360 Degree Security: Why Do We Need to Look Beyond Just Cybersecurity?
Security today goes far beyond just cybersecurity, as Thomas Tschersich from Telekom Security emphasized at eco’s Internet Security Days. He highlights the need for a 360-degree approach that addresses cyber threats, workforce challenges, geopolitical risks, and supply chain vulnerabilities.
If you take a look at the media on the subject of security, it is often limited to two aspects: cybersecurity, including vulnerabilities in systems, and personal security services. However, behind the term security we subsume topics that go far beyond this – such as geopolitical influences, changes in the labor market, or new technologies. In my keynote at eco’s Internet Security Days (ISD) on 11 September, we examined the challenges of our time and identified what we should have on our radar when it comes to security.
Rethinking security: A comprehensive approach
Traditionally, organizations have approached security through a narrow lens, focusing on certificates, audits, and processes that often become convoluted and bureaucratic. The policies drafted often go unacknowledged by the very personnel expected to follow them. This oversight leads to a burdensome documentation process that ultimately serves little purpose.
What we need instead is a shift towards practical and operational security measures. The conventional ISO 27000 certification may indicate a foundational capability in security, but it does not guarantee actual safety. A more pragmatic approach that encompasses real-world challenges and operational readiness is vital.
Workforce challenges: The talent shortage
The labor market presents significant challenges for organizations, particularly in Western Europe. According to the Federal Statistical Office of Germany, about 20% of the workforce may exit the labor market in the next three to five years due to retirement, leaving a substantial gap that younger generations may not fill. This demographic shift could profoundly impact various industries, including hospitality and healthcare, but it will also inevitably affect the tech sector.
To navigate this impending crisis, companies must invest in automation and AI technologies to maintain productivity with fewer employees. Deutsche Telekom Security’s investment in automation has allowed it to remain competitive, even against countries with lower labor costs. However, technology alone cannot solve this problem. Companies must also prioritize becoming attractive employers to attract and retain talent. This involves offering competitive benefits, flexible working conditions, and comprehensive training programs to meet evolving employee expectations.
The intersection of workforce management and security may not seem direct at first glance, but it is crucial. If companies struggle to fill essential roles, their ability to maintain security protocols and manage risks will be severely compromised.
Geopolitics: The fragile landscape
In a world increasingly marked by geopolitical tensions, understanding these dynamics is critical for effective security strategies. Drawing parallels to historical periods of East-West tensions highlights the complexities of current geopolitical landscapes, particularly concerning China. The dependency on Chinese manufacturing poses risks; if conflicts arise, such as those surrounding Taiwan, organizations must be prepared to respond.
What needs to be done?
To navigate the geopolitical landscape effectively, organizations should undertake the following measures:
- Analyze dependencies and critical operational risks: Businesses must conduct thorough assessments of their supply chains to identify dependencies on specific countries or regions. Understanding these dependencies allows companies to foresee potential vulnerabilities in their operations, especially in politically unstable areas.
- Establish processes for conflict situations: Developing clear protocols for responding to conflict situations is crucial. This includes having crisis management teams in place, ready to act swiftly in the event of geopolitical disruptions. Organizations should outline communication strategies, emergency procedures, and contingency plans to ensure a coordinated response.
- Conduct risk assessments for countries with production sites: Companies must regularly evaluate the geopolitical risks associated with their production sites. This includes monitoring political developments, regulatory changes, and economic conditions in these regions. Regular risk assessments enable businesses to make informed decisions about their operational strategies and, if necessary, to relocate or diversify their production capabilities.
By adopting these measures, organizations can better prepare for and mitigate the risks posed by geopolitical influences.
Supply chains: A critical consideration
The interconnectedness of global supply chains underscores the need for resilience and continuity management. Regular supplier reviews and the incorporation of security-related factors in supplier evaluations are particularly important. Establishing contingency plans, such as local storage solutions, can provide a buffer during crises and ensure continuity in operations.
What needs to be done?
To enhance supply chain security, organizations should implement the following strategies:
- Securing supply chains: Establishing robust supply chain resilience and continuity management is critical. Companies should develop comprehensive strategies that address potential disruptions and ensure that operations can continue smoothly during crises. This includes identifying critical suppliers and mapping out alternative sourcing options.
- Considering security-related factors in supplier scoring: When evaluating suppliers, organizations must integrate security-related factors into their scoring criteria. This ensures that suppliers not only meet product or service specifications but also adhere to necessary security standards, thereby reducing risks within the supply chain.
- Regular supplier reviews: Ongoing assessments of supplier performance are essential for identifying any emerging risks. Conducting regular reviews allows organizations to monitor compliance with security protocols, ensuring that suppliers remain trustworthy partners.
- Developing supply redundancy concepts: Organizations should create redundancy within their supply chains to mitigate the impact of disruptions. This might involve identifying multiple suppliers for critical components or products, ensuring that companies are not overly reliant on a single source. Implementing redundancy can enhance resilience and flexibility in the face of unforeseen challenges.
The shift away from just-in-time production methods, common in the automotive industry, must also be reconsidered. Companies should explore maintaining stockpiles of essential components to bridge gaps during disruptions, whether caused by natural disasters or geopolitical events. This proactive stance is integral to robust security strategies.
Criminality: Addressing emerging threats
As technology evolves, so do the tactics of cybercriminals, making it essential for organizations to fortify their defenses against increasingly sophisticated threats. Identity theft, ransomware, and other criminal activities pose significant risks to businesses and individuals alike.
What needs to be done?
To combat the threat of criminality, organizations should consider the following actions:
- Further development of protective measures: Investing in and developing comprehensive protective measures is critical. Organizations must enhance their defenses against identity theft, ransomware, and other forms of cybercrime. This involves implementing advanced security technologies, including encryption, multi-factor authentication, and intrusion detection systems.
- Emergency drills and runbooks for crisis situations: Preparing for potential crises through regular emergency drills and developing clear runbooks is essential. Organizations should simulate various crisis scenarios to ensure that employees know how to respond effectively. This preparation helps to minimize the impact of incidents and ensures a coordinated response.
- Raising awareness and training employees: Employee awareness and training are crucial components of a strong security posture. Organizations should conduct regular training sessions to educate employees about the latest threats, safe online practices, and how to identify potential security risks. An informed workforce can serve as a vital line of defense against criminal activities.
- Intensifying exchanges with third parties: Collaborating with public and private sector entities can significantly enhance an organization’s security posture. By exchanging information about emerging threats and best practices, organizations can better prepare for and respond to criminal activities. This collaboration also helps build a community of support and shared knowledge in the fight against crime.
Technology: Addressing the digital landscape
The technological landscape presents both opportunities and challenges for organizations, necessitating a proactive approach to security management. Many organizations lack comprehensive inventory and asset management practices, leaving them vulnerable to attacks. Addressing these issues requires a focus on several key areas.
What needs to be done?
To strengthen technology-related security measures, organizations should prioritize the following actions:
- Inventory and asset management: Establishing robust inventory and asset management practices is crucial. Organizations need to maintain accurate records of all digital assets, including software, hardware, and network components. This visibility allows for better management of vulnerabilities and aids in effective incident response.
- Security patch management: Regularly updating and patching software and systems is vital to mitigating risks. Organizations should implement a comprehensive security patch management strategy that ensures timely updates to address known vulnerabilities, reducing the window of opportunity for attackers.
- Addressing AI – Recognizing opportunities and risks: As AI technology continues to advance, organizations must assess both the opportunities it presents and the associated risks. Understanding how AI can enhance security measures while being mindful of potential misuse is essential for effective risk management.
- Identity and Access Management: Implementing strong Identity and Access Management (IAM) protocols is critical for safeguarding sensitive information. Organizations should adopt multi-factor authentication and role-based access controls to ensure that only authorized personnel can access critical systems and data.
- Impact of quantum computing on cryptographic mechanisms/crypto transparency: Organizations should proactively evaluate their cryptographic protocols in light of the potential impact of quantum computing. Planning for future quantum threats and ensuring transparency in crypto mechanisms will be essential for maintaining data security in the coming years.
The evolving threat of organized cybercrime
While nation-state attacks often dominate headlines, organized crime now poses a far greater threat to businesses of all sizes. The rise of the dark web has made it alarmingly easy and affordable for these criminal syndicates to launch devastating attacks like Distributed Denial-of-Service (DDoS) assaults. The ease with which cybercriminals operate has outpaced organizational defenses.
To combat this threat, organizations must prioritize cybersecurity hygiene, including timely software updates and vulnerability management. Many companies fail to act quickly upon receiving alerts about critical vulnerabilities. An alarming statistic reveals that mass scans for vulnerabilities occur within just hours of a critical update being released. Organizations must therefore cultivate a culture of urgency and accountability in responding to security alerts.
Regulatory landscape: Balancing compliance and practicality
The regulatory environment poses its own challenges, particularly for small to medium-sized enterprises (SMEs) grappling with compliance amidst a plethora of regulations like NIS1 and NIS2. Excessive regulation may stifle innovation and overwhelm organizations, pushing them toward inaction.
To address this issue, businesses need guidance on which regulations are essential and which can be deprioritized. Developing practical frameworks that outline key steps for compliance can empower SMEs to navigate the regulatory landscape without being overwhelmed. Simplifying compliance processes will allow companies to focus on core security measures rather than getting lost in paperwork and certifications.
Navigating the age of AI: Trust and verification
The rise of generative AI presents unique challenges, particularly regarding trust and verification. In general, the ability to create hyper-realistic avatars raises questions about identity and authenticity. This technology has profound implications for privacy and security, as malicious actors could easily create misleading or damaging content.
To combat these challenges, businesses must adopt verification mechanisms, such as digital signatures, to ensure authenticity and validate identities. Establishing robust security measures for virtual interactions will become increasingly vital in a world where distinguishing fact from fabrication is growing more complex.
Conclusion
The traditional understanding of security as merely a matter of IT defenses is outdated. As we navigate an increasingly complex and interconnected world, organizations must embrace a 360-degree perspective on security. By recognizing the multifaceted nature of security—encompassing workforce challenges, geopolitical dynamics, supply chain resilience, criminality, technological advancements, and regulatory frameworks—businesses can better prepare for the challenges ahead.
It is time for organizations to take action. By implementing practical strategies and fostering a culture of security awareness, companies can navigate the evolving landscape and protect themselves from an array of threats.
Thomas Tschersich has more than 25 years of experience in cybersecurity. In his role as Chief Security Officer (CSO) of Deutsche Telekom AG, he is responsible for Deutsche Telekom’s operational security issues as well as cybersecurity. He is also Chief Executive Officer (CEO) of Telekom Security. Tschersich is Chair of the Board of Management at “Deutschland sicher im Netz” (DsiN) and is active in numerous advisory functions, including as a member of the Cybersecurity Council and the UP Kritis Council and on the Advisory Board at ENISA.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.