Trend 4 SECURE US TO SECURE ME #TECHVISION2019 Addressing this knowledge gap is paramount. Leaders whether that is an attacker or a partner. Doing so evaluations are only done annually; and few have any must develop an organizational competency for improves both threat intelligence and understanding of mechanism for integrating new partners’ controls and evaluating the cyberthreats they and their ecosystem risk exposure—and strengthens their resilience. It alerting into the company’s enterprise management. face. The most resilient companies will be those that enables companies to identify critical dependencies best understand, prioritize, and remediate not only the that demand immediate hardening, or vulnerabilities To address these problems, companies are building threats they face, but also those challenging their that represent potential damage to a partner. new organizational mechanisms to ensure security is a ecosystem, while recognizing the business impacts dedicated part of any corporate strategy. GE has CISOs those vulnerabilities pose to partners. Enterprises can learn lessons from the newly assigned to specific regions and business units, to help 14 established New York City Cyber Command, a inform decision-making at a more granular level. And One way enterprise leaders can better understand the government agency tasked with defending the city’s AT&T established its Security Advisory Council, a board risk they and their ecosystems face is by expanding information infrastructure. The group worked with of cross-functional business and security leaders who their approach to threat modeling. Many companies researchers from Wake Forest University and the meet regularly to discuss the most pressing issues 15 practice threat modeling today, mapping out potential University of Maryland to establish a threat modeling facing the organization. threat actors, vulnerabilities, and vectors of attack, procedure for the unit. Within 30 days, the participants then linking those to the business risk each possibility developed 147 unique mitigation strategies, more than In ecosystem-driven business, enterprises must presents. Yet few, if any, are modeling through the lens 60 percent of which were new to the agency. Within understand the challenges faced by every participating of their entire ecosystem. four months, the agency implemented these strategies company. Reframing risk to account for ecosystem to prevent more than 500 unique intrusion attempts, relationships and proactively making security a part of Consider how Strava, a fitness app, had to suspend thwart privileged account hijackings, and close web business discussions will help companies begin to view 12 services after it was discovered that the app’s server vulnerabilities. their own business the way attackers do, leading to anonymized activity map was inadvertently uncovering better preparation overall. But reconsidering what classified US military sites as soldiers tracked their Threat modeling will help companies expose and constitutes risks for the ecosystem is just the 11 workouts. The data did not present significant risk to understand immediate enterprise and ecosystem risk. beginning. Security and IT operations teams can spend Strava or any privacy risk to individuals, as it was But businesses do not stand still—and neither does days fighting the wrong fires if they do not understand aggregated and not personally identifying. But it was risk. Ecosystem partners are changing constantly, the business impact. this very aggregation, coupled with free access to the bringing with them new business ambitions, priorities, information, that generated substantial risk for a subset and operational maturity—yet assessing security risks is of the company’s customer base—and, in fact, for a a step that is frequently bypassed when these business large group of non-Strava users as well. relationships change or grow. Only 38 percent of businesses report including the chief information Threat modeling across an entire ecosystem lets security officer (CISO) when considering new business 13 organizations put themselves in someone else’s shoes, opportunities. Even among those that do, most 63 TECHNOLOGY VISION 2019 THE POST-DIGITAL ERA IS UPON US