The 4 forces accelerating infosec as a competitive differentiator

After working in the security business for 25 years, I’ve seen my fair share of predictions, trends and fortune-telling. 

Just over a decade ago, when I was the Managing Consultant for VeriSign Global Security Consulting in 2006, I authored a white paper titled, “Security as a Competitive Differentiator.”  Back in the mid-2000s, economists and companies were grappling with the basic question of how to make the internet profitable. While I was coaching clients on critical infosec operations, leveraging security as a competitive advantage was a side note. Security was relevant, but it was not a top consideration while companies were focused on setting up shop in the emerging online marketplace.

Fast forward to 2017: today the premise of security as a competitive advantage is beginning to become a reality, but not exactly how I had envisioned at the time.  Cybersecurity has indeed risen as a top-tier value proposition in the Fortune 500 and on Wall Street as a way to separate the wheat from the chaff.

Although it is true that businesses can use security to gain an increasingly relevant advantage over slower moving competitors, that differentiation isn’t tracked as “ROI” that security delivers.  Rather, delivering trust and privacy to consumers is becoming table stakes for all business, and security is slowly becoming a market-driven assumption, instead of a perfunctory line item on an expense report.

Ideally, traditional market forces would be driving this. However, four trends are accelerating this outcome further and faster than ever before.

1. C-suites, lawsuits and gross negligence

Despite a multitude of regulatory requirements, threats of fines, and additional regulatory oversight, we’ve previously failed to move the needle. However, unauthorized disclosures of protected records that result in class action suits—despite recent attempts to nullify that ability—threats of shareholder action, FTC findings of deceptive trade practices, and most importantly, claims of gross negligence leveled at C-Suite executives are finally getting executives to address security shortcomings.

With these growing risks, one technique used to offset corporate liability is to transfer it to business partners—see: PCI-DSS. Since those business partners are frequently implicated as patient zero in high-level incidents, it makes sense to focus on supply-chain and third-party management.

2. IoT takeover and weaponization

Poorly designed, installed, and managed IoT devices are easy targets for hackers to compromise and use to create enormous botnets that are capable of high-bandwidth denial of service and other nasty attacks.

We are quickly learning that implementing networked control technologies to automate telemetry and traffic/light/heat/power management can be more detrimental than beneficial, unless leadership understands and addresses the lifespan of the technologies.

This starts with procurement, and includes roles and liability for manufacturers, integrators, and operations staff to ensure that predictable time-deterioration of technology does not facilitate further attacks. It is becoming evident that the new normal of a data center in the cloud and IoT junk in the building requires a different way of handling security, starting with our expectations of the security of the products we buy.

Underwriters’ Laboratories has worked (unsuccessfully to date) on a product quality testing standard, and legislators are waking up to the reality that IoT supply chain security must be addressed.

3. Increasing regulatory microscope on third parties

The NotPetya attack, which incidentally caused a lot of damage to businesses, was initiated by infiltrating a Ukrainian tax preparation software vendor. Hackers victimized Sonic Drive-In by compromising one of their point-of-sale technology vendors. Hackers attacked Target by infiltrating an unsuspecting HVAC vendor. Recognizing that these attacks aren’t one-off occurrences, regulatory authorities are beginning to require covered entities to manage third-party security. Notably, the OCC, HHS, and DOD (in the case of its own contractors) have expanded their regulatory purview to include vendors, service providers, and business associates.

4. Creepy ad tracking vs GDPR

Recently, some University of Washington graduate students showed the extent of what interested parties can learn about someone through the purchase and tracking of a mere $1000 in online ads. That’s a nominal fee considering the researchers were able precisely geo-target individuals and track their physical movements.

In a capitalist system, business success is predicated on growth and Google is working hard to increase their ad revenue. To continue their growth, it is certain that Google will find new ways to surgically extract individual online behavioral data to sell more precisely targeted ads and user information to advertisers.

Meanwhile, two companies, Microsoft and Apple, whose businesses are based on product sales and not a trade of a free service for the details of everything you do online, are standing up as advocates for privacy and trust. Their position, along with the upcoming implementation of GDPR’s right to limited erasure, may lead the U.S. to emulate GDPR in some form. In my estimation, that is going to be attractive to American consumers.

Teasing out the trend

Looking at the big picture, the four forces accelerating infosec as a top value proposition are these:

1. Lawsuits and claims of gross negligence have the attention of executives, who now have a strong desire to offload liability onto third parties.
2. Poorly manufactured and deployed IoT devices have many organizations working with the supply chain to avoid turning over command of their technologies to a malicious actor on the other side of the world.
3. Regulators are expanding their purview to include vendors, service providers, and business associates of covered entities – sometimes with the threat of audit.
4. Companies are beginning to differentiate on trust and privacy.

It’s only a question of time before companies start aggressively marketing positively differentiated security. When this shift occurs, we will finally be able to calculate return on the investment from security controls. More importantly, however, we’ll turn a significant corner when the marketplace prioritizes security in modern day society.

When a company claims you should buy their product because it’s more secure than the competitor’s offering, we’ve reached a better place. Market forces alone won’t solve the security problem, but they sure won’t hurt.