Tech Lasso

As in most Mexican families, football is part of Sunday lunch conversations and last week was no exception; after all, “Football is Life.” As I struggled to predict who will win this year in Qatar, I was struck by the idea of how much life has changed since the last World Cup. In just four years, many of us have witnessed the large-scale impact of the digital economy and how it has transformed our day to day.

Stimulated by 2020’s pandemic, digitalization has become the foundation of how we connect with each other, how we work remotely, how we consume services or even how we attend a medical check-up. Social distancing compelled organizations to redefine their strategic plan and to shift investments toward technology-led initiatives.

Most of us in the technology business frequently hear IT staff talk about digital transformation as the panacea for today’s business challenges. IT departments suddenly came across the Super Mario golden star and none of the other business units seem to be able to slow it down. Does this mean that all organizations driving digitalization will produce profitable growth and disrupt their respective market? No, definitely not.

Even if technology has built positive momentum with senior management, there is still an outcast in the family that is fundamental to the success of digitalization initiatives: security. Organizations accelerated the pace at which new technologies, like the cloud, were adopted; however, cybersecurity and information security were constantly left out of the equation as many executives failed to recognize them as business enablers. I am sure many readers may want to challenge this idea because cybersecurity budgets have multiplied in recent years; nonetheless, these investments are rarely executed in a top-down approach involving not only technology but also security governance.

Let’s take the recent security breach on customer engagement platform Twilio as an example. With multibillion dollars in revenue and a recent acquisition of data security platform Ionic Security, we could all suppose that a successful security strategy was established and that they were ready to take on any of the malicious actors that make up today’s threat landscape. Unfortunately, hacking group “0ktapus” proved all wrong when they were able to trick Twilio employees into handing over corporate credentials, including multifactor authentication codes generated by the IT department. This elaborate social engineering and phishing scam exposed the importance of people and processes to the security strategy of any organization. At the time of this writing, Twilio’s stock had plummeted to its lowest level in four years and it is expected that this breach will damage the company a great deal, not only in remediation costs but also in the cost of brand reputation and customer trust. Even after building a disruptive business model over the past 14 years, this security incident may be a decisive factor on where the company heads next. 

This breach also reaffirms that responsibilities do not end in your corporate perimeter and that security posture is dependent on your weakest link. The shared economy compels us to constantly share data with third-parties in favor of enhancing customer experience and conveniently scaling our operations through omnichannel initiatives. Permanent collaboration with partners and suppliers creates an extended network and a chain of trust that sophisticated adversaries have determined to leverage and exploit to their advantage. Hackers behind the Twilio incident were able to access the data of more than 160 Twilio customers, including secure messaging app Signal, two-factor authentication app Authy and authentication company Okta; yes, the irony. Risk management should be practiced beyond our corporate network and include the many cloud services that are being consumed in today’s operations, sanctioning all vendors and double-checking how their security hygiene will improve trust and overall security posture.

The truth is that any company will be targeted sooner or later and that threat actors have become highly sophisticated and motivated. Nation-state threat actors and organized crime have the time, the technology, and the intelligence to execute large-scale attacks that can cripple anyone. Even if digital transactions have soared in recent years and new revenue streams can be leveraged through technologies like AI, big data and cloud services, success in the digital economy is highly dependent on business resilience and cybersecurity risk management.

In recent months, we have worked closely with Mexican organizations that have gradually experienced a rise in webpage transactions but a drop in sales and customer engagement. We identified that behind this problem lies malicious BOT campaigns that steal customer data, commit online fraud and degrade the customer experience, effectively hindering the digitalization strategy. A lot of money and time has been poured into product development, analytics and digital marketing so that true potential is never achieved.

BOTs are here to stay, as they make up over half of today’s internet traffic. Most companies have been unable to control these attacks, mainly due to a lack of security awareness and communication barriers within management. By having cybersecurity expertise on the board, business, IT and security departments could truly align expectations. These players  could also  collaborate more effectively by deploying cross-functional teams pursuing common goals, such as digital transformation. 

Transforming a business is not an easy job and technology alone will not solve the many challenges that will emerge on the path from vision to execution. Leaders must inspire a cultural change so that security teams are no longer seen as representatives of Shelbyville and are finally acknowledged as business enablers and allies. There are fantastic security professionals and great security platforms out there, so why not leverage them through a holistic plan that delivers what modern society demands: resilient digital services with security and privacy top of mind.

Just like with any national football team traveling to Qatar, strategy must not be evaluated by intentions but by results and I am sure we all want to win the World Cup.