Why you need a holistic, integrative medical approach to cybersecurity

04 May 2018

It is time for a new metaphor for Cybersecurity, one that draws from the principles of holistic, integrative medicine and focuses on health, well-being, and safety rather than pathology.

In a fascinating conversation I had with Mark Nunnikhoven, VP of Cloud Research at Trend Micro, he mentioned that the job of security shouldn’t be to solve problems so much as to enable businesses to do what they set out to do. This made me realize that what cybersecurity needs is a new set of principles to guide it. Those principles should be inspired by holistic, integrative medicine rather than by the current approach, which resembles Western medicine.

A Medical Approach to Cybersecurity

This year, when you walked the show floor at RSA, it was like walking through a massive textbook on disease pathology. Every single product is about a particular pathology, and most of the products take a Western-medicine approach to cybersecurity: they aim to treat the symptoms of a pathology in the hope of eliminating the problem, or to erect a preventive shield.

Anti-virus is a prime example. In many anti-virus systems, you allow the potentially infecting content in, examine it, and then stop it if it is diagnosed as bad. Is this the only way?

Of course, many of the solutions are preventative, and attempt to stop the cyber-infection from occurring. There are others focused on detection and still others on remediation. But in all of these approaches, the pathology is the focus.

What would an Integrative Approach Look Like?

But while all pathology-focused cybersecurity technologies attempt to work in a way that is as minimally invasive as possible, what’s lost in this strategy is being able to help the business do what it should be able to do. Instead, we need a system that is based on a holistic view of the entire business. This view is designed not to treat pathologies, but to promote health and well-being that allows an organization to maximize performance and thrive in a healthy and safe way. The starting point should not be the pathology but the mission of the business and the activity that supports that mission.

As Andy Ellis, Chief Security Officer of Akamai said in his keynote at RSA 2018, “The goal of cybersecurity should be to enable the business.”

But what does this really mean in practice?

In my view, it means a holistic approach would rest on the following principles:

  • Understand the core activities that are needed to operate a business.
  • Understand the benefit of the activities to the business.
  • Craft or refactor the cybersecurity approach to be minimally disruptive.
  • Use the systems created for cybersecurity to add value to the business.

Refactoring Work with Cybersecurity in Mind

This sort of thinking leads in unusual directions that refactor how people work and change the nature of a cybersecurity portfolio.

For example, Ellis in his keynote described how Akamai has developed a two-factor, password-free approach to cybersecurity that works as follows:

  • When a user wants access to an application, each device authenticates seamlessly to each application, which then triggers a user notification.
  • Then, a notification message is sent to the user’s cell phone. The user responds and gets access. No passwords are used.
  • This approach stops a variety of cyber attacks based on stealing passwords in its tracks.
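To make concrete why a flow like this leaves no password to steal, here is an added illustration (constructed for this article; it is not Akamai's code, and the class names, message shapes and enrollment model are assumptions). The device proves possession of a secret provisioned at enrollment, then the server pushes to the user's phone for approval; the flow also shows why a captured challenge-response cannot be replayed.

```python
"""Added illustration: password-free login = device challenge-response + phone push.

Constructed for this article; not Akamai's implementation. Class names,
message shapes and the enrollment model are assumptions.
"""
import hashlib
import hmac
import secrets


class AuthServer:
    """Knows each enrolled device's secret and which phone to push to."""

    def __init__(self):
        self.device_keys = {}    # device_id -> secret provisioned at enrollment
        self.device_phone = {}   # device_id -> phone_id that receives the push
        self.phones = {}         # phone_id -> Phone (stands in for a push service)
        self.pending = {}        # outstanding challenge -> device_id (single use)
        self.sessions = set()

    def enroll(self, device_id, phone_id):
        """Provision a per-device secret; returns it so the device can store it."""
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        self.device_phone[device_id] = phone_id
        return key

    def register_phone(self, phone):
        self.phones[phone.phone_id] = phone

    def issue_challenge(self, device_id):
        if device_id not in self.device_keys:
            return None
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = device_id
        return challenge

    def verify_device(self, device_id, challenge, response):
        """Factor 1: the device proves possession of its enrolled secret.
        The challenge is consumed here, so a captured response cannot be replayed."""
        if self.pending.pop(challenge, None) != device_id:
            return False
        expected = hmac.new(self.device_keys[device_id], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def push_approval(self, device_id, app):
        """Factor 2: the user's phone gets a notification and answers it."""
        phone = self.phones.get(self.device_phone[device_id])
        return phone is not None and phone.receive_push(device_id, app)

    def grant_session(self):
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


class Device:
    """An enrolled endpoint holding its provisioned secret (never a password)."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self.key = key

    def answer(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Phone:
    """`decide(device_id, app)` stands in for the human tapping approve or deny."""

    def __init__(self, phone_id, decide):
        self.phone_id = phone_id
        self.decide = decide

    def receive_push(self, device_id, app):
        return bool(self.decide(device_id, app))


def login(server, device, app):
    """Full flow. Returns a session token, or None. No password exists anywhere."""
    challenge = server.issue_challenge(device.device_id)
    if challenge is None:                       # device never enrolled
        return None
    if not server.verify_device(device.device_id, challenge, device.answer(challenge)):
        return None                             # wrong or missing device secret
    if not server.push_approval(device.device_id, app):
        return None                             # user denied, or no phone on file
    return server.grant_session()


if __name__ == "__main__":
    srv = AuthServer()
    srv.register_phone(Phone("phone-1", lambda dev, app: True))
    laptop = Device("laptop-1", srv.enroll("laptop-1", "phone-1"))
    print("enrolled laptop gets a session:", login(srv, laptop, "payroll") is not None)
    print("unenrolled laptop:", login(srv, Device("laptop-9", b"\x00" * 32), "payroll"))
```

The point the sketch makes for a defender: there is no shared secret a user could type into a phishing page, and an intercepted challenge-response is worthless because each challenge is consumed on first use. What remains to protect is the enrolled device secret itself and the phone that receives the push, which is where a real deployment's hardening effort belongs.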

Another similar refactoring is part of the Authentic8 product, which refactors the problem of antivirus protection by preventing anything bad from getting into your system in the first place. Scott Petry, the CEO of Authentic8, told me that he believes the antivirus model is broken because you concede so much upfront — companies let the bad stuff in and then try to combat it. Authentic8’s solution runs the browser on a remote server, so when a virus attacks the browser, it doesn’t get inside the core computing infrastructure. This refactoring simplifies the antivirus problem in many ways. While it introduces the risk of usability problems, since all browsers then run like virtual desktops, in most instances this will provide a superior alternative to other antivirus approaches. Authentic8’s approach is thus not about symptom treatment, but preventive wellness.

But these sorts of refactorings are just the beginning. I’m interested in thinking this through more completely and attempting to define what a comprehensive holistic approach would be.

From Cybersecurity to CyberSafety

I left the conference with the perspective that consolidation needs to happen (or perhaps must), and that the path towards such a consolidation of all these component systems lies through a vision of holistic and integrative cybersecurity. Perhaps this needs a new name, because, as one person suggested to me, the idea of cybersecurity has missed the point. We don’t talk about automobile security; we talk about auto safety. We talk about public health. Maybe that’s what we need in the world of cybersecurity: we should speak of cyber safety that enables the business to do what it must do in the safest manner possible.


Read the original article on Forbes.
