The primary focus of cybersecurity is typically keeping an organisation’s digital assets safe from theft, leakage or destruction. But there is a growing realisation that securing these assets depends not just on the organisation itself but also on an external community of suppliers, researchers and open source software developers.
Similarly, it is not just organisations that suffer when cybersecurity breaches occur. In fact, they can be more damaging to customers, employees or other third parties.
For these reasons, cybersecurity should be seen as a dimension of social responsibility, as well as self-preservation. At Tech Monitor’s Digital Responsibility Symposium last month, Thomas Quinlan, director of solution architecture at event-sponsor Zscaler, made the case.
The case for cybersecurity as a social responsibility
The primary concern of every cybersecurity leader is protecting their own organisation’s digital assets. That’s unlikely to change but, Quinlan explained, the extent to which that task depends on external parties has become unavoidably clear in the last decade.
NotPetya, the encrypting malware that surfaced in 2014, was an extreme example. Originally targeting Ukrainian institutions, it caused billions of dollars in collateral damage for organisations around the world.
More recent examples include Log4Shell, the vulnerability discovered in open source log management tool Log4J late last year, which revealed the extent to which companies around the world depend on the security of open source tools, and the uptick in supply chain cyberattacks.
These developments require cybersecurity professionals to think beyond their organisational borders, Quinlan said.
This calls for more consideration of external stakeholders, including suppliers and customers, when assessing and mitigating cybersecurity risk, Quinlan argued. “We have to look at risk management overall, whereas previously we may have looked at risk management from just our immediate perspective.”
Viewing cybersecurity as a social responsibility can help leaders understand and manage this risk, he said. “First, it’s generally better for everybody. Second, it’s generally better for the organisation itself. And third, it leads to a more holistic picture of, not only the cybersecurity [risks] they’re directly concerned with, but what sorts of things they can look to mitigate that potentially come in from outside.”
What would cybersecurity that is driven by social responsibility look like in practice?
Taking responsibility for customer data across an ecosystem of suppliers and other third parties dovetails with the need for ‘zero trust’ security architectures, Quinlan argued. “It’s important to pay attention to how you deal with the physical reality of third parties, supply chains, [and external parties that need to interact with your data and services],” he explained. “You have to start pretending that you don’t trust anybody.”
Organisations that produce software must be more mindful of the security implications for users, Quinlan said. “We have to start looking at how our programming practices, the various things that we’re doing around software development, could have impact elsewhere,” he explained. “Because if I release a piece of software, I also have to keep in mind that that software may have bugs, that software may be co-opted to be used in ways I hadn’t considered.”
And, in light of Log4Shell, they should think how they can support the open source projects on which they depend, Quinlan said. One way would be to support the Apache Software Foundation, a non-profit that funds a number of open source projects. “I think corporations also have [a] responsibility to be able to look at the things that they’re using and to move away from the traditional ‘This was not invented here’ syndrome and start to think about how they can give back”.
These are some of the ways in which organisations can move beyond an approach to cybersecurity in which self-preservation is the sole priority. Instead, a position of ‘enlightened self-interest’ can help them protect themselves, their stakeholders and the world at large.