Someone on LinkedIn said that enterprises can become more cyber secure if they identify, choose, and ensure that the firms they choose to conduct commerce with have “value” and are cyber secure. (That statement triggered this blog post.)
However, even systems we believe have value will themselves connect to other systems (which we may or may not know about) … and those systems will also connect to other systems which will connect to other systems which will connect …
We don’t live in a world where only a few systems that we know about connect to each other.
We live in a world of systems connected to other systems connected to other systems … and this reality is only going to continually expand in multiple dimensions and multiple directions. All of society’s systems are being interconnected in a variety of ways – that includes systems that enterprises know about and systems they do not know about.
It is not possible to ensure either the value or the cyber security of every system (or process or activity) of every enterprise or person that is connected to the web and “touches” your company in some way. Some of those systems could be your client’s systems, your prospect’s systems, your outside counsel’s systems, your regulator’s systems, your …. (I think you get the point).
More generally, even if enterprises know why they are connecting with their ecosystems, they are not in control of the ecosystems that those ecosystem enterprises connect with, or of the enterprises in those ecosystems that connect with still other enterprises, or ….
It’s never a matter of any one enterprise deciding what the totality of its interconnections should or will be. That one enterprise does NOT know, and never can know, the totality of its interconnections.
The above trigger statement was the response to my statement: I believe that if a company changes its (risk management) thinking; implements risk-based, business-driven and integrated risk management initiatives; and complies with SEC cyber regulations, cyber regulations of its industry, follows the guidance of its lawyers (whether internal or outside counsel), and becomes cyber resilient:
That responsible firm, doing what it should do, will continue to be a target to be cyber attacked multiple times. And it probably will be attacked more than once.
Enterprises can’t choose and secure – even through legal contractual obligations – all the web-connected entities they have chosen to conduct commerce with.
That luxury doesn’t exist in our expanding digital world of commerce.
Why?
It is not just a matter of enterprises choosing systems to connect to and setting up risk management controls for those connections.
Cyber-attack spaces are fluid Nth Dimensional spaces
Cyber-attack spaces are fluid Nth dimensional, never-ending, always-expanding, topographical spaces spreading into infinity.
Every instant a new digital artifact is connected to the web, the Nth dimensional cyber-attack space expands in multiple dimensions and multiple directions.
Every instant a new physical artifact embedded with digital content (or embedded with Telco capabilities) is connected to the web, the Nth dimensional cyber-attack space expands in multiple dimensions and multiple directions.
Every instant an animal with an IP-enabled sensor attached to it or embedded in it is connected to the web, the Nth dimensional cyber-attack space expands in multiple dimensions and multiple directions.
This reality of commerce in the digital world enables cyber hackers to always be ahead of cyber prey.