Executive Viewpoint

The Cybersecurity Innovation Mindset

Cybersecurity innovation defined

Innovation (the verb) is the process of creating and delivering customer value. An innovation mindset is one that deeply understands the customer’s desired outcomes and creates value through new tools, processes, and approaches to facilitate those outcomes.  In the case of cybersecurity innovation, it is not just going to be about ways to prevent loss of integrity, availability, or confidentiality. Security innovation in our Zero Day hyperconnected world recognizes the value of trust, manageability, flexibility, and sustainability as outcomes and finds ways to ensure that customers have those attributes as a reliable part of their experience without the hassle usually associated with implementing security. 

Cybercriminals are using innovation against us 

Our adversaries have a decent innovation mindset. It begins with the value proposition. And the value proposition for them is clear: disrupt rival governments, contribute to the decline of social cohesion, and make trillions of dollars in the meantime to sustain their operations.

Cybercriminals innovate to develop tools, techniques and procedures that exploit changes that come from digital transformation. As an example, ransomware is becoming more sophisticated and has evolved to target Linux multi-cloud environments, according to a recently released VMware Threat Analysis Unit report. Cybercrime cartels are organized and have an effective network of providers and collaborators with financial backing, as well as computing infrastructure from cloud jacking, and a fintech infrastructure that makes it hard to trace the transfer of money. Their business model is iron-clad and, for now, it is sustainable.

Barriers to security innovation 

Mindset is the biggest barrier to innovation. We think about innovation the wrong way. People confuse invention with innovation, according to Curt Carlson, former President of SRI International, considered by many to be the heartbeat of Silicon Valley. Technologists often come up with a great idea that they love and then go in search of the problem they believe that it solves. This almost always misses the boat on value creation and makes it difficult to have a viable and sustainable business model. From a perspective as a serial CISO, many security inventions filled a short-term need, then disappeared from the landscape of viable products because they solved a problem without understanding the implications of the solution. An example of this would be an operating system that pops up with a query for every action initiated by the end user that says, “Are you sure?” The opportunity for the security industry is to imagine what it would take to delight our customers with security products that are intrinsically secure. We need products that solve the problems that customers have and will have, and that are technologically sustainable within the framework of IT as customers experience it today and as it will evolve in the future.

What innovation needs to flourish  

Innovation works best in community. Let me illustrate with an example from the aerospace industry: every time the Boeing company produced a new widebody aircraft design, it bet the whole company on its development, design, and production. When Boeing designed the 777 aircraft in the 1990s, it was the first aircraft to go straight from a 100% digital-definition to production. No commercial aircraft had ever been built that did not require a physical mockup and a lot of expensive re-engineering before it could go into the production cycle. Even during production, planes built prior to digital definition required a lot of shims to make ill-fitting parts come together and it added a tremendous amount of weight to every aircraft. The intention of the new widebody 777 was to produce a better aircraft that was more efficient for airlines to operate, was a better experience for crew members and passengers, required fewer retrofits, and was much easier to maintain with less downtime at the gate. What came out of this approach to building commercial aircraft, and these desires, was a new design-build process that completely revolutionized the aerospace industry.

The community was key to its success.  Boeing used design-build teams that included participants representing all the people who interact with the aircraft: aircraft maintenance, flight crews, engineering, assembly line, owner/operators, and even passengers. Teams had a high degree of trust and processes ensured that handoffs between teams were effective because teams all throughout the engineering process understood what each other needed to be successful. The opportunity for innovation was also democratized – it did not have to be driven from the top. A small team of software engineers in Boeing’s research and technology division built a VR capability called “fly-through” that allowed a visual walkthrough of all the spaces in the digital aircraft before committing a design to production.  You could say the idea “took off” as the value of this innovation initiated by a small team had impact on the design-build process far beyond anyone’s imagination and it revolutionized the company’s ability to check for design flaws. The process for innovation was not only open to everyone, but it was also encouraged by the open, collaborative environment. At the rollout of the first aircraft in Everett, Washington, everyone in the company felt a part of the first 777 – the first aircraft in history to be digitally produced and go straight from design to production and delivery without a physical mockup. To top it all off, the plane, which went straight into service with United Airlines, was named “People Working Together.” 

What are some lessons from Boeing back in the 777 days that could improve cybersecurity innovation today?  Well, innovation happens in an environment that has high trust, open dialogue, and psychological safety, that fosters a deep understanding of how the customer will use the product, and what it will take to delight THEIR customers. An innovative environment fosters the opportunity for everyone in an iterative cycle of ideation, proposal, critique, and revision. Innovation for cybersecurity deeply understands the framework of identify, prevent, detect, respond, and recover and it builds for manageability, usability, flexibility and sustainability across processes that customers understand. It means we step into the shoes of the CISO and CSO, but also understand the perspectives of the rest of the stakeholders, like the CIO, CFO, Chief Audit Executive, General Counsel and end users. It means that innovators internalize security as pervasive technologically and organizationally and understand that it has an impact on culture. 

What innovation means for customers 

Security innovation produces what I call “future ready security.” We live in a VUCA Zero Day world and that is not going to change, so it is up to us to anticipate and build trust into our systems that enable business flexibility, resilience, and secure DevOps at scale. It means we create security models that are not overly onerous to implement and are adaptable to changing technology and business models. It means that we deeply understand customers’ desires so that we can innovate a solution that they truly need. It means that we understand the way our customers work, how their organizations are structured, and how roles and responsibilities are carried out. Security innovation is not just technology – it must consider the three-legged stool of people, process, and technology.

The opportunity for VMware and every other security technology company is to create solution sets in collaboration with our customers – to facilitate the design-build teams so that when we deliver a solution set, they are ready organizationally and functionally to get the business benefit as well as the maximum security functionality that positions them for whatever comes after what comes next, at the speed of business, and at scale. 

Making that mind shift today and tomorrow 

I’d love to see an industry consortium of seasoned security leaders come together and envision what is possible for security in the future. Dream it. Speak it. Do it. Stop thinking in silos and stop focusing on what is broken instead of what we really want. Think in terms of function and then imagine what it would take to get there. A customer-vendor collaboration that understands the present and looks to the future to solve existing challenges without blocking the path to new business opportunities could revolutionize the way cybersecurity is designed, implemented, and maintained. In cyber, as in aerospace, everybody wins when the design-build team works together.