Sections

Commentary

Idea to retire: Cybersecurity kills innovation

The “security disables” paradigm plays out in a multitude of ways. Government project leaders leave security requirements off the list within top innovative priority projects and keep cyber professionals off mission-critical teams, thinking that innovation will be slowed. On other occasions, innovation projects may not get priority treatment because of security concerns.

Technology companies selling products and services also fall into the same trap. New application-specific functionality becomes the “must have” priority over security functions. Generally speaking, a “first to market” mindset is articulated, with a view that security can come later. Developers see the biggest opportunity in “cool new features” and business functionality rather than secure code that is penetration-tested and checked for security vulnerabilities.

Although history has shown that both public and private sector business leaders deploy new solutions with the mindset that security slows down innovative opportunities, the reality is the opposite. From Wi-Fi and cloud computing to mobile devices and social computing, security enhancements came long after initial deployments. Had better security been included from the start, the later costs incurred from vulnerability remediation and data breach cleanup would have been less.

One example of this was the deployment of Healthcare.gov, which was launched before proper security was in place in 2014.Critical vulnerabilities were missed, which if addressed could have improved the public’s perception of the overall project rollout.

A new mindset

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Cybersecurity is a primary responsibility for all developers, project managers, and end users. Also, the security of a product is a core functional requirement and as important as the most innovative feature that is marketed. Entrepreneurs who sell to government will be more successful if they sell secure products from version 1.0, rather than holding off and making security a 2.0 or 3.0 enhancement for later consideration.

Too often government leaders think of security as a disabler or an unnecessary evil that limits progress. Many government business leaders see cybersecurity as some else’s job that slows them down and won’t get them promoted or lead to project success. An “us or them” mindset is common nationwide in federal, state and local governments when it comes to working with cybersecurity teams.

Oftentimes, security features are seen as expensive roadblocks that kill innovation or cost too much to implement. Even when security features are available, shortcuts are often taken that disable these capabilities. Integrators and system administrators are regularly asked to turn-off security monitoring capabilities “just until we get things going.” Sadly, audit findings reveal that security is rarely re-enabled even years later.

Too many government technology and security teams spend their precious time recovering from incidents and data breaches and dealing with after-action reporting and response. While this work is important, the age-old saying “an ounce of prevention is worth a pound of cure” applies to cybersecurity.

Security is a critical part of the innovation solution

Changes in thinking are needed by several various groups.

First, executives need to build security into government solutions from the start of projects and throughout the entire lifecycle. They should see cybersecurity as a tool that enables new possibilities to break down old barriers, and provide enough resources to ensure security is done right. While everyone must recognize security as part of their role, security ambassadors need to be included on key strategic project teams. Oftentimes, security is an afterthought for major projects, or security is added only after a data breach. This must change.

Second, an assessment and a prioritized inventory of innovative solutions, potential risks, and tradeoffs should be developed by a combination of technology developers and managers. Both public and private sectors decision-makers collaborating on and sharing this assessment. In addition, staff training and education should be conducted in order to minimize attitudinal barriers identified in the U.K. by Cisco and other studies.

Third, security and technology professionals need to stop saying “no”, and instead strive to:

  • Offer workable alternatives to provide deliverables on time, on budget, with the right level of security.
  • Examine global best-practices and innovative approaches to solve security and privacy concerns
  • Empower new capabilities that will maintain trust with citizens and staff.

History repeats itself regarding technology and security. No doubt, the specific hardware, software, operating systems, frameworks, issues, vulnerability, and threats change daily. But whether we are talking about Wi-Fi or new technologies, the same fundamental challenge remains for technology and security professionals: Are you bringing problems or solutions?

Security teams can build more trust with enterprise staff by using a risk management approach to focus on the most serious situations. They can share compelling stories and real-world examples with end users in security awareness training, newsletters, and tips.

Fourth, new technology deployments in cutting-edge new areas such as big data, the Internet of Things, and artificial intelligence need to include security experts and practitioners from the start. The privacy and security implications of collecting various types of data should be reviewed from a holistic perspective, with experts from legal, HR, technology management, procurement, strategic planning and other business areas playing a role in determining how best to securely deploy innovative solutions.

Simply stated, security is a central component of innovation, as identified by the White House in their move to accelerate innovation in cybersecurity research and development.

There is an unavoidable, symbiotic relationship between innovation and security. The benefits of innovation are not possible without the risks.

However, effective security builds trust and is a win/win/win for the public sector, private sector, and citizens. If we are to improve trust in government, better security is an innovation imperative which starts with a different mindset towards developing secure applications and systems from the start.

The Brookings Institution is committed to quality, independence, and impact.
We are supported by a diverse array of funders. In line with our values and policies, each Brookings publication represents the sole views of its author(s).