This is news to absolutely no one: Cybersecurity is becoming more important, cyber crime is on the rise, and the systems we use are more complex and harder to protect.
News or not, let's break this down into smaller chunks.
Cybersecurity is becoming more important. 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem. This means that cybersecurity is being discussed alongside key results such as revenue and profit, and elements of a corporation's strategic roadmap. In other words, non-IT people are aware, and care enough to budget large amounts for cybersecurity.
Cyber crime is on the rise. A report in Cybercrime Magazine in 2020 predicted that global cybercrime damages would reach $6 trillion in just a few years. An Accenture study from 2019 showed that the average cost of a single malware attack was $2.6. These numbers are continuing to rise, despite the growing budget and market of cybersecurity services.
The systems we use are more complex and harder to protect. A few key points from the Gartner report above show that:
Security leaders feel that the trend of distributed ecosystems (remote work, cloud based processing, global B2B partners with significant data sharing needs) is creating a "loss of direct decision-making control."
Leaders not only have to pay attention to their own security, there is a rising need to ensure that organizations they do business with are well protected also.
There is a growing sense of burnout among cybersecurity leaders due to the combination of having to fight for enough budget, dealing with vulnerabilities within and without, and always needing to maintain extreme vigilance.
Given these issues, let's dig into one of the most promising strategies to deal with them: Cybersecurity Mesh. We will discuss what it is, why it works, and the ideal standards for cybersecurity mesh strategy.
What is Cybersecurity Mesh?
Other than sounding like a hacker-proof shirt, what exactly is a cybersecurity mesh? It can be thought of as an architecture or a strategy, and is really a collection of practices that move away from a central firewall and a single security protocol, and move toward a number of supportive and interoperable layers of security, identity fabric, and policy. The goal of this mesh is to set up security around each node in a network, ensuring that each node is validated and helps to validate any nodes it interacts with. Further, the mesh doesn't care whether an interaction is inside the company's system or outside. Even external connections must be verified and become part of the mesh system. This is critical because the system must protect itself from all threats, and protection should not stop at a company's physical or virtual border.
Think about it this way. In a traditional company, you might be given a security badge that either gets you past the front security desk, or gets you through the card reader in the unguarded side entrance. Once you are in, you can go just about anywhere (except a few offices with physical locks). This is akin to a traditional company's IT strategy, with a large external firewall, a handful of user-based access rules, and not much else. Now consider the company as a series of small cubes and doorways. A user is able to use their pass to go directly to the area they have permission to complete a task. If a visitor comes, they are given a badge with their explicit instructions and their badge will guide them through the building to where they are allowed to go. If you try to go somewhere you shouldn't, the doors in your area shut (presumably there is a trap door that catapults you out of the building). This is essentially what the cybersecurity mesh does. It is scalable to grow as your business does, it is interoperable, and the various identities coordinate with permissions and access.
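The badge-and-doorway picture above, reduced to code as an added illustration (this is not Naoris code or anything from the article): each node enforces its own door check, the badge carries an explicit list of nodes its holder may reach, and the request's origin is recorded but never used as a trust signal, so an internal address gets no shortcut. The shared signing key and the node and subject names are constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the identity fabric's signing key.
# A real mesh would anchor this in per-node key material, not one shared secret.
FABRIC_KEY = b"constructed-demo-key-not-for-production"


def issue_badge(subject, allowed_nodes, ttl_s=300, now=None):
    """Issue a scoped 'badge': an HMAC-signed claim naming exactly which nodes
    the holder may enter, like the visitor badge with explicit instructions."""
    exp = (now if now is not None else time.time()) + ttl_s
    claims = {"sub": subject, "nodes": sorted(allowed_nodes), "exp": exp}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(FABRIC_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


class Node:
    """One doorway in the mesh. Every request is checked here, whether it
    comes from inside or outside the corporate network."""

    def __init__(self, name):
        self.name = name
        self.alerts = []  # out-of-policy attempts, surfaced for detection

    def admit(self, badge, origin, now=None):
        try:
            body_hex, tag = badge.split(".", 1)
            body = bytes.fromhex(body_hex)
        except ValueError:
            self.alerts.append(f"malformed badge from {origin}")
            return False
        expected = hmac.new(FABRIC_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            self.alerts.append(f"forged badge from {origin}")
            return False
        claims = json.loads(body)
        if claims["exp"] < (now if now is not None else time.time()):
            self.alerts.append(f"expired badge for {claims['sub']} from {origin}")
            return False
        # Origin is logged only; being 'internal' earns no trust on its own.
        if self.name not in claims["nodes"]:
            self.alerts.append(f"{claims['sub']} from {origin} tried {self.name}: door shut")
            return False
        return True
```

The alerts list is the hook for the "reward looking for and alerting bad behavior" idea later in the article: a node that shuts its door also reports why.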
There's only one problem: The system still depends on your internal cybersecurity team, or an external team, to manage it. This does not scale, faces constant budget issues, and, ugly though it may be, more than half of company fraud is due to insiders. To address scalability, keep the ecosystem incentivized to run, and counter the risk of insider threat, we need strong guidelines. Fortunately, a cybersecurity mesh team may have the guidelines the industry will live by for a stable and secure system.
7 Critical Cybersecurity Mesh Design Principles
Naoris Protocol is a Web3 platform that has been working on this problem for years. Made up of CIOs, CTOs, IT/Cybersecurity pros, software development leaders, and blockchain strategists, the team takes the issues of cybersecurity very seriously and has worked to get the right blend of balance, incentive, and a good dose of a "trustless" environment to build their own cybersecurity mesh platform. To build it, they used seven key principles that they say must be adhered to in order for the platform to be stable, sustainable, and effective:
Unstoppable. The system runs on its own; participating nodes can join or drop out, but they can't get around it and can't affect the system itself.
Permissionless. This is critical for scalability. Users and builders of the protocol (in other words, companies that use this service) have to enjoy a censorship resistant platform that is accessible by everyone.
Minimally Extractive. The fees for using the platform must be minimal to encourage use, discourage hostile takeovers (or forking, in the decentralized economy), and the funds collected should power further ecosystem development that is managed through a DAO (decentralized autonomous organization).
Valuable. There should be value for those who use the system, and incentives for those that participate as nodes and governance contributors.
Expansive. The incentives should also be structured to reward good behavior, punish bad behavior, and reward looking for and alerting bad behavior. It should also incentivize those who want to build their platforms on the system, thus expanding it and contributing to growth.
Positive Sum. The more the protocol is adopted and used, the stronger it becomes, which is an added value for all participants.
Credibly Neutral. The system is built with complete neutrality ensured so it can be used by the widest range of people, organizations, countries, etc.
These principles illustrate the evolution of how our systems will interact as networks, users, and external partners continue to make connections and depend on each other. Naoris, in building their own protocol with this as the compass rose, is going to show the industry a number of key lessons. First, the only way to build a security platform is if it is designed to be antifragile, where risks are converted into strengths. Second, a Web3 platform is necessary for any serious cybersecurity system, as with all the single points of failure, human error, and insider risks, a trustless model is the only model. Time will tell, but it will be interesting to see Naoris' KPIs in 1-2 years as compared to the industry average.
Looking Ahead
By adopting these seven principles, the natural conclusion is that the most effective cybersecurity mesh will need to be a Web3 creation: decentralized, self-sustaining, and community governed. It also needs to be structured in a way that incorporates strong economics and gamification, ensuring that the players involved are incentivized to act in a way that protects and builds the ecosystem. If we can accomplish this, we can eliminate a significant number of the worst threats to our systems, and save potentially trillions in the process.