About CinqC's future signals
Bringing together expert voices from government, military, legal, business and tech, CinqC's future signals shares news and views you can use with startups, entrepreneurs and small businesses around the globe.
future signals gathers short- to mid-term (18-24 months) perspectives from our signal sources, identifies signal clusters where our experts' opinions coalesce, and highlights outlier signals that may indicate things to come or that you might need to put on your radar. The objective is to share pragmatic and practical advice along with methods you can adopt and tools to help you adapt. These are news and views you can use to create robust future businesses in our ever-evolving world.
The Global Cybersecurity Report, published in June 2021, is available below.
Having organised a series of live discussions with our signals experts at Latitude59, I was determined to find a way to share these diverse opinions on the near future (18-24 months) of cybersecurity when COVID-19 caused the 2021 event to be rescheduled to 2022. Each expert has a different perspective and unique insight on what startups, entrepreneurs and business owners can do to protect their IP, staff, investors and customers and how to create robust future businesses in our ever-evolving world.
Instead of waiting to bring them to Latitude59 in 2022, I interviewed each expert, asking them the same questions, to bring you this pragmatic future signals Cybersecurity Report. The news and views shared by our four signal sources have been summarised and illustrated with excerpts. The report with the full audio recording of each interview is available below.
future signals Cybersecurity Report is created in association with Latitude59 and Startup Estonia and is free and available to all. Please share widely with anyone who may benefit from these expert insights. You can download it here and follow me on Twitter or LinkedIn to receive updates and new future signals reports.
CEO & Founder, CinqC.co
📡 Signal cluster: Cybersecurity responsibility crosses all levels of society, from government to users. But increasingly we need to consider it at an individual level, be it as citizens in society, as employees at work or in our private lives as customers and users.
📡 Outlier signal: We are not winning; our cybersecurity adversaries are getting stronger. Collectively, in public/private partnerships and between teams or staff in small companies and startups, we need to be working more proactively towards cybersecurity.
📡 Signal cluster: 'Zero Trust'.
Audrey Tang: When I think about zero trust, Sandstorm.io comes to my mind; it is Free software, with a capital F, so you can set up your own Sandstorm instance. It allows any public servant in Taiwan to self-serve and install any open source software within the public service. Sandstorm treats each and every one of those applications as hostile and malicious and very strongly sandboxes each application running, actually changing the domain every time a new instance is made to prevent cross-site scripting attacks. Also, it doesn't have an allow list or block list. It's based on capability sharing, so that we always maintain an audit trail of who shared which instance of which document with what person and so on. This allows us to trust but verify. In zero trust configurations we don't trust the applications, we don't trust the user at the edges.
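The three properties described above (a fresh origin per application instance, access granted only by sharing a capability rather than by an allow list, and an audit trail of every share) can be modelled in a few dozen lines. This is an added illustration written for this report, not Sandstorm's own code; the `CapabilityStore` class, the `sandbox.example` domain and the user names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Grain:
    """One running app instance. Its origin is random per instance (constructed model)."""
    grain_id: str
    owner: str
    origin: str


class CapabilityStore:
    """Capability-based access: holding an unforgeable token is the only way in."""

    def __init__(self):
        self.grains = {}   # grain_id -> Grain
        self.caps = {}     # token -> (grain_id, holder)
        self.audit = []    # (action, actor, grain_id, recipient) records

    def create_grain(self, owner, name):
        gid = f"{name}-{secrets.token_hex(4)}"
        # Fresh host per instance: a script in one grain cannot read another's origin.
        origin = f"https://{secrets.token_hex(8)}.sandbox.example"
        self.grains[gid] = Grain(gid, owner, origin)
        self.audit.append(("create", owner, gid, owner))
        return gid, self._mint(gid, owner)

    def _mint(self, gid, holder):
        token = secrets.token_urlsafe(16)  # unguessable, bound to one holder
        self.caps[token] = (gid, holder)
        return token

    def can_open(self, token, user):
        entry = self.caps.get(token)
        return entry is not None and entry[1] == user

    def open(self, token, user):
        if not self.can_open(token, user):
            raise PermissionError("no capability for this grain")
        return self.grains[self.caps[token][0]].origin

    def share(self, token, sharer, recipient):
        # Only a current holder can delegate; every delegation is logged.
        if not self.can_open(token, sharer):
            raise PermissionError("sharer does not hold this capability")
        gid = self.caps[token][0]
        self.audit.append(("share", sharer, gid, recipient))
        return self._mint(gid, recipient)

    def who_can_reach(self, gid):
        """Answer 'who has access to this document?' straight from the capability table."""
        return sorted({h for g, h in self.caps.values() if g == gid})
```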
📡 Signal Cluster: Understand your business, identify your weak spots and assess your risks.
Dan Shefet: There are some good ideas in the GDPR and one of those is the Data Impact Assessment. This data impact study can be downloaded very easily from the European Commission's platform and tells you, step by step, how to perform this exercise: how to produce the flowchart of what happens with the data you collect. Where do you get the data from? What do you do with it? Where does it go? Who do you speak with? How do they get in touch with you? In doing this you will probably find out that there's a lot you didn't know or realise. Once you've done that data impact study you will learn where your weak spots are; then you can start addressing them.
Mike S. Rogers: The number one thing I tell any organisation is you cannot defend that which you cannot see or that which you are unaware of. Everything starts with an accurate picture of what your network structure is, where your data is, what's your supply chain, and your partner relationships. With accurate insights and knowledge you can create cybersecurity strategies that have a much higher probability of success. It's easier to do this up front when you're smaller than it is to wait until you are much larger.
📡 Signal Cluster: Create strategies, policies and awareness based on your most recent reality, and keep them up to date! And create good, clear norms that enable people to follow and build good habits.
📡 Signal Cluster: There are multiple strong signals, from the technical: the need for resilience, segmentation (network, data, access) and randomness, to the human, recognising that we are each increasingly responsible for cybersecurity - that includes not checking our emails until we've had enough coffee in the morning and are fully alert to phishing attempts. There is, however, consensus that we are each responsible for our company's security. Make sure you also check out the outlier signal on how cybersecurity is increasingly a differentiator in your company's value.
📡 Outlier Signal: You have to bake cybersecurity in at the beginning of your business and build it into your capital development strategy.
📡 Clear signal: Be prepared. Know, in advance, your legal obligations, who you need to contact and who will do what.
Mike S. Rogers: Two things: Don't forget about people. Don't forget about culture.
As a CEO, as a leader, ask yourself ‘What kind of culture do you want?’ and that includes cybersecurity. How do you want your workforce and your team to think about cybersecurity? What sort of messages do you want to send?
The human piece is that, as a leader you will spend a lot of time focusing on getting the right developmental engineers, the right people to develop this value proposition that I've created. I would urge you to spend an equal amount of focus on what kind of people you need to ensure you’ve got the right cyber security moving forward. Don't start by thinking, ‘Oh, well, all that matters is product development’; success in cybersecurity is predicated on your ability to maximise a team, not on if you have the best CIO or CSO, or IT department.
Audrey Tang: To give no trust is to get no trust. In Taiwan we empower the people closest to the edge with the full view of the system. Instead of security through obscurity, we invite everyone to serve as white hats and to report which lines of code cause potential resilience challenges. If you search for HitCon ZeroDay, then you can see the templates and a kind of scoreboard: their real-time reports of responsible disclosures of zero-days.
We trust our public this way and they trust back by alerting us. I believe a good relationship with the white hat community is essential; in Taiwan, white hats are national heroes, they meet the President! Even as small and medium enterprises, you can still participate in Bug Bounties and other activities to create goodwill with the white hat community.
Chloé Messdaghi: We need to acknowledge that two parties exist: hackers and attackers. Hackers are security researchers, not extortionists. Attackers use the same skills as hackers but with criminal intent. Hackers can help and serve you, to protect you from attackers. Vulnerability Disclosure Policies are needed so that if hackers do find a vulnerability in your systems they can easily report it to the right people in the organisation. Often when we find a vulnerability we have no way other than social media to reach out, and this often ends up on the wrong desk and sometimes even in legal action. I'd recommend that every organisation create a framework for building communications and relations with hackers that is transparent, has limits, and that enables you to work together to help identify and address flaws and to protect one another. You can find examples of best practices for creating disclosure policies at disclose.io.
Also, stalkerware is an increasing problem around the globe. We have seen a rise in its use, including by nation-state actors trying to access and steal IP. Stalking is a criminal activity and online stalking is too. To find out more go to overstalkers.org. We have built this as a resource to help the public learn more about stalkerware, the signs of stalkerware, and resources and organisations that help victims.
Dan Shefet: Keep training, training, training. Make training and awareness part of your monthly in-house meetings using real-life security breach examples - it can even be good fun, because these stories can be really very, very interesting.
📡 future signals sign out
I'd like to say a big thank you to our expert signal sources for sharing their time, experience and expertise so generously.
Thank you also to the Latitude59 and Startup Estonia teams for sharing this report with their communities across Estonia, the Baltics and around the globe. I look forward to joining you in person at Latitude59 in 2022, 19-20 May in Tallinn, Estonia!
And a special thanks to Maarja P., David T., Gautier D., Jeanne G, Jo P. and Kim C-T. for their help and support in making this first future signals report. 🙏