Partnerships in the era of digital transformation
More than ever, partnerships between the public sector and private companies are essential for effective cybersecurity. By sharing information and resources, resources and expertise can be better leveraged to identify new threats and develop innovative solutions to protect sensitive information and systems.
At the CXO Plenary held at GovWare 2022, representatives from the industry and the Cyber Security Agency of Singapore (CSA) gathered on stage for a candid, wide-ranging discussion about the role of cybersecurity partnerships in this era of digital transformation.
Specifically, they addressed burning questions such as the relevance of public-private partnerships, why collaboration is the critical linchpin to turn the tide, and key stakeholders in our call to arms of our perpetual digital adversaries.
Our adversaries are extremely good at collaboration. Think about the dark web. Do you think they only sell stuff to each other? I don't think so. They also gift it to each other because they are very good at building fraternity and community on the dark web – better than us.
– Daryl Pereira, APAC CISO – Director, Office of the CISO, Google Cloud Asia Pacific
Understanding the public sector
Though it is tempting to generalise the public sector, Selwyn Scharnhorst, a director at CSA, observed that any government reflects the many varying and diverse needs of the country: “Don't mistake the government for being a monolithic entity. Those of you who come from different sectors, you will know that the rules, the regulations, the way [the government] think about things in those sectors do change.”
“Some sectors are a little bit more IT-intensive, some of them are a little bit more [Operational Technology]-intensive. And so even trying to think about what cybersecurity means and how it works for each of those sectors can be quite difficult,” said Scharnhorst.
Why are public-private partnerships relevant? Scharnhorst says this boils down to the accelerated pace of development today and the scarcity of talent. To access the necessary expertise, it is often necessary to collaborate with those who possess the relevant skills and knowledge.
“There are very few companies that are big enough to have the resource and expertise within themselves to [tackle every challenge by themselves]. Regardless of whichever sector you are in, as long as you are feeling [competitive] pressures, as long as your competitors are digitalising, I think partnerships are going to be an essential part of how you compete and how you differentiate yourself,” Scharnhorst said.
Collaborating for good
Speaking about the low barrier of entry to cybercrime, Daryl Pereira, the Asia Pacific CISO at Google Cloud gave a sombre and timely reminder about the need for white hats to work together.
“People are attracted to making money the easy way. And in the digital world, making money can be extremely easy, because you don't even need to leave your house. All you need is a computer, USD100 to buy a basic training course with video tutorials and templates; that’s the barrier of entry for how to hack,” he noted.
“Our adversaries are extremely good at collaboration. Think about the dark web. Do you think they only sell stuff to each other? I don't think so. They also gift it to each other because they are very good at building fraternity and community on the dark web – better than us.”
“Many of the major organisations have a good corporate citizenship motto or mission. They are the ones you want to lean towards. Because if they truly believe what they are espousing about being good corporate citizens, they are not going to say: I don't want to do this, because it's not going to make us any money, or that's not the right person to partner with,” said Pereira.
The erosion of the perimeter
Dr Yuriy Bulygin, the CEO and founder of Eclypsium highlighted the erosion of the traditional perimeter due in part to paradigm shifts such as remote work as he cautioned that perimeters might well be a thing of the past.
“I think [the move towards distributed environments] will continue to the extent that none of the perimeters will exist, or at least physical perimeters as we understood them for the last 30 years. All environments will become distributed. We are already seeing that with the employees in the workforce right now.”
According to Bulygin, the trend toward distributed architecture is also evident in the move towards edge data centres, cloud deployments, and even 5G infrastructure. And securing this dispersed environment calls for new strategies.
“[We must] completely rethink how we apply our security principles. We cannot no longer rely on any sort of perimeter defence, there must be some validation of each asset that the distributed environment relies on,” he said.
Indeed, the proliferation of digital systems and the interconnectedness of the global supply chain necessitates the validation of every component. “We are all part of one global supply chain because every organisation is building something that others rely on. While building our [own] products, we also rely on thousands of technologies, from software to hardware... we are all part of the supply chain,” said Bulygin.
In pursuit of rightness
How can the industry band together to succeed given these challenges? Partnerships should not be limited to the public sector working with the private sector, but must also include academia and associations, says Pereira of Google Cloud. Academia is the pursuit of knowledge that is neither privatised nor public, while professional associations are volunteer organisations made up of professionals representing their private self, he explains.
“A call to arms to collaborate must include all four components. We are fighting a losing war, the bad guys know how to collaborate better, so why can't we? When all four quadrants lean in together, I think we can come up with a [far stronger] ability to defend.”
Pereira appeals to the sense of justice, or rightness, as a common ground for defenders to work together. “When you see someone get a friend, family member, or random stranger being targeted by a cyberattack… Does it irritate you that these things occur, do you feel outraged, do you feel sad for the victim? If you do, that's the common ground why we are on this side of the [fence]. Having that common thread of moral outrage, and the desire to do right is common human behaviour.”
For those looking to get started, Scharnhorst has a suggestion – work with those who share their common values: “The world is moving quickly. Geopolitics is more complex than before; there’s a lot more uncertainty. You are not going to have all the talent and resources you need to get things done. Working together with someone who shares your common values, who brings a different set of expertise to the game, helps.”