As the digital landscape becomes more complex and cyber threats continue to evolve, organizations must employ a comprehensive and adaptive cybersecurity strategy. This often involves integrating a wide range of applications and security solutions, regardless of the software company that developed them. Interoperability, which enables the seamless sharing of information and the integration of security systems from different vendors, is the key to achieving this integration: it allows organizations to create a holistic cybersecurity approach that adapts to their unique security architecture.
Although the objective of achieving comprehensive cybersecurity measures is not a recent one, it remains an ongoing challenge. Software developers frequently view cybersecurity as a potential market opportunity, motivated to develop an integrated suite of applications that they believe can satisfy their customers’ security requirements. In this pursuit, interoperability with other software is relegated to a secondary consideration and is given inadequate attention during the development process.
Corporations often hold different perspectives on cybersecurity. For these entities, cybersecurity encompasses the entire company’s security architecture, which can be complex due to the diverse business needs of multiple units that may not integrate easily. This is particularly relevant in critical national infrastructure, such as power plants, where automation systems are utilized and may be compatible with some cybersecurity solutions, but not others. As a result, these systems must undergo rigorous validation processes to ensure operations won’t be affected by the installation of new cybersecurity solutions.
One approach to addressing interoperability challenges in cybersecurity is to redefine the concept of “cybersecurity architecture” and think of it as if it were a single, comprehensive “cybersecurity product.” This can be compared to building a car, where the end product is not just a collection of individual components (such as windows or an engine), but rather the fully assembled vehicle. Unfortunately, achieving this level of integration has proven to be a significant challenge for the cybersecurity industry, mostly because the ultimate nature of the “cybersecurity product” is still undefined. In other words, there is no clear consensus on what constitutes a truly comprehensive cybersecurity solution, and as a result, new products are continually being developed with claims of addressing novel security concerns.
Interoperability is a necessary requirement in cybersecurity precisely because the problem of cyber threats remains unresolved. Even if all available cybersecurity software is integrated, new vulnerabilities are discovered daily, prompting the need for innovative solutions. In the previous example, a car solves the problem of mobility, whereas cybersecurity applications cannot entirely rectify the problem of cyberattacks. It is possible that a future may exist where the problem is mostly resolved, but that day has not yet arrived.
Because of this unresolved cybersecurity problem, organizations are less likely to settle on a single solution when they invest in cybersecurity solutions. While it’s in their best interest to do so, they worry they will need the newest features advertised by the newest companies coming into the marketplace. Or worse, they fear that if they are subject to a cyberattack, they will have to answer to the court of public opinion for not implementing the latest solutions.
When asked about this in a recent survey, 77 percent of respondents stated they would like to see more support for open standards, and 83 percent believe that a product’s integration capabilities are important (ESG & ISSA Research, 2022). Yet, in the cybersecurity market, two costly mistakes are commonly observed. First, competitors frequently develop similar functionalities to offer a comprehensive solution that displaces all other options. Second, these companies fail to recognize that their competitive interests often hinder their own innovation processes, resulting in the development of software that is neither new nor innovative. This approach creates a “moat” around their solutions, which ultimately slows down the development of additional solutions by other third-party providers.
In the cybersecurity industry, there is often a disconnect between the intended audience for cybersecurity software and who vendors believe their customers at the organization are. While many agree that IT personnel should be the primary end-users of such software, we can’t have IT people everywhere cybersecurity is needed. For instance, certain organizations, such as critical national infrastructure and industrial systems, rely on non-IT experts to run their cybersecurity programs. It’s also important to recognize that the ultimate end-user of the “cybersecurity product” is neither IT nor other operations personnel, but rather corporate executives and government authorities who conduct cybersecurity investigations.
Even so, many Chief Information Security Officers (CISOs) are primarily trained to focus on new software features and assume that if a solution works for IT, it works for the organization as a whole. This approach is misguided and will need to be corrected. Cybersecurity is not merely about features; it is primarily about ensuring compliance, managing risk, and mitigating liabilities. In addition, cybersecurity plays a critical role in helping authorities prosecute cybercrime cases. As such, if a cybersecurity solution doesn’t work for these authorities, then the solution doesn’t work at all.
While corporate executives and government authorities are ultimately responsible for ensuring effective cybersecurity measures, IT personnel are crucial in configuring and maintaining complex software solutions. In other words, IT is an essential component of the “cybersecurity product” and not the end-user—it’s part of the car, not the driver of the car.
In addition, cybersecurity measures are essential for ensuring the security of national resources and maintaining critical infrastructure, such as the availability of electricity, water, and communication services. If the national infrastructure is not protected, the country may be unable to defend itself in future conflicts, thereby impeding the growth of the entire cybersecurity ecosystem.
About the Author
Juan Vargas, Cybersecurity and Engineering Consultant, Artech L.L.C. A graduate of Carnegie Mellon University, Juan Vargas started his career doing data analysis at Intel Corp before focusing on automation and control systems at Emerson Electric and finally becoming a cybersecurity expert for those systems. He has worked with most control systems in power generation and on various projects for the top 10 utility companies in the United States.