Phil Quade - The Digital Big Bang


The Digital Big Bang: summary, description and annotation


Cybersecurity experts from across industries and sectors share insights on how to think like scientists to master cybersecurity challenges
  Humankind’s efforts to explain the origin of the cosmos birthed disciplines such as physics and chemistry. Scientists conceived of the cosmic ‘Big Bang’ as an explosion of particles—everything in the universe centered around core elements and governed by laws of matter and gravity. In the modern era of digital technology, we are experiencing a similar explosion of ones and zeros, an exponentially expanding universe of bits of data centered around the core elements of speed and connectivity. One of the disciplines to emerge from our efforts to make sense of this new universe is the science of cybersecurity. Cybersecurity is as central to the Digital Age as physics and chemistry were to the Scientific Age.
The Digital Big Bang explores current and emerging knowledge in the field of cybersecurity, helping readers think like scientists to master cybersecurity principles and overcome cybersecurity challenges.
This innovative text adopts a scientific approach to cybersecurity, identifying the science’s fundamental elements and examining how these elements intersect and interact with each other. Author Phil Quade distills his over three decades of cyber intelligence, defense, and attack experience into an accessible, yet detailed, single-volume resource. Designed for non-specialist business leaders and cybersecurity practitioners alike, this authoritative book is packed with real-world examples, techniques, and strategies no organization should be without. Contributions from many of the world’s leading cybersecurity experts and policymakers enable readers to firmly grasp vital cybersecurity concepts, methods, and practices. This important book:
- Guides readers on both fundamental tactics and advanced strategies
- Features observations, hypotheses, and conclusions on a wide range of cybersecurity issues
- Helps readers work with the central elements of cybersecurity, rather than fight or ignore them
- Includes content by cybersecurity leaders from organizations such as Microsoft, Target, ADP, Capital One, Verisign, AT&T, Samsung, and many others
- Offers insights from national-level security experts including former Secretary of Homeland Security Michael Chertoff and former Director of National Intelligence Mike McConnell
The Digital Big Bang is an invaluable source of information for anyone faced with the challenges of 21st century cybersecurity in all industries and sectors, including business leaders, policy makers, analysts and researchers as well as IT professionals, educators, and students.

The Digital Big Bang: online preview excerpt


This program will have to include good security policies and architecture review processes. But it will also have to address the new reality that software engineers and application developers can no longer assume that they are building on top of a naturally secure and private underlying network. Secure coding practices must become so deeply ingrained in the philosophy, processes, and deployment pipelines that they simply become a part of the natural practices of the developer. The bar is high here, and these individuals must understand everything from user authentication to data obfuscation and secure data transport. Organizations will quickly see the need to develop repeatable patterns with consistent, standardized, and reusable security code libraries.

In short, addressing the connectivity challenge will require even deeper levels of cooperation and collaboration across an organization, from the coding level up. And to do that effectively requires both funding and expertise. As many CISOs and their teams know, this is a square one reality that they must advocate and evangelize to decision makers in the C suite, and even to the board of directors.

As daunting as organizational and cultural change can be, it is important to start where you are and move forward from there. If a company doesn't have experience and expertise in these areas, there may be an inclination to delay planning. But it is better to take modest first steps rather than to do nothing. External assistance from a trusted adviser will often prove valuable, even if only to provide a roadmap that an organization can follow. Find those outside experts and advocates as necessary and then scale their services to fit the budgets available. If nothing else, doing so will begin to build the network of strategic partnerships that will become increasingly needed and valuable.

Funding limitations are a reality all CISOs and their teams must contend with, but the cost of securing the enterprise is too often considered just on the basis of hard allocations—the tools, time, and resources needed. Intangibles and opportunity costs must be considered as well. Is the return on the investment of resources to build that next application feature greater than the costs of an inevitable breach and the reputation and brand harm it has created? These can be complex and challenging questions for any organization, but they are the types of questions that all companies should become more comfortable answering.

And they pale in comparison to the complexities and challenges of ever-expanding and complicated networks, sprawling outward with more and more consumer-level devices. The longer an organization delays, though, the more difficult the path forward could be.

The telltale sign of a need to focus on these areas is the recognition that you haven't already. Too many companies use a breach as an indicator—perhaps not understanding the substantial risks involved. If you are not already implementing secure coding practices, if you are not already looking for the presence of unauthorized IoT devices joining the network, you are already behind the curve. It's almost a certainty that you have devices and code that are easily compromised. The fact that you don't know for sure indicates how great the risk can be—and reveals how critical visibility, and the insights it provides, is to strategically managing and mitigating the intensifying levels of connectivity in the IoT era.

ABOUT THE CONTRIBUTOR

Brian Talbert – Director of Network and Connectivity Solutions, Alaska Airlines

Brian Talbert leads the Network and Security Engineering division of Alaska Airlines. Brian is responsible for the strategic direction and platform development that secures the infrastructure responsible for flying 33 million passengers per year to over 115 destinations. In the 20 years prior to Alaska Airlines, Brian worked for leading service providers and enterprises building solutions and organizations that drive information security technology.

CYBERSPACE: MAKING SOME SENSE OF IT ALL

Chris Inglis, Former NSA Deputy Director

Cyber. Few words enjoy more widespread use across languages and cultures. Used variously as a noun and an adjective, it conveys more meaning in five letters than the vast majority of its counterparts in any language. As a direct consequence of the varied uses of the term, many discussions involving cyber fail in the simplest goal of human communication, namely to ensure that the participants understand or mean the same things in their attempt to communicate.

To that end, this section lays out a foundation for understanding the essential elements of cyber as a literal place—hereafter referred to as cyberspace. Of note, the term cyberspace includes, but is not limited to, the sum of hardware, software, and interconnections that are collectively referred to as the Internet.

One of the most important things that the curiosity-minded pioneers of the Scientific Revolution did was to intellectually (and sometimes literally) peel apart a common thing—a leaf, a parasite, a hillside—to better understand what it was made of and how its parts were connected, trying to understand how each layer worked and helped govern the whole.

THE CASE FOR CYBERSPACE AS A DOMAIN

Various writers have argued that cyberspace is not a domain, since it is man-made and therefore lacking in the enduring and unchanging properties inherent in domains resulting from immutable laws of nature, time, and space. The case for cyberspace as a domain is found in the simple fact that, on the whole, it has unique properties that can be understood, or purposely altered, only by studying cyber as a thing in its own right. It is a center point that is the result of integrating diverse technologies and human actions, while it also serves as a resource enabling widespread collaboration and integration.

TEASING OUT THE CONSTITUENT PARTS OF CYBERSPACE

Mention the term cyberspace in any otherwise polite conversation and the mind's eye of the listener immediately conjures up a jumbled mess of technology, wires, people, and communications racing across time and space or stored in vast arrays of storage devices. The resulting rat's nest of technology, people, and procedures then offers such a complicated and undistinguished landscape that, within the context of the conversation, further use of the word cyber could mean anything, and often does. It is important, then, to tease out the constituent parts of cyberspace to describe their characteristics, their contribution to the overall effect, and their relationship to each other. This, in turn, will yield a taxonomy or roadmap that allows focused discussions about discrete aspects of cyberspace that can be considered in the context of the whole.

This section attempts to describe, in context, discrete facets of cyberspace along the following lines: physical geography, communications pathways, controlling logic and storage, devices, and people. It's important to note that cyberspace is not actually built this way, any more than a human being grows from embryo to adult according to the taxonomy laid out in Gray's Anatomy. But the understanding of the unique characteristics of cyberspace and how it is likely to operate under various scenarios is the goal here, not a description of how to build it anew.

THE BOOKENDS: GEOGRAPHY AND PEOPLE

Like any domain, cyberspace is sandwiched between the earth that hosts it and the people who would use it. Given humankind's long experience with both (that is, geography and people), this fact is both a source of comfort and a vexation. To see why, we need only consider each in turn.

The Geography Layer
