Cyber Canon Book Review: "A Sustainable Digital Economy: Not Fear, but Trust Connects" (2018), by Ad Krikke
Book Reviewed By: Fred Streefland, Regional CSO NEEUR, Palo Alto Networks, 02 January 2019
Bottom Line: I don't recommend this book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
Review:
“A Sustainable Digital Economy: Not Fear, but Trust Connects” is based on the dream of the writer, Ad Krikke, in combination with his real-life experiences. Krikke is the CISO of Royal DSM, a Dutch international chemical company that delivers a variety of business solutions for human nutrition, animal nutrition, personal care, medical devices, etc.
This book tells the story of a positive alternative for escaping the negative aspects of the current digital economy, seen from an information security perspective. The writer explains why fear is a bad advisor in today’s digital world and why the current approach to information security is far from effective.
He starts his book with his digital dream and jumps into the year 2027, when there’s a sustainable digital economy with hardly any security and privacy issues. The dream starts with checking into a hotel by holding an electronic passport to a card reader that also opens the room. In this case, the hotel no longer needs to store a copy of the guests’ passports. This is just one of the examples that describe the "new" world. Other examples describe a data collaboration process for production secrets (intellectual property) and a public-private partnership with governments and startup companies.
After this introduction, the narrator wakes up in the present and asks himself whether we are really stopping digital innovation, given the cyber and privacy incidents all around us and the increasing demand for high penalties and strict enforcement. As a result, he begins to introduce alternatives for escaping the negative aspects of the current digital economy. He provides examples from practice to keep the story concrete and simple, but also shows that this digital dream is not an illusion and can become a reality. He describes these examples chapter by chapter.
After this introduction, the writer "returns" to the current time (2018) and realizes that the current information security approach is far from effective. The story of the sustainable digital economy starts with "setting the scene," in which the writer explains that the West experienced huge economic developments after WWII. He describes how, in the 60s and 70s, people started to realize that the situation at that time was untenable and would endanger the continued existence of both the earth and mankind.
Krikke explains how the digital economy promises us great wealth but also brings cybersecurity and privacy incidents, which he sees as the modern equivalent of water and air pollution. In search of quick profits, data is pumped around the world as if it were the new gold. The negative effects aren’t limited to the organizations that process this data. Our privacy and personal safety, both fundamental human rights, are at stake. For these reasons, the writer shows us that companies that opt for sustainability (instead of quick profits) as a core value can gain economic and social advantages in the digital domain.
In the chapter, "Fear is a Bad Advisor," fear is described from different views, but Krikke shows us that sustainable leadership may surpass fear. The main message in this chapter is that fear still drives information security and that we are involved in an arms race in the digital world, driven by fear.
The short-term approach, which seems inevitable in today’s world, is also explained. It’s stated that management should guide without fear, because that’s the way to engage in long-term thinking and embrace new opportunities. It is trust rather than fear that makes the connection we need for collaboration.
This arms race is hindering opportunities because organizations are continuously investing in cybersecurity technologies (tools), experts, processes and awareness courses. All these measures provide a brief increased level of information security, with the emphasis on "brief." In time, all these short-term measures are outdone by cyber criminals and other actors, resulting in new additional security measures, and the arms race becomes a fact. This approach leads to increasing costs, increasing complexity and the danger that digital collaboration between departments becomes more difficult.
Following that, he introduces important elements of a sustainable digital economy and describes innovations that reduce the need for security. Krikke uses different realistic examples to explain the elements of a sustainable digital economy, but especially his "Elephant Honey" example sets the scene for this different way of thinking about security in which public-private collaboration plays an important role. Everything relates to this example because it’s innovative, effective and extremely feasible for a sustainable digital economy.
The example, in short, is about a cornfield in Africa that was terrorized by elephants. They ate the corn and trampled the cornfield. The farmers couldn’t think of any solution other than shooting the elephants, despite this being prohibited by law. But this measure was not very effective, because the elephants would simply come back. Then an activist decided to work with the farmers and introduced the knowledge that elephants are afraid of bees.
The activist and farmers placed bee hives around the cornfields, interconnected via wires. When an elephant tripped on one of the wires, the beehive shook, causing the bees to emerge from the hive, spooking the elephants. By doing this, a win-win model was created because the farmers could produce bee honey, a product with high value in Africa, and the elephant problem was solved.
This example illustrates, in essence, the value of collaboration and the importance of looking for win-win situations. Krikke explains that if the farmers had listened to the weapon suppliers, probably no elephant honey would have been produced, but more and more weapons would have been produced, which refers to the aforementioned arms race.
Krikke notes that the average CISO’s mailbox overflows with emails sowing Fear, Uncertainty and Doubt (FUD) to push the latest cybersecurity measures. He says we should first look to the "Elephant Honey" motif to prevent rather than secure, and not let FUD distract us. The main advantage of the Elephant Honey approach is that we prevent the risk of an incident. Thanks to the win-win element, the solution is more effective and requires less enforcement.
Krikke also coins the term "ConnectMe," which he sees as the combination of the one-off data storage, described in the previous chapter, and the unique digital identity. These are both basic conditions for the sustainable digital economy.
He goes on to describe the difference between the seat belt in cars, which is implemented on a level playing field, and protective measures proposed for the unsecured internet of things (IoT), which are not implemented on a level playing field. There’s no digital uniformity, so the risks of all systems aren’t equal to everyone. Standardization makes sense for some measures. A seatbelt is mandatory for every car, but, Krikke argues, a roll cage is only mandatory for cars used in rallies. As with cars, implementing protective measures where there is a level playing field in the digital economy would drastically reduce the number of incidents and keep the costs affordable.
Krikke also introduces the term "Just Culture" and describes information sharing and analysis centers (ISACs). In a discussion about the fear of liability and damage to reputation, Krikke demonstrates his experience on the subject of sharing and provides different insights. At the end of this chapter, he combines the "Just Culture" and the "Level Playing Field" into a new term: "DigiNorm." With this combination, it’s possible to achieve an affordable threshold for security that can adapt quickly to newly discovered vulnerabilities.
In the final chapter, Krikke combines all the various elements he’s included in the book with the "Elephant Honey" approach to make digital revenue models sustainable and inherently safe. The "ConnectMe" technology leads to responsible data use and secure access to digital solutions, and the "DigiNorm" concept provides affordable, effective security of digital systems. Krikke claims that this doesn’t stop all incidents and threat actors, but it’s good enough! The sustainable digital economy isn’t perfect, and it will never be, but it’s a goal, a dot on the horizon that motivates us to constantly improve to a level that we feel is responsible. It’s a journey, not a destination.
At the end of this book, Krikke describes in some "afterburner" chapters the journey and its most important elements, such as the public-private collaboration and the role of the information security officer. These final chapters are also filled with interesting stories from the front.
Overall, this book is an easy and interesting read, not because it consists of only 95 pages, but mainly because it makes you think! It’s an interesting book, written by a very knowledgeable and experienced security officer. My personal recommendation would be: “Just get this book and read it!”
We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!