Franklin Donahoe, Chief Information Security Officer at Mylan, talked about the potentially dire consequences of security breaches in a thing-driven world.
Donahoe kicked off the first keynote of the day at the 2016 Chief Information Security Officer Leadership Forum Fall Event held on October 20 in New York by announcing, “We’re living on the brink of a technological revolution that affects not only how we protect data but how we protect people. IoT is ushering in an era in which some of our daily tasks are performed without us. We’re already experiencing this—many of the functions of our houses and appliances operate themselves,” he observed. “We’ve entered the era of ubiquitous computing. By 2020, the number of connected objects will be in the tens of billions.
“As a cyber community, we have to ask ourselves if we’re ready for this change. Unfortunately, I think we know the answer is no. Hackers have taken control of cars, baby monitors, television sets, and medical devices. As these failures in cyber physical devices make the news, some are asking if the benefits outweigh the safety and security concerns.”
Donahoe believes it’s entirely possible to develop secure, ubiquitous computing. “However, unless we, in the cybersecurity profession, think and plan, we run the risk of danger or disaster. We must do security right.” To Donahoe, this means following these three maxims:
• Look back, and keep what’s worked.
• Look ahead, and plan proactively for this burgeoning technological trend.
• Look from a different angle, and shift our thinking to embrace new paradigms for the connected world to come.
“In the data-centric approach, we concentrate on assuring the data is secured wherever it may be and however it’s used. We’ve implemented layered defense strategies, which were based on a clear understanding of threat vectors and attack vectors. In our complex world today, this is difficult, and we’ve seen the decline in some of our most trusted defenses—the death of the firewall and the efficacy of antivirus protections. Hackers will continue to use evasive techniques. They’re well funded and highly motivated,” he pointed out.
Donahoe emphasized that in this new world, information security professionals must involve themselves in the most basic business decisions. “This isn’t technological or sexy,” he observed. “It’s things like procurement. We must insist on vetting the connected items our company considers purchasing and looking at the manufacturers’ practices to make sure these devices are already secure before adding them to our sensitive networks. Relying on the strength of the secure systems we’ve set up to protect our data isn’t going to be good enough. In the coming cyber physical world, it’s the things themselves that act as portals to our network, and that’s where the security actually begins.”
For this, said Donahoe, there must be a shift in our paradigms. “No longer can our security strategies center on systems or data. For the thing-centric era, we need thing-centric security. I’m talking about resilience, not impenetrability. We need to design our connecting objects and sensors for resiliency to limit the damage a breach can cause. We know people are the weakest link in the cybersecurity chain, and that won’t change. The buck won’t stop with the end user,” he said. “It will be up to the designers and manufacturers of the things around us to protect our privacy and our safety. Most of all, it will be up to us, the information security professionals, at the companies making these devices as well as the organizations purchasing and installing them to assure the job is done right.”
In response to a question from a member of the audience about how the CISO will evolve in the next 10 years, Franklin replied, “I see the CISO role evolving to become one of making risk-management decisions—who we’re going to connect with and do business with. We’re going to know more about security risk than anyone else in the company.”
ABOUT FRANKLIN DONAHOE:
Franklin is the Chief Information Security Officer for Mylan Pharmaceuticals, where he manages the Global Information Security Office (GISO) function. The GISO provides data security and privacy for 30,000 employees and protects systems that enable marketing in 145 countries and a portfolio of around 1,400 generic pharmaceuticals and several brand medications.
Franklin began his career in military service as a United States Marine. He has served as a security leader with companies such as Costco and T-Mobile USA. While with Deloitte, he consulted across many industries and is known as a thought leader on information security and privacy technology, process implementation, and maturity. Franklin has a proven track record of re-engineering security and privacy processes and applying security technologies effectively to complement and support governance. He has a BA from the University of Washington and two master’s degrees from Carnegie Mellon University.