for-use usage-based billing rather than device-based billing is the winning value proposition. You pay for the service you choose to use, whether it is an advanced feature, a compliance checkmark, or a premium service that is valuable to you in your line of business. This is where protection becomes a services play and not something any device vendor can afford to absorb upfront as a value-added tax. The device vendors and device owners/operators are victims of cyberattacks and cannot be expected to pay for the crime.
One broker in the middle, between device vendors and device owners/operators, is the managed security services provider with the detection toolkit. Another broker required is the protection service provider with the platform to offer cyber protection as a service, which includes a chain of trust that begins with the manufacturer and persists through the supply chain of providers and publishers of content to the device. A tamper-resistant self-defending posture establishes a state of trust. This trusted state must then be preserved with protection controls to reject content with tamper-evidence, and measured for proof of trustworthiness. In quantum physics, entangled particles remain connected – so actions performed on one affect the other even when separated by great distances. Albert Einstein called it "spooky action at a distance". If content entangled with a device is tampered with anywhere along the supply route, the device is tampered with. So, to make the device tamper-resistant, one has to protect against spooky actions at a distance.
For vendors of cybersecurity solutions, it is not about taking on competition – the only competitors here are the hackers who will always be one step ahead in this game – but about building a “security task force” with an arsenal of weapons to take on the enemy that is disrupting our daily lives. As Einstein famously said – the questions have not changed, but the answers have. The risks have not changed, but the consequences have.
Mocana helps device operators bridge the adoption challenge between device vendors and service providers, to enable digital transformation with the emerging 5G network, edge cloud and SD-WAN. We protect the content delivery supply chain and device lifecycle for tamper-resistance from womb-to-tomb, with root-of-trust and chain-of-trust anchors. We measure the device for persisted integrity for trustworthiness of operations and data to power AI/ML analytics. Our team of security professionals works with semiconductor vendors and certificate authorities to integrate with emerging technologies to comply with data privacy and protection standards. The goal of Cyber Protection as a Service is to eliminate the initial cost of modernization for device vendors and empower service providers to offer subscription-based services for effective and efficient digital transformation of things.
Mocana’s core technology protects more than 100 million devices today and is trusted by over 200 of the largest industrial manufacturing, aerospace, defense, utility, energy, medical and transportation companies globally. www.mocana.com