I am very proud to have the privilege of attending and participating in the NACD’s Global Cyber Forum. I really enjoyed the opportunity to speak about how to think about security at the technological frontier with my esteemed co-panelists @Richard Spearman and @Matthias Bossardt.
While technology has always been at the core of security, it seems as if the technological frontier has recently come close to my heart. My graduate studies were focused on encryption (specifically the encryption infrastructure underlying modern-day e-commerce), one security technology core to a data-driven digital transformation.
I thought it might be valuable to share my perspectives on this topic and frame some of the key issues and questions that I shared with the NACD.
First, it’s important to think deliberately about the strategic objectives that embracing a given technology is intended to achieve. To take an oft-discussed example, AI/ML is a very shiny object for many organizations – the financial sector began leveraging machine learning to prevent payments fraud in the 1990s – but the first step to running any sort of advanced analytics (including AI) is setting one’s “data house” in order.
Second, a decision about embracing a technology should not be independent of security considerations. Many of the next-generation technologies that companies are looking to embrace are contingent on developing greater trust with consumers in order to productively leverage their data. A decision to relax or subordinate security concerns to speed technology adoption will eventually be self-defeating.
Third, boardroom decisions about IT security are often framed as a tradeoff between security and innovation, with greater security coming at the cost of innovation (and vice versa). In some cases, this is an explicit choice, whereas in others it’s implicit in tradeoffs created by a finite information technology budget, where security is often treated as a subset of information technology. Perhaps I am biased by experience, but the security-innovation tradeoff strikes me as a short-term tradeoff, if that. Security defends and even enables innovation. Security helps protect increasingly valuable intellectual property as well as an increasingly important intangible asset: the individual-specific attributes provided by users and customers, which form the basis of personalized advanced analytics.
Finally, because embracing security requires judgments across functional domains and organizational boundaries, leaders need to drive security as a foundational question.
One of my favorite examples of leaders championing security even as they embrace technology comes from Amazon’s success in the Internet-of-Things market and, specifically, the now ubiquitous smart speaker, the Echo.
Jeff Bezos is the wealthiest man in the world, overseeing perhaps the most complex portfolio of projects, ranging from providing computing infrastructure on earth to building out infrastructure in space, not to mention a newspaper business with growing revenue (!). And yet, he has carved out the intellectual bandwidth and intentionality to understand the security controls of the smart speakers produced by Amazon:
We’ve done something a little unusual with Echo. It would be no different from your phone, but we went one step further than what’s done on a phone. When you hit the mute button on Echo, that red ring comes on that says the microphone is turned off. That mute button is connected to the microphone with analog electronics. You have to come physically tamper with the device. You couldn’t do it with a computer virus.
– Jeff Bezos, Vanity Fair Summit, 2016
To be sure, analog controls – which have been verified and tested in numerous teardowns – probably came at the cost of some user convenience for remote control. With that said, the caution and deference to security shown by Amazon (and its leaders) is likely to be at least partially responsible for the speed at which customers have been willing to adopt and engage with its products.
Recent events have also vindicated that approach and highlighted the risks associated with “move fast and break things”. In light of disclosures surrounding the careless treatment of user data and subsequent distrust, Facebook has been forced to push back the release of a competing line of smart speakers.
To parenthetically quote my colleague @Ralf Dreischmeier, innovation without cybersecurity is a train wreck waiting to happen.