Cyber risk means creating as much transparency as possible

Torsten Jeworrek is the partner and strategic advisor to the Global Software Group (GSG), a leading provider of integrated platform security solutions for developers of consumer and business software.

Torsten Jeworrek: Over the past decade software vendors, such as SAP and Oracle, have progressively relied more and more on selling to large firms for selling to their clients. The market for those offerings has been growing in size and complexity.

After the 2008-09 financial crisis, some of the largest corporations in the world started talking about cybersecurity as a competitive differentiator. Although they were quick to point out that data encryption should not be a priority for small and medium-sized businesses, there was a clear shift of attitude in the software industry at large.

Unfortunately, there is no such thing as a clear line between what is a “business critical” application and what is not. Therefore, much of the discussion in the software industry was in essence about IT governance rather than IT security. The problem is that it is almost impossible to reach a solid level of consent across all companies and organizations, based on a single global cyber risk strategy. For a global software vendor, it’s also really hard to make every corporation that sells to a customer make the same “commitment”.

Last year, the Financial Times questioned whether large software companies sell “readily available” consumer applications, the way Google would. Google claims that they sell their products at a price, that they’re compatible with almost every existing application, and that they remain always-on, and automatic. (Which is right.) This approach is much more complicated to deploy and, therefore, easier to avoid.

To effectively deploy a global cybersecurity strategy, you need to have a common framework. A global cybersecurity framework would identify the basic levels of risk across all companies that sell to customers. What is acceptable to one company could be unacceptable to another. You would then need a common set of global best practices, uniform and neutral, so that you could answer a single question: “Which is the safest business practice?”

Unfortunately, one person’s best practice is another person’s violation of the corporate rules. Therefore, a global cybersecurity strategy might not be directly applicable to all global software vendors.

So, global cybersecurity is a bit like branding. I personally like brands, but my company failed to develop a single global brand. We are now developing global cybersecurity standards that will deliver a global strategy based on the global standard.

Our goal is to extend governance into the software industry. For that, we have to have common best practices. We also have to develop a common standard, so that security has a worldwide definition. And finally, we have to have a common standard, so that everyone takes the same risks in the same way. We are also trying to get companies to standardize on the approach. We also want to get to the bottom of which companies are selling to whom, and how. We are organizing a global forum for cybersecurity.

Any solution has to get to this basic level of simplicity.

Tomi-Kaku: Most large software companies emphasize “scale-based benefits.” They claim that if you go through the standard steps, you have a premium that is good to the customer, but not necessarily worth the higher cost of doing business. For software companies, this is a key motivation. Some of them also want to drive value (usually meaning subscription and the cloud). Unfortunately, most of the benefits from managing multiple applications are lost if one application crashes and you can’t do anything about it.

If we are going to have scale-based security, we need to look at why people think scale-based security makes sense, or not. The problems are psychological, not technological.

Broadly speaking, what many people and businesses want from cloud-based services is flexibility, security and ease-of-use. But because of the hybrid mode of services, people get complex. The best way to align this philosophy is the concept of the right balance of flexibility, security and ease-of-use. The principle is the same for any, or all, of the applications. For cloud-based services, the right balance tends to be more security, stronger policies, and slower/lower latency.

Let’s take an example from the United States. The Federal Bureau of Investigation (FBI) developed a cloud-based suite of its own investigations. These investigations are now called “Laptop Tag.” The federal government tested this solution in December 2012. The successful implementation demonstrated that the Federal Bureau of Investigation software can manage investigations fairly easily, securely and quickly.
