Where Cars and Cybersecurity Collide (Pun Intended)
A few years back, I was in the market for a new car. As I looked, I realized the features I love most — technology and performance capabilities — are not easily found together in the automotive industry. Most vehicles are generations behind the electronics in our pockets when released, and then become rapidly outdated as time progresses.
Ultimately, I went with a Rivian: a new, USA-made, adventure-focused EV company with a consolidated approach to vehicle software. Unlike other manufacturers, each part of a Rivian connects to a central processor through just two wires, reducing the number of components that can break or fail, and reducing the cost to maintain. This approach allows Rivian to easily combine capabilities to deliver integrated functions. So when you approach the car, it unlocks the doors, starts the HVAC system, powers on the lights and audio system, and adjusts the seat.
Rivian’s approach got me thinking about the parallels to the cybersecurity industry. Today, many vendors create capabilities to solve a single problem or a small set of problems, and the customer is left to integrate the systems themselves, rarely, if ever, achieving automated system operations. Most networks run as a sum of their parts, but security leaders can achieve greater visibility and simplified operations by taking a page from the Rivian playbook and embracing platformization to best defend against threats targeting mission-critical operations.
Just as most cars have 70-100+ components to control internal systems, most federal agencies’ security landscapes are dependent on a mess of disparate solutions, often 70+, each with unique vulnerabilities and opportunities for exploitation. That’s because leaders often opt for “best-of-breed” point products that require individual monitoring and patching. However, the lack of visibility between departments and solutions only furthers segmentation.
This inability to monitor for potential points of attack can be devastating to an organization’s security. If a gap exists, bad actors will exploit it. Over 23% of data exposures involve critical IT and security infrastructure, suggesting threat actors are adapting their methods to identify and take advantage of common holes left in piecemeal security architecture. They understand disconnected architecture is hard to defend, and therefore easy to infiltrate.
Public sector as a case study
Government organizations are heavily siloed, and as a result their IT landscapes are too. This challenges visibility across the whole organization and can create holes in the attack surface for threat actors to penetrate. Despite this, public sector IT teams have trailed their industry counterparts in creating holistic approaches to cybersecurity.
This is concerning, as government agencies in particular are often prime targets for threat actors given their access to high-value information and systems that malicious actors target through malware, ransomware, and DDoS attacks. In more extreme cases, agencies have been the target of cyberespionage attacks from nation-state threat actors, especially in tense times like major elections. These types of attacks are made easier by larger attack surfaces and disjointed operations.
Best practices for public sector platformization implementation
The first step in implementing a simplified approach to cybersecurity is to take stock of the solutions currently deployed within the IT landscape. An optimized cybersecurity approach will focus on agency outcomes, not products or merely compliance activities. All security leaders, no matter the industry, need to take holistic and routine assessments of their technology stacks to identify siloes and redundancies. From there, you can make decisions about what can be streamlined and consolidated, and where new investments are needed. A good place to start is with automation; anything that can be automated should be automated, with the end goal being full autonomy to the greatest extent possible.
Next, eliminate any single-use solutions unless absolutely necessary. Vendors should have the capability to integrate with other solutions and orchestrate multiple applications. When it comes to IT teams, work to see whether current processes can be done in fewer steps to remove unnecessary middlemen.
The final step is communication. Share your goals and reasoning for simplification with your board and educate employees about the importance of sticking to pre-approved solutions. The IT team alone cannot be expected to protect what they can’t see, so encouraging a transparent culture is paramount. Everyone — regardless of their role — must understand that when it comes to security, less is more.
Bottom line: keeping it simple keeps us safe, whether on the roads or in our security infrastructure. Just as Rivian decided to simplify and integrate technology, we too can take similar disruptive steps in the security industry. As threat actors get more sophisticated, unified architecture will be key in mitigating threats to critical missions and keeping your agency’s valuable data safe from adversaries. Rivians are better today than the day they are purchased. Shouldn’t our cybersecurity solutions adopt the same mindset?