Interview

As cities face a more challenging future, city leaders need to know the best practices that will allow them to face new threats, tap funding, increase the level of trust among their citizens, and make the best investment decisions. ThoughtLab’s fourth urban research program, Building a Future-Ready City, will provide urban leaders with an action plan for meeting the challenges ahead. ThoughtLab asked sponsors and advisors of our program to share their views on how leaders can face some of the problems ahead. Here is how some of them responded.  

 

1.The recent heat wave throughout Europe and America is a serious reminder of the disruptive effects of climate change. Clearly, a future-ready city will need to be a zero-carbon city. What steps do cities need to take to achieve their longer-term decarbonization goals? 

Bill Cashmore, Deputy Mayor, Auckland Council: Transport must be a primary target for decarbonization; vehicle kilometers traveled must be substantially reduced. Road congestion pricing could be a key incentive for people to move to public transport. Building heat and cooling needs to be powered by renewable energy sources. Manufacturing also needs to transition to renewable energy. 

Kari Aina Eik, Executive Director, United Cities: First, we need to equip leaders with more information and resources to meet these challenging goals. If we are ever going to meet the goals of net-zero cities, we need to build up trust, then develop new processes, and use tools and measures that everyone understands and accepts. Second, we need to build these processes and tools based on available data and technology. If your facts are known and accepted, you can make better decisions. Third, all cities (and all countries) need a digital twin and to start developing model scenarios of cause, effect, and possible solutions. These scenarios and solutions need to be shared and discussed with stakeholders across the board.  

Jayant Kohale, Analytics, Smart Cities, Digital, AI: The impact of global warming has been felt by countries across the globe. The recent high peak temperatures in Europe have resulted in droughts with major water sources drying up. For cities to better prepare for these scenarios, they need to have a declaration and charter which defines and articulates a city’s vision and aspirations to reduce the carbon footprint and to increase the renewable index. In addition, they need investment and development to bring sustainability into the city’s roadmap. 

Bayan Konirbayev, Chief Digital Officer, Almaty City: The problem related to carbon emission basically comes from heating systems and gasoline vehicles. By 2025, the heating system in Almaty should use only gas energy. The problem related to vehicles should be resolved before 2030 by different means,  such as the development of alternative transport, the development of public transport, and the construction of new charging systems for e-cars.  

Andrea Sorri, Segment Business Development, Cities, EMEA, Axis Communications: Cities are becoming increasingly focused on improving mobility, and reducing congestion and pollution, so it’s more important than ever to base decisions on accurate and reliable data. This can be achieved by getting to know the actual traffic flow through clear and analyzable data and the monitoring of individual and group patterns. It’s important when planning and coordinating transport around cities to ensure that any changes and initiatives fit with the way people use services and roadways.  

Weather and air quality sensors can now be co-located with streaming images. This combined video surveillance and weather/air-quality monitoring can give street-by-street observations of actual weather, pollution, and traffic levels. Understanding the link between weather and traffic allows targeted interventions to be deployed to improve air quality. 

Peter Nõu, IT strategist, Uppsala Municipality: Cities need to set stretch goals towards becoming carbon neutral in the near to mid-term. Goals need to be objectively measurable, and the city needs to commit to sharing KPIs. Progress towards the set goals will be measured yearly. Transparency is a given. System boundaries need to be carefully considered. Will the municipality be responsible for the carbon load realized outside its borders through import of goods and services, from the emissions caused by travel by its citizens etc.? Cities ought to collaborate with other cities in developing these KPIs so that the holistic accumulative burden can be assessed as best possible. Sweden is progressive with regards to setting national level climate goals. Uppsala City is among the most progressive climate cities in Sweden having won certain awards three years in a row.

Ramya Ravichandar, Vice President of Product Management, Sustainability & IoT, JLL Technologies: Given that more than 60% of carbon emissions within our cities typically come from buildings, a growing number of city governments now recognize the urgency to decarbonize their commercial and residential buildings.  Technology is likely to be the biggest catalyst of green progress in the built environment as requirements grow for the mandatory reporting, benchmarking, and auditing of buildings’ energy efficiencies and emissions standards. 

2. In today’s era of high social change and low government confidence, what can city leaders do to build the level of citizen trust and engagement they need to drive future change? What do you see as examples of best practice? 

Kari Aina Eik, Executive Director, United Cities: To gain trust, city leaders need to step up in terms of knowledge, understanding, and communication. Cities don’t need super-heroes, but leaders who are open about the challenges now and involve city stakeholders in meeting these challenges. 

Jayant Kohale, Analytics, Smart Cities, Digital, AI: The biggest challenge for city leaders is trust. There is a huge trust deficit with governments across the globe. In these turbulent times, it’s not easy for city leaders to meaningfully engage stakeholders. The initiatives I have seen having an impact are citizen charters, where a group of citizens interacts with a wider city population, shares pros and cons of new initiatives, and discusses their impact and outcomes. 

Bayan Konirbayev, Chief Digital Officer, Almaty City Government: The main problem in emerging countries is the lack of trust in the government. To address the lack of real information, we launched open data access for depersonalized data sets related to city activities, like economic, social, and land use data. Citizens can use this data to better understand the reasons behind each decision being made by the local government. Another instrument is the budget participatory program, under which citizens prepare proposals for city development and vote for certain projects that the city government will finance.  

Mary Nicol, Director of Policy, Chicago Department of Transportation (CDOT): One way to build trust is to bring community and advocate organizations into the policy-making process. CDOT partnered with the Energy Foundation to provide funding for the Transportation Equity Network (TEN), a coalition of community groups, transportation advocates, and other stakeholders that advocate for racial equity and mobility justice. Through the funding provided, TEN was able to consult and help develop CDOT’s three-year strategic plan. 

Peter Nõu, IT strategist, Uppsala Municipality: This question might not be quite as applicable in Sweden where trust in government is still very high (80+%) albeit falling slowly. We consider transparency to be the most trust building that city government and processes need to accommodate, to further this goal. Adhering to shared standards with regards to KPIs in different sectors will allow for comparisons and help citizens and companies in evaluating our progress. There are many already regulated processes for sharing and potentially amending Plans with citizenry. Development is however needed along the outcome/evaluation dimension, after the city is built, and continues to live and develop with its inhabitants and businesses, neighbors near and far.

Liz Van Dyke, Head of Public Sector, North America, JLL Technologies: Our clients want to create spaces that engage citizens and provide healthier, more collaborative environments. Many have some or all of the IT building blocks in place to facilitate this, such as IWMS systems, reservations systems, and IoT sensors, but often these data points are not well integrated or optimized to produce these outcomes. We’ve found that digitizing the entire real estate portfolio management process, including space management, is foundational to designing compelling, inclusive public spaces.

3. To help cities prepare for a more challenging future, multilateral, national, and regional government bodies are offering funding and grants to local governments. How are cities tapping such funding programs, such as the Biden infrastructure plan in the US or grants for environmental initiatives in Europe? What can cities do to stake their claim?  

Bill Cashmore, Deputy Mayor, Auckland Council: Cluster with other cities and share goals, concepts, and ideas. Be flexible. Source government, federal funding to deliver in the short, medium, and long term. Funding needs to be locked in and not vulnerable to political change. 

Kari Aina Eik, Executive Director, United Cities: There is a gap in knowledge in cities both about how to access these grants and funding and about how to deploy this funding in the context of other initiatives and programs. So much funding is available, but not accessed and much is being deployed without effect. To achieve net-zero cities by the needed deadlines, there is no time for overlap and waste of resources. Holistic cross-sector cooperation is the only way forward. 

Jian Liu, Professor, School of Architecture Tsinghua University: The funding and grants offered by multilateral, national, and regional government bodies should be seen as a kind of development guidance for localities which can be well integrated with local development demands.  

Mary Nicol, Director of Policy, Chicago Department of Transportation: It is critical for city leaders to have a clear vision of the city they are trying to build with and for residents. Chicago has a citywide vision of trails and open spaces that will contribute to a network of community-led green infrastructure projects to promote the health and well-being of residents and visitors. The city is working closely with community stakeholders to plan each project and identify funding for engineering and construction, including funds recently passed through Biden’s infrastructure plan.  

Peter Nõu, IT strategist, Uppsala Municipality: Our city is increasingly aware of national and international funding opportunities. There are signs that Sweden as a whole, wants to and will commit to a more decentralized model with regards to robustness and resilience at all levels of society in terms of crisis. How (if) responsibilities for decision making and action will be redistributed is currently an active area of research inside larger national funding schemes, and cities with foresight are encouraged to take initiatives. Our city of Uppsala has such ambitions and one context where we work is the Viable Cities framework program [https://en.viablecities.se/].

4. Even with greater access to public funding, resource-strapped cities may not have the wherewithal to invest in the smart innovation they need to become future ready. How are cities leveraging corporate, professional, and academic partnerships, as well as working with regional neighbors and local communities, to achieve their goals in these tougher economic times?  

Bill Cashmore, Deputy Mayor, Auckland Council: Cities should Invest in private-sector relationships. Incentivize innovation, promote success, and illustrate positive change. Use real people as examples, average people who have changed their habits and their lives for better results as individuals, families, and communities. 

Kari Aina Eik, Executive Director, United Cities: New structures and processes are established in cities around the globe and there is a lot of information exchange during conferences and in meetings. But what is really missing is real cooperation among cities at concrete levels, and practical sharing of experience. What is needed is joint net-zero projects that are scalable and then shared with cities and regions globally. 

Jayant Kohale, Analytics, Smart Cities, Digital, AI: The best way to deal with this would be to leverage the ecosystem. Learn from each other. Share best practices amongst peers. Some city initiatives could have global impact while some could be local. 

Bayan Konirbayev, Chief Digital Officer, Almaty City Government: The budget for digital development will require a lot of resources, which the city by itself will never be able to cover. Our digital public-private partnership model allows private investors interested in the development of the new forms of business, like marketplaces, new digital services etc., to directly apply for financing from the city government, which will cover 20-30% of expenses, while the rest can come from consumer payments. 

Jian Liu, Professor, School of Architecture Tsinghua University: Becoming future ready or implementing smart innovation may not necessarily imply high tech that relies on funding. It can also be achieved through the application of appropriate technology that is not costly. Finding common values can serve as a solid foundation for cities to work together with corporate, professional, and academic partners, as well as regional neighbors and local communities. 

Mary Nicol, Director of Policy, Chicago Department of Transportation (CDOT): Chicago’s climate action plan calls for 2,500 new public passenger electric vehicle charging stations by 2035. To reach that goal, the city will partner with communities to identify ideal locations for charging stations, with the private sector to make investments in the stations, with the utility company to ensure the grid is ready for the additional electricity demand, and with state and federal governments to ensure there is the financial backing for these large-scale infrastructure investments. 

Clay Pearson, City Manager, City of Pearland, Texas: At the City of Pearland, we are partnering with private investment to get the mobility that is underappreciated, but mandatory. We do that wisely with well-researched strategies on economic development, retail trends and gaps, and workforce needs, in partnership with outside experts that care about giving us executable strategies. We think about where and what we can leverage and where we can partner with public schools, business associations, and not-for-profit organizations to achieve success. We bring a light touch to regulation and tend not to impose top-down aesthetic requirements which can stifle, rather than enhance. 

Peter Nõu, IT strategist, Uppsala Municipality: These collaborative dimensions are very important for the Uppsala Municipality. The organization STUNS (“Sustainable growth in Uppsala; at https://stuns.se/en/) is an almost 40 year old collaboration between public organizations, academia and local corporations. Uppsala also collaborates with other Swedish cities in different areas, and with the Swedish capital of Stockholm with regards to developing the corridor north south between our cities. We will build two new parallel train tracks to a total of four, in the coming decade. Very large residential and commercial developments are being planned as a new part of Uppsala, with yet to be decided super ambitious climate and sustainability goals. Breaking of ground is planned to happen in 2023.

Jeremy Kelly, Global Research Director, City Futures, JLL: The magnitude of the climate change challenge and the urgency with which we need to create a significantly decarbonized economy requires the mobilization of resources across multiple stakeholder groups. Ecosystems of partnerships will be crucial in driving progress, pooling resources and knowledge, sharing or copying best practices, and educating and helping scale technology. There is strong potential to leverage the real estate sector’s intelligence, skills, innovations, and financial acumen to help deliver sustainability goals.

5. City leaders need to make hard decisions on where to invest across urban domains to become future ready. Which urban domains are cities prioritizing for investment over the shorter and longer term? What are they doing to ensure a holistic approach to urban development?  

Kari Aina Eik, Executive Director, United Cities: Top priorities are roads, mobility solutions, health, and energy. For net-zero cities, the focus needs to be turned more to renewables, waste management, water, and food security. In terms of real challenges facing this earth and our cities today, I have not heard of a city that is able to implement a holistic approach and is able to do a radical shift to really meet these challenges. If there is one, please let us know so we can learn and share this with 10,000 other cities in need. 

Jayant Kohale, Analytics, Smart Cities, Digital, AI: Sustainable development is the need of the hour. Cities need to focus on their carbon footprints to be future ready. Sustainable development must be all encompassing and benefitting all stakeholders equally. The priorities are building sustainable transit models, more cycle paths, and public transport. Also, smaller airports, community centers, and hospitals or health care facilities. Technology can play a vital role in helping the city leadership in decision-making. Technology can provide historical data pointers, do prognosis, and provide what-if scenario analysis to help city leaders define the road ahead. 

Bayan Konirbayev, Chief Digital Officer, Almaty City Government: Population growth, especially in the big cities, and the lack of infrastructure funding brings new challenges. Our priorities are first, construction and renovation of infrastructure related to the water and energy supply systems. Our second priority is construction and renovation of social infrastructure (school, kindergartens, hospitals). Our third priority is development of digital infrastructure (telecom infrastructure, data centers, new software solutions with data sources flow). Finally, to create an attractive environment for talent, we are focusing on development of creative industries with funding programs together with methodological support and grants for creative entrepreneurs.  

Jian Liu, Professor, School of Architecture Tsinghua University: As a key component of a city’s support systems, investments in social, civil, and green infrastructure should be a long-term consideration. For the short-term goal of decarbonization, investments in energy infrastructure and green infrastructure should be considered.  

Mary Nicol, Director of Policy, Chicago Department of Transportation: Chicago is currently prioritizing investments in historically under-resourced neighborhoods to create jobs, better housing, and more amenities to foster long-term economic development and neighborhood vitality. The initiative is providing support for small businesses, creating public realm improvements, restoring historic buildings, and fostering equity and resilience where it’s needed most. Through a collaboration among multiple city departments, community organizations, and corporate and philanthropic partners, the city has aligned more than $1.4 billion in public and private investment.  

 Clay Pearson, City Manager, City of Pearland, Texas: At the City of Pearland, we have been combining advanced practical technologies along with the hard traditional infrastructure of roads and trails, water and wastewater plants and pipes, as well as facilities necessary to serve our dynamic and diverse community. A key component is both basic and essential – a fiber communications ring. Atop that is a reliable communications and data system upon which the sensing for everything from rainfall to city vehicle location to traffic volumes can be reported and compiled. Our approach is to have smart people inside and partners outside with a clear IT strategy. That gives us the makings of practical success in improving service delivery, economic opportunities, and trust. 

Andrea Sorri, Segment Business Development, Cities. EMEA, Axis Communications: We have identified three core areas that shape smart, more livable cities and keep citizens positive about the urban experience. The first area is urban mobility solutions to help ensure that city residents and visitors can move freely within the city. The second is environmental monitoring solutions using technology to help cities reach sustainability goals. The third is public safety solutions to support a city’s security and emergency response networks. To achieve these goals, the first step is understanding what your city needs, and how small changes within these areas can help achieve bigger goals. Then, map out how city departments can work together to achieve a common goal. Finally, scale up as needed within the same system. The important part is finding a path that is right for the specific priority. 

Peter Nõu, IT strategist, Uppsala Municipality: Our city has outsourced establishing and running some infrastructure to private sector actors, over the last 20 years. Discussions are emerging on whether it would make sense for us to re-enter, inside the framework allowed by Swedish regulations. The aim would be to become more robust in terms of crisis response, to better control climate impact of establishing and running said infrastructures etc. These are very complex issues with large financial stakes, and will be researched thoroughly. Uppsala is Sweden’s largest (in terms of population) rural municipality as well as being the fourth largest city. To us, planning for all of us at the same time, is the way to balance and make sure that we grow responsibly & sustainably. We live in trying times. A potential global recession might hinder some of our ambitious plans, but we are committed to being transparent with regards to goal setting and transparent in reporting.

Jeremy Kelly, Global Research Director, City Futures, JLL: Decarbonization is increasingly playing a core role in city policy and cities’ operations. However, governments must look beyond carbon and balance decarbonization goals with social equity, affordability, biodiversity, and climate adaptation. The best sustainability strategies embrace real estate and adopt a holistic approach in which the drive towards decarbonization is considered alongside positive social outcomes.

In today’s unpredictable world, resilience is essential for urban future readiness. No city today understands this better than Kyiv, Ukraine’s capital city. Just recovering from the pandemic, Kyiv is now facing even a larger crisis: a fight for survival in the battle with Russia. Kyiv’s experience outlines how future-ready digital technologies can help cities stay resilient even during the worst disasters. 

Building digital capabilities 

Before the war began, Kyiv was already far along in its smart city journey, explains Victoria Itskovych, the city’s deputy CIO. The city had been implementing a wide range of smart initiatives across multiple domains, from transportation and education to health and the environment.  

For citizens, perhaps the most visible initiative was the city’s smartphone app, Kyiv Digital, which offers access to an array of municipal services and information. The app has been very popular: so far, 1.8 million people have downloaded it, more than half of Kyiv’s 2.9 million inhabitants and 7 in 10 of the city’s adults.  

In addition to providing access to online city services, the app furnishes information on public transport schedules and arrivals, as well as electronic ticketing. This includes buses, trolleys, and the Kyiv Metro subway system where you can use either QR-tickets or a travel card stored in the app. Users can top up their travel cards using Apple Pay or Google Pay, or connect a Masterpass wallet to save cards for future purchases.  

The electronic payment system makes it easier for users of public transportation, which number over one million people a day. It also eliminates corruption, according to Itskovych. “It makes sure people’s money goes to the municipal budget,” she says, rather than having cash payments diverted by bus and trolley drivers. 

Kyiv has multi-modal mobility options, including a wide network of electric vehicle charging stations and scooter share. Currently, there are seven different providers of scooters, each with its own app. “Our subsequent release of the city app will integrate all seven providers onto one form, so users can see on a map where the nearest scooter is, and the provider,” says Itskovych. The city’s highly sophisticated smart parking system likewise works through the Kyiv Digital app to track time and handle parking payments, using the phone’s location and the car’s license plate number.  

To accommodate those who don’t have payment cards or a bank account, the city offers physical ways to buy transit tickets and pay for parking in special shops. However, Itskovych says, lack of access to smartphones and bank cards is not much of a problem. “On the national level, a lot of government services are now connected to a banking ID, so now everyone has one,” she says. Similarly, the government has a program to provide smartphones to older citizens and teach them how to use them.  

Planning for and responding to crisis 

In a move that proved to be prescient, before the war Kyiv had begun developing a municipal situation center and platform for coordinating municipality owned units, with a system that individual emergency services could use to record incidents and share information with others. “This system became handy for us during the war,” says Itskovych. Similarly, Kyiv’s citywide network of IoT sensors and more than 7,000 video surveillance cameras, which provide data for advanced video analytics, are playing a critical role in the war against Russian terrorist groups. 

When Russia invaded on February 24th, 2022, Itskovych went straight to the city’s data center, where the Kyiv Digital team had been fending off cyberattacks for several days, with help from outside vendors like Cloudflare. “The municipal data center is also the monitoring center for our video surveillance system, which covers the entire city and nearby,” she says, enabling officials to see what was happening and keep law enforcement and the military informed about incursions from soldiers, tanks—and even groups of spies.  

The team worked to restore online services while sealing off the data center from further attack. It also began adding functionality to Kyiv Digital, including an early warning for air-raids, which works more quickly and has a wider reach than legacy sirens. As some businesses closed and residents lined up to buy basic goods like food and medicines, the team added a function for business owners to report when they were open and had supplies. The app then plots these on a map.  

The team further expanded the app to handle digital control passes for city workers that homeowners could check online, and to collect information for extension of Wi-Fi to air-raid shelters in basements and underground carparks, so that people could get vital information and communicate. “In partnership with 20 different ISP home providers, we covered 815 basement areas where people were during air alerts during the first month or so,” says Itskovych.  

What lies ahead 

Even amid the warfare, Kyiv has not lost sight of its future-ready goals. “One goal for 2025 is to have 60% of administrative services online, with 100% by 2030,” Itskovych notes, which is in line with overall national goals for digital transformation.  

Other goals for 2030 include a sustainable, multimodal mobility system using open-loop payments, and a variety of carbon reduction targets. Petro Olenych, chief digital transformation officer for Kyiv, says that one measure under consideration is an addition to the city’s app that will give users information on their carbon footprint when planning a journey by different transportation modes. 

Kyiv’s experience holds lessons for other cities. One is that urban leaders’ future-ready plans should include building capabilities to cope with disasters and emergencies into their smart technologies and systems. Real-time communications and information are key to resilience. “We have learned from this that any unrealistic scenario can become realistic, and that you have to take this into account in your disaster recovery planning,” says Itskovych. “But you have to focus on the main things that your citizens need to survive—food, medications, water, power, shelter.”   

Petro adds that fitting city plans into those for the wider regional or national critical infrastructure is also crucial when considering emergency scenarios. “With that mindset, everything becomes clear—it’s not about profit generation in the first place, it’s about the well-being of citizens and how we can apply technology to help.”  

As cities around the world continue to reel from the COVID-19 pandemic, climate change, and other disruptions, their highest priority has become to ensure a safe, resilient, and economically stable future for their residents. This has heightened the urgency for cities to become future-ready —smart, sustainable, secure, and fully aligned with changing citizen and business needs.  

ThoughtLab’s fourth urban research program, Building a Future-Ready City, is now being launched, and will provide urban leaders with a complete action plan for meeting the challenges ahead. ThoughtLab asked sponsors and advisors of our program to share their views on how cities can become future-ready. Here is how some of them responded. 

 

1. What are the key characteristics of a future-ready city? How will it need to differ from most cities today?  

Dr. Peter Pirnejad, City Manager, Los Altos Hills, California: Future-ready cities need to be progressive, proactive, and dynamic. They must respond to today’s problems but prepare to solve tomorrow’s as well. Most cities are only focused on yesterday’s problems using yesterday’s methods. 

Prof. Joan E. Ricart, Professor of Strategic Management, IESE, Spain: A future-ready city is characterized by being citizen-centric, with a clear vision and strategy, innovative and digitally transformed, connected and highly collaborative, and investing in adequate infrastructure enabled by data, and in attracting talent. 

Peter Nou, IT Strategist, Smart City Infrastructure & Innovation, Uppsala, Sweden: The future-ready city needs to be open to change. “A city” is an overlapping system of systems, and those need to be understood and analyzed in terms of investment horizons and stakeholders. Most cities today are managed inside multiple verticals, with their own resources, problems, and communities of interests. The future requires more wholistic approaches that build engagement and trust over the long term. This is a difficult journey that cannot be micromanaged but needs to be nurtured, often beyond a normal political term. It is not a tech question per se, but much of the transparency can be mediated by technology and clear goal setting at different levels. 

Bayan Konirbayev, Chief Digital Officer, Almaty, Kazakhstan: A future-ready city has multiple components, including a social layer, an infrastructure layer, and a data layer.  

The social layer is the ability of residents and the city administration to accept changes and experiment with new services and opportunities within the city.  

The infrastructure layer includes telecommunication and ICT infrastructure for the implementation of new IT projects, ready-made data centers, distributed FOCL infrastructure, carpeting with video surveillance cameras, and an Internet of Things platform integrated into housing and communal services. 

The data layer involves having a single standard methodology for managing all city data, including rules for managing data of state bodies and subordinate enterprises. Also needed is a structured public data library or database with differentiated access for private companies and state enterprises. 

If we will rate every city from 1-10 based on those three layers, we will see the differences among cities emerge. Because digitalization itself is not only about new technology implementation but also about preparing citizens (using a change management approach) and mature data governance rules, there should be a balance among the three layers. 

Gianluca Galletto, Managing Director, Technology and Innovation Partnerships, New York City Housing Authority: Accessibility is critical. People of all socio-economic statuses and races will need to access all parts of the city seamlessly without visible or invisible barriers. Other characteristics include lots of public space and green areas including on buildings; totally decarbonized; minimal inequality and zero inequality of opportunities; participatory when it comes to making decisions; empowered by their national or regional governments to do what is needed at a local level (many cities are heavily constrained by their national institutional framework); and in tune with the surrounding suburbs and rural areas.   

Kevin Taylor, Segment Development Manager, Smart Cities, Axis Communications: The primary characteristics of a future-ready city are collaboration, modern communications infrastructure, innovation, and an eagerness to embrace open-architecture solutions.

Collaboration is important because no one local government department or agency has all the skillsets, resources, and funding to go at their challenges alone. Through collaboration, municipalities can leverage force multipliers that will enable all stakeholders to accomplish their mission while avoiding redundant expenditures on overlapping technologies.

Modern communications infrastructure is important because data is the lifeblood of not only future-ready cities, but of Industry 4.0. To make informed decisions, large amounts of data need to be continually transported, archived, and analyzed. Municipalities will have to deploy infrastructure, or leverage cooperative partnerships with third-party owners of infrastructure, to accomplish this affordably.

Innovation is key to building future ready. While local governments should always be citizen-centric, therein avoiding the “technology for the sake of technology” euphemism, cities will have to discover new innovative platforms, solutions, procedures, and policies that most positively impact all members of the community. 

And finally, embracing open-architecture technology is critical in future-ready cities because solutions that serve an entire community will be expected to grow large in scale, and will be expected to assimilate within a city’s technology ecosystem which includes other sub-systems. Sensors will be expected to connect to multiple sub-systems, and data from those sub-systems will be expected to benefit multiple stakeholders. There is no place for proprietary or “closed” systems in the future-ready city. 

 

2. What did the pandemic teach us about the future of cities? What steps should cities be taking now to become future-ready?  

Dr. Peter Pirnejad, City Manager, Los Altos Hills, California: The pandemic taught cities how quickly they can adapt when their survival counts on it and how devastating things can get if they don’t. Cities should take the lessons learned from the pandemic and snap forward and embrace the new normal rather than snap back and settle for the old norms. 

Prof. Joan E. Ricart, Professor of Strategic Management, IESE, Spain: The recent pandemic accelerated the necessary transformation of cities to be more sustainable, resilient, inclusive, equitable, and prosperous, and the need to do things differently to reach this transformation. 

Peter Nou, IT-strategist, Smart City Infrastructure & Innovation, Uppsala, Sweden: The pandemic taught us that communications networks need to be pervasive, robust, and safe to allow for meetings and individual contributions to be made from wherever. We also learned that whatever policies are put into place to halt the spread of infectious agents, the public response and ultimately the effectiveness of the measures rely on community engagement, more than enforcement. Trust and communications cannot only be electronically mediated. In our city, we are studying going towards a fractal design, the 15-minute city with hubs for most functions. Meetings, recycling, package delivery, and more. Finding business models that are community focused and/or driven are a clear objective but not yet implemented. Becoming future-ready is a continuous process, not a fixed state at some point in space and time. 

Prof. Jian Liu, Associate Professor, School of Architecture, Tsinghua University, Beijing, China: The pandemic reminds us that change is constant, and a future-ready city should be resilient and adaptable to constant change. For that, existing cities should be redesigned and renovated in view of constant change, of both nature and human society itself, rather than just following a “blueprint” that is conventionally imagined and designed.  

Bayan Konirbayev, Chief Digital Officer, Almaty, Kazakhstan: The pandemic showed us two things: 1) a city’s supply chain can be disrupted, so it is very important to have alternative supplies; 2) the isolation and vaccination process showed city administrations how hard it is to control their citizens, so for every step change management practices should be adopted. The government needs to understand how to work with people. The first and the most important step should be focused on preparing citizens for new changes, whether positive or negative.  

Gianluca Galletto, Managing Director, Technology and Innovation Partnerships, New York City Housing Authority: Public spaces are critical. Effective communication regarding security and health is critical and was neglected before. Although density will still be there because it’s a major asset to in terms of creativity, productivity, etc., we don’t need lots of office space as we needed before, and we should think of better ways to use the built environment and be able to prosper with a little less density and a better relationship with suburban and rural areas. Inequality is a bad beast. The pandemic disproportionately (and highly so) affected the excluded, the unprivileged, the invisible people who are usually essential to the functioning of a city (for example, if you deported all the 600,000 to 800,000 immigrants without legal status in New York City, the city would collapse.)   

Kevin Taylor, Segment Development Manager, Smart Cities, Axis Communications: The challenges of 2020 relating to the global pandemic and to social unrest revealed to us that the two most pressing issues universally relevant to members with a community are health and wellness and personal safety. Strategic initiatives that deal with long-term topics like environmental impact absolutely are relevant and important, but the biggest threat to not only livability, but to survivability, within cities are the immediate needs of today. 

The last two years taught us that when large segments of the community feel their immediate health and safety is either in jeopardy or is deemed to be of reduced value and importance, civility breaks down and cities get burned. For cities of today or cities of the future, the most important thing local governments can provide is peace of mind that individuals can live, work, learn, and play within their community because it is a healthy and safe environment. 

 

3. Which technologies will play a key role in the city of the future? How will these technologies transform urban environments?  

Dr. Peter Pirnejad, City Manager, Los Altos Hills, California: Hybrid and virtual government has proven to not only be effective but desired by elected officials, staff, and constituents alike. Access to services and government has never been so easy. Government buildings have become institutions that provide a venue to engage in work that is more effective in person rather than online. Government buildings will be transformed from being where work is done to where people can share and exchange ideas to improve our institutions. 

Prof. Joan E. Ricart, Professor of Strategic Management, IESE, Spain: All digital technologies need to play a role in the digital transformation of cities. The smart use of data allows the implementation of innovative ways to run future-ready cities. 

Peter Nou, IT-strategist, Smart City Infrastructure & Innovation, Uppsala, Sweden: IoT (sensing the environment and flows of people and materials) is the next technology that will inform us about the pulse of the city. Monitoring city processes will inform city leaders and organizations about constraints, risks, progress towards goals, and more. Sensing infrastructure requires access to pervasive digital infrastructure, and our city is in the process of taking a step forward, potentially owning our own black fiber network that we will lease to anyone at transparent rates or utilize ourselves if the need arises. 

Prof. Jian Liu, Associate Professor, School of Architecture, Tsinghua University, Beijing, China: At least at this moment, digital technology is playing the most significant role in transforming urban environments and will play a key role in the city of the future, by changing the way of life of human beings in the four primary aspects of daily life:  residence, work, leisure, and transportation. Transportation technology will play a significant role in transforming urban environments by changing the mode of travel and the pattern of mobility.  

Gianluca Galletto, Managing Director, Technology and Innovation Partnerships, New York City Housing Authority: New forms of IT to create easier access and communication flows between city government and citizens. Internet of Things for sure. At the same time, better privacy technology and policies to prevent the digitalization of everything becomes a new “big brother” and creates all sorts of other problems – including new forms of backlash and social and political tensions. Retrofit technology for building decarbonization and new infrastructure to provide clean energy and clean mobility. 

Kevin Taylor, Segment Development Manager, Smart Cities, Axis Communications: No single technology, product, or vendor can provide everything a city needs. An “ecosystem” approach is required. Because cities increasingly are relying on data and analytics to make informed decisions, it is reasonable to assume some technologies most critical to the future-ready city are IoT edge sensors like deep-learning enabled cameras, and emerging communications networks like 5G millimeter wave wireless. 

These are foundational technology categories for future-ready cities that enable other platforms like digital twins and visualization dashboards. Additionally, because these foundational technologies also offer real-time benefits, they can be used by traffic management stakeholders as well as within the police/fire/ambulatory emergency response workflow. 

 

4. Which cities today offer good examples of future-ready thinking and solutions? What lessons can be learned from them?  

Dr. Peter Pirnejad, City Manager, Los Altos Hills, California: Rather than looking at cities that offer good examples, we need to look at case studies that offer insights to the future. Take, for example, the town of Los Altos Hills, which saw a major increase in crime. Rather than hire more deputies to patrol its  streets, the town partnered with a vendor that could use AI and automatic license plate readers (ALPRs) to track stolen cars coming into the town. As a result, we saw a significant decrease in crime rates. The lesson is that we cannot solve yesterday’s problems with yesterday’s approaches. We need to be progressive, proactive, and dynamic in our response to the urban problems of today. 

Prof. Jian Liu, Associate Professor, School of Architecture, Tsinghua University, Beijing, China: In China, Hangzhou and Chengdu are two cities that can offer good examples of future-ready thinking and solutions. Hangzhou is particularly characterized by the popularization of digital technologies in the city’s social-economic development and city management, as well as its citizens’ daily life, with consideration to the interaction between the city and its surrounding nature. Chengdu is particularly characterized by the attitude of its citizens to life and nature, with good integration of the city into its surrounding environment, and the broad involvement of citizens in city development and city management through community building.  

Gianluca Galletto, Managing Director, Technology and Innovation Partnerships, New York City Housing Authority: Copenhagen for sure. They have a 13K km of heat networks, and heating uses only 3% of fossil energy. Paris with its increased green spaces, bike lanes, and a real push to become a 15-minute city. New York City with participatory budgeting, ranked choice voting for elections, public-private collaboration for a variety of economic and social programs, strong data-driven policymaking (including policing), extremely tough climate laws, and a series of public and private investment (massive) to become a net zero city. For example, local law 97 imposes strict emission limits on buildings with steep million-dollar fines if it’s not respected, and gas has been banned from all new construction from 2023. There are plans to retrofit buildings, programs to create jobs in the green economy, and massive investments in new renewable infrastructure.  

Kevin Taylor, Segment Development Manager, Smart Cities, Axis Communications: The challenges faced by cities vary infinitely depending on factors such as, but not limited to, cultural, socio-economic, geographical, and geo-political circumstances. In recent years, we have witnessed cities employ innovative approaches using emerging technology in public safety, urban mobility management, and environmental sensing and monitoring. 

For more information, including cases studies, on cities that leverage Axis Communications products and technologies to address the challenges facing their communities, please visit https://www.axis.com/customer-story.

 

5. Why is a study on building a roadmap to becoming future ready so important to undertake now?  

Dr. Peter Pirnejad, City Manager, Los Altos Hills, California: There has never been a time when government has faced so many obstacles that challenge the very foundation of democracy and our ability to govern. Everything from the institutional knowledge being lost as baby boomers leave the workforce to the loss of qualified replacements due to the great resignation. Even the people we govern are engaging in ways that make it difficult to distinguish the vocal minority from the silent majority. Today, government is being challenged as opposing sides get rooted in their objections while taking aim at the institutions set up to foster a democratic resolve rather than the opposition that they wish to convert. We are seeing a loss in faith and trust in government institutions and their ability to govern while we are experiencing a rise in conspiracy theories and alternative facts. Government needs to understand the changes in the people they govern and adapt their systems to respond in more effective and productive ways. 

Peter Nou, IT-strategist, Smart City Infrastructure & Innovation, Uppsala, Sweden: In Europe, war in Ukraine demands our attention at present. At the same time, world leaders are losing focus on climate change, a bigger longer-term issue. Younger generations understand that the need to live a greener life. But only if you walk or bike, not if you are a single driver of a large SUV. There are so many conflicting goals. Pandemic response around the world varied and highlighted different shortcomings at different scales. Many simultaneous crises at different time scales make for so many potential conflicts. Between green and black. Between young and old. Between future and past. Between political class and regular folks. Pandemics, wars, climate tipping points. Cities are where most folks live and where most discussion needs to take place to agree on the path forward. No city’s path will be identical to that of other cities. But the clear story telling of what choices are made, and why, will inform us all.  

Prof. Jian Liu, Associate Professor, School of Architecture, Tsinghua University, Beijing, China: Today, human society might be amid the most critical transition since the Industrial Revolution, except in period of wars, in view of the remarkable changes in the climate, environment, ecology, economy, society, demographics, politics, and technology, etc. It is important to take actions to actively respond to these changes to make cities more resilient and adaptable for the future. 

Bayan Konirbayev, Chief Digital Officer, Almaty, Kazakhstan: We need an understanding of the steps to take, the responsibility of various people, and the relevant KPIs. The roadmap is something we need to have, but together with that it is important to stay agile in order to change your plans according to the  geopolitical situation or technological developments. Big cities have 20, 30, or 40-year development plans, but the world is changing frequently. 

Gianluca Galletto, Managing Director, Technology and Innovation Partnerships, New York City Housing Authority: We are at a historical and dramatic inflection point in terms of how the entire planet can survive, and cities are the place where we need to lead the way. They are the main problem and the main solution to climate change, which is an existential threat for all the planet, no one excluded. The only super ubiquitous threat. They are the place where pragmatism is more important than political partisanship and they can provide examples of (more) effective governance. 

Kevin Taylor, Segment Development Manager, Smart Cities, Axis Communications: Cities are dynamic environments, and the speed of change they are facing has increased to unprecedented levels. A byproduct of this change is uncertainty. Municipal stakeholders are charged with the responsibility of doing what is best for their community while being good stewards of public funds. It is difficult for these stakeholders to perform these responsibilities in the face of so much uncertainty. 

Third-party independent research like this project conducted by ThoughtLab are important information sources local government stakeholders can look to for guidance, for best practices, for encouragement, and for inspiration. 

The invasion in Ukraine has heightened the risk of cyberattacks both from nation-states and non-state actors prompted by the disruptions caused by the conflict. ThoughtLab asked sponsors and advisors of our Cybersecurity Solutions for a Riskier World program to share their views on the fast-moving cybersecurity landscape.  

 

1. Forbes recently noted that suspected Russian-sourced cyberattacks increased 800% in the two days immediately following the breakout of conflict between Russia and Ukraine in late February. What impact is the war in Ukraine and related geopolitical risks having on the cybersecurity landscape? What new or larger risks does it present for companies? 

Gary McAlum, Former CSO & VP, Enterprise Security, USAA: Today’s cyber risk environment has never been more fragile, with cyberattacks increasing in sophistication, intensity, and scope. The current geopolitical situation in Ukraine has only exacerbated the risk implications for companies across the board but especially for critical infrastructure companies and their supply chains. Recent government warnings about the potential for increased cyberattacks have further increased the level of concern for Boards and senior management teams. While larger companies—particularly those in regulated verticals—continue to optimize their security environment, the greatest risk will be to those smaller and mid-sized enterprises where cybersecurity staffing and budgets are thin. 

Cory Simpson, Executive Vice President, Resolute: We have not seen the spike in Russian attributed cyberattacks against liberal democracies that many predicted at the onset of Russia’s illegal war in Ukraine. While the cause for this is currently unknown—perhaps aggressive US government “defend forward” efforts, lack of capacity, or others—what is known is that Russian cyber threat actors are very skilled, and any constraints they may have had previously on their actions are unlikely to continue in today’s environment. In short, we are not out of the proverbial woods, and as CISA (the Cybersecurity and Infrastructure Security Agency) has advised, “Shields Up.” 

Mandy Andress, CISO, Elastic: The cybersecurity landscape is significantly impacted. Cyber is another front in global geopolitical conflicts that’s often invisible, happening behind the scenes. Companies need to be prepared that their industry could be susceptible, or their actions and statements could lead to direct cyberattacks. Companies could also be targeted if they are seen as a means to access another targeted company that is a customer.   

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Experts expect that Russia may yet unleash a devastating online attack on Ukrainian infrastructure or in other western countries. The Ukrainian government has taken some appropriate measures to counteract and protect their networks. For example, to protect the Ukrainian railways, a team of American soldiers and civilians have found and cleaned up one particularly pernicious type of malware, which cybersecurity experts dub “wiperware”, which disable entire computer networks simply by deleting crucial files on command. 

Also, companies and institutions in Ukraine and other western communities are likely to face a massive onslaught of “distributed denial-of-service attacks” (DDoS), which are relatively unsophisticated attacks that take down networks by flooding them with demands for small amounts of data from a large number of computers. 

2022 has already seen a concerning number of cyberattacks on ports and terminals. In January, a cyberattack hit major European ports including Rotterdam and Antwerp. A ransomware attack has caused a full system outage at one of the container terminals at Jawaharlal Nehru Port Trust (JNPT) in India. Attacks to ports, terminals, and supply chain networks may further aggravate the current backlogs and bottlenecks in the global supply chains. Looking forward, cyber espionage capabilities and defense strategies are likely to increase significantly, as well as international coordination among countries in order to offset potentially dangerous cyberattacks. Along with cyber threats, Russia is also spreading misinformation about the Ukraine conflict. It seems that the age of cyber warfare is just beginning. And for Russia, the war with Ukraine is likely serving as a live testing ground for its next generation of cyber weapons.  

Steve Durbin, CEO, Information Security Forum: The speed of digital transformation and the consuming of cloud technologies/services (especially given accelerated uptake due to Covid) has made it increasingly difficult for organizations to enumerate their footprints and map these to geopolitical risk areas. It is difficult to say with complete certainty when and if organizations could be impacted by geopolitical events and regional instability. This is a risk hotspot at present. 

Hacktivists and lone wolves are supporting the cause in some cases, picking sides and launching ‘deregulated’ hostile activities against each other and towards the opposite side. Tracking their activities is increasingly challenging as threat intelligence bleeds with regulated OSINT and the poisoning of social and unofficial media feeds by multiple interested parties. 

Organizations who can be demonstrably directly or indirectly associated with political groups and regions involved in hostility could find themselves in the crosshairs of cyber ‘armies’ and hacktivist groups. 

Both direct and unintended consequences of these risks and threats present a clear and present danger across the globe.  Several national and international security organizations have issued ‘shields up’ instructions to industry, and the instances of such advisories will likely increase as digital transformation penetrates further and further into industry and commerce. 

 

2. What are the biggest threats that your firm (or your clients) are seeing and preparing for? Ransomware, denial of service, etc.? Which business areas, such as supply chains and critical infrastructure, are you (or your clients) giving the greatest attention?  

Deborah Wheeler, CISO, Delta Airlines: We are continuously risk assessing our environment and monitoring threat actors and others with an interest in our industry sector. Obviously, supply chains present a risk that we didn’t foresee two years ago (think Solarwinds), and it has caused us to be more specific in our questions of third parties and requires that we spend more time understanding our supply chain connectedness.  

Jamie Singer, Executive Vice President, Resolute: The ransomware epidemic continues to create havoc on organizations—operationally, financially and reputationally. The double extortion tactics of threat actors remain problematic for many companies, which must navigate the one-two punch of an operational disruption with the threat of data leaks/exfiltration. While critical infrastructure organizations—such as healthcare, manufacturing, etc.—continue to find themselves in the crosshairs of threat actors, no industry or sector is immune. Threat actors are also targeting under-resourced and under-prepared public-school districts, local governments and municipalities, and non-profit organizations—many of which have cyber insurance policies and often are compelled to negotiate ransoms.   

Mandy Andress, CISO, Elastic: We are focused on a variety of threats, including ransomware and denial of service, but are primarily focused on overall data protection to ensure the safety of our customers’ information. We are also giving supply chain significant attention to help ensure it is not a threat vector for us or our customers. 

Steve Durbin, CEO, Information Security Forum: Not only does any destabilization provide a convenient front for criminal activity, but it is also wholly possible that gangs and cartels sympathetic to the cause could ramp up operations to provide a line of funding to those involved (for instance, the activities of the ‘Lazarus’ group who provided funding lines for North Korea; a group strongly believed to be supported and bankrolled by the Kim regime). 

The rapid growth of the data economy and volumes of data/relative value has turned heads, with threat actors seizing the opportunity of manipulating data to misinform and misdirect  

Covid has exposed the frailties of supply chains in enterprise and the associated risk of disruption; geopolitical influences are yet another vector for this risk and we are already seeing examples of it. 

Critical infrastructure is becoming a more lucrative target for attack; the footprint of these environments has increased significantly enabled by tech such as IoT and communications innovations such as 5G whilst the maturity of ICS/OT in terms of cyber controls continues to be low. 

 

3. How prepared is your company (or are you clients) to address these escalating nation-state threats? What do you see as best practices to manage risk currently, and which areas are you (or your clients) beefing up, such as threat intelligence, attack simulation, scenario planning, business continuity awareness, and training?  

Jamie Singer, Executive Vice President, Resolute: Robust incident response planning is table stakes for any organization today. And given the significant reputational risks associated with today’s evolving cybersecurity landscape, an increasingly critical component of that process is comprehensive cybersecurity crisis communications planning. It is imperative that organizations invest the time and resources in developing clear and consistent communications protocols, including streamlining internal messaging review and approval processes, to ensure timely and effective communications responses to these complex issues. Executive-level tabletop exercises and trainings are also critical to building muscle memory and gaining internal alignment on messaging and communications strategies, in advance of a significant cybersecurity event.   

Gary McAlum Former CSO & VP, Enterprise Security, USAA: Not many companies, if any, are truly prepared to deal with an all-out, targeted attack by a sophisticated nation-state actor. These type of threat actors are backed by an almost unlimited budget and the very best cyber talent available. Add in the ability to stockpile zero-day exploits and you have an unfair fight, by any stretch of imagination.  Any company that is specifically targeted by a nation-state adversary will not be able to prevent an eventual penetration that leads to an undetected presence on their network.  However, as that actor attempts to exploit that presence, a sophisticated security team may have a greater chance to detect and effectively respond based on a security ecosystem that is overlapping and tightly monitored. 

Mandy Andress, CISO, Elastic: The most prepared companies are the ones that have really focused on the fundamentals of good security hygiene: knowing your environment, updating and patching your technology, changing default configurations, and utilizing layers of security. Being solid on the basics closes the large majority of avenues that attackers leverage to access or move through an environment. 

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: More efforts are needed to strengthen international cooperation and resources but also scenario planning and simulations. Often the worst-case scenario assumptions in scenario planning process look more like a baseline scenario or at least one that is not truly severely adverse.     

Steve Durbin, CEO, Information Security Forum: The ISF continues to provide support to members in a number of areas aligned to this developing threat landscape and this is something we would consider to be industry good practice. We have: 

• delivered research and a methodology for protecting from, responding to and recovering from, Extinction Level Attacks, with specific materials dedicated to the topic of ransomware that are also available on our PWS. 
• conducted cyber simulation exercises both publicly and ad-hoc for our members, to allow them to understand their limitations and hone their skills following a fictitious scenario.  
• recently released the latest version of our flagship ‘Threat Horizon’ research, providing organizations with forward-thinking guidance on potential future threats, with supporting materials to facilitate the use of the research in the boardroom. 
• a strong offering on managing supply chain risk and is seeing renewed interest in this topic from our members. 

Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: So much is about hardening the weakest links in security programs. Most companies have longstanding investments in prevention and defense – so today’s emphasis is on review and upgrade of response visibility and readiness across systems and organizations. Using the MITRE ATT@CK framework to assess and enhance defense, monitoring, and response is a key element. We are also helping people tighten up their security operations, especially incident response, through automation, prioritization, and structurally linking security, IT, and other teams involved in reducing vulnerabilities and responding to a major incident.  

Since it is a joint responsibility of security and IT, we see investment in general attack surface hardening using established frameworks, and also business continuity/disaster recovery plans to build cyber resilience. There’s been a clear motion in recent years to encourage this collaboration, and ubiquitous, complex digital systems are turning the desirable into the necessary. This is crawl/walk/run country, and every organization is in a different place. The key point is to see where you are, and then build and activate your plan for progress. 

We recommend clients look at resilience and readiness. Every business has different points of failure, so it isn’t one single playbook, and each situation is heavily influenced by industry and maturity.  In addition to the guidance offered by both UK NCSC and US CISA cybersecurity agencies, as well as CIS and NIST, there are copious resources around operational resilience, business continuity management, and vulnerability management. 

 

4. Our survey of executives revealed that 30% of CISOs are becoming more involved in geopolitical risk management. Is that enough? How are companies ensuring their cybersecurity strategies are aligned with their political risk management? 

Deborah Wheeler, CISO, Delta Airlines: I think companies that have both a CSO and a CISO or have separated physical security from cyber need to be collaborating to understand how material physical threats can play out in cyber and vice versa. These worlds collide much more than they did years ago. Companies needs to look at their potential to thwart geopolitically motivated cyber risks before announcing geopolitical positions.  

Cory Simpson, Executive Vice President Resolute: No. Every CISO needs to have an awareness of the geopolitical risk factors in their organization’s operating environment and be a part of the strategy for best mitigating such risk. Just as the role of the CFO has evolved in the last 30 years from a budgetary gatekeeper to a strategic partner of the CEO in setting corporate strategy to manage financial risk in markets around the globe, we need the CISO’s role to quickly evolve in a similar way to help corporate leaders better mitigate geopolitical risk for their organizations. Companies should ensure cohesion between their cybersecurity and political risk management strategies. How this is best done will vary from company to company and market to market, but it all begins by ensuring a comprehensive, inclusive, and collaborative planning process. 

Mandy Andress, CISO, Elastic: Sharing information and building awareness is critical. For instance, share what types of attacks you are seeing with your security peers and your company’s employees. Phishing and social engineering are primary entry vectors. By spreading awareness and education as far and wide as possible we can help everyone be more vigilant for suspicious activities. 

Steve Durbin, CEO, Information Security Forum: This is a disappointingly low number and tends to suggest that the value opportunity of CISOs in organizations is still struggling to be recognized fully, with some CISOs still anchored to the more traditional tenets of information security and risk management. CISOs’ relationship with the business needs to develop further; this relationship is a two-way thing. CISOs need to become more business-aligned and business leaders need to be more aware of the relevance of cyber to their personal and corporate accountabilities. 

• Organizations with a more mature, holistic approach to enterprise risk management are able to bring multiple risk domains together so that they can become more complimentary in establishing an aggregate risk position.   
• Organizations with a maturing risk management framework and culture may still have separation, treating differing risk management domains in isolation to each other with some notable gaps (such as geopolitical risk).   
• Organizations with weak or no risk management framework and culture will be in a reactionary mode when it comes to geopolitical risk and certainly the current situation; likely they are contemplating the challenges of RUS-UKR for example as an operational challenge rather than a strategic risk, which is not effective in the longer term. 

 

5. What advice would you give CISOs for these riskier times? 

Deborah Wheeler, CISO, Delta Airlines: Stay calm; focus on the basics (patch management, access management enforcement of strong authentication, and educating end users about phishing), rehearse your IR plans and stay current on threat intelligence. They should have a good IR retainer in place should they need it and should have good partnerships in place with their company’s legal counsel and management and business leaders. Providing periodic written updates to leadership that address the heightened cyber risk environment and how the company is preparing for or is prepared to withstand certain types of events, allows management to gain confidence in the CISO and their organization, gives visibility to where investments have been made, and can also be used to alert leadership to where certain risks might have greater chance of resulting in an exposure.   

Cory Simpson, Executive Vice President Resolute: Speed and agility. CISOs must ensure they develop their people, processes, and technologies with the speed and agility required by today’s volatile, uncertain, complex, ambiguous, and interconnected environment.     

Gary McAlum Former CSO & VP, Enterprise Security, USAA: In today’s cyber risk environment, the potential for a major incident has dramatically increased. CISOs should be continuously focused on ensuring their security posture is as robust as possible, particularly security patches updated as quickly as possible. However, this is also a time to ensure a comprehensive incident response plan is in place and, preferably, recently validated through a table-top exercise or some other walk-through review. For example, ensuring good contact information for key external agencies, such as law enforcement, is a lot easier to do now than when the balloon goes up.  

Dr. Ivo Pezzuto, Professor of Digital Transformation, International School of Management: Companies, banks, and institutions are paying greater attention to the future impact of Quantum Cryptography, in particular in Canada, the Netherlands, Australia, the UK, and the U.S. Banks are investing in PQC (Post-Quantum Teams) in order to improve their readiness to the quantum migration.  

NATO is aiming to strengthen its internal proprietary network with the use of quantum cryptography. It seems that the algorithms they use in the VPN are not safe enough against quantum attacks, thus they may be subject to data breach and vulnerabilities. 

Steve Durbin, CEO, Information Security Forum: Socialize the topic with business leaders, generate the conversation and offer support and assistance. CISOs are NOT expected to have all the answers, but the value is created when they broker effective conversations between business, technology, risk and security, and offer their subject matter expertise to broker solutions to identified problems. 

Now is an opportune moment to renew relationships with your professional network; the value of knowledge sharing across different organisations and vertical markets cannot be understated in times like this (not to mention the mental health benefit of supporting each other). Resist the urge to leverage the situation to drive a personal agenda, always offer problems AND solutions, not just problems. 

Be accessible to your teams AND your business. Now is the time to show true leadership in your business, not hide in the shadows behind others. 

Barbara Kay, Senior Director Product Marketing for Risk, Security, and ESG, ServiceNow: COVID accelerated usage of digital technology throughout every BU of every organization and throughout every supply chain. Now the security posture and resilience of this extended enterprise infrastructure will be tested by both known and new tactics, techniques, and procedures. Last year’s challenges (Solarwinds, ransomware, and log4j) were a dry run. “Targeted attack 3.0” sophistication will be applied to a “Resilience 1.0” level digital business infrastructure.  

Let’s take all that we have learned, especially MITRE ATT&CK insights, and tighten up our threat recognition and response. Let’s team with IT and Risk stakeholders to turn policies into rules, controls, continuous monitoring, and prioritized management. Let’s collaborate. There’s so much tech and wisdom that is not just possible, but proven, to help any team get stronger. Let’s put it to work. 

Major cyberattacks are fast multiplying globally, impacting businesses, cities, and national governments. CISOs need insights to take a more effective, analytically driven approach to cybersecurity. In this increasingly dangerous digital-first world, they also need to collaborate with their peers and partners to bolster cyber protection across all levels of the company. Cybersecurity can no longer remain restricted to the IT department. CISOs need to be prepared for when, not if, they experience a breach.  

To offer CISOs fresh thinking on how to weather the brewing cyber-storm, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to provide us with valuable decision support and best practices. 

 

As security and resilience become top of mind for corporate boards, what do you see as the biggest change in the role of the CISO?   

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to vastly expand their skill set beyond technical expertise (which, of course, they must maintain). They need to lead a full integration of enterprise-wide security structures and help to develop a full culture of security and work far more collaboratively with other elements of the enterprise, such as audit, legal, human resources, public relations, and others. These all need to be integrated into an enterprise-wide risk management team, and the CISO needs to help lead that collaborative structure.   

Steve Durbin, CEO, Information Security Forum: The role of the CISO varies significantly across industries, regions, and even individual organizations in terms of seniority, authority, budget, team size, and influence. Engagement with CISOs from ISF member organizations has revealed that CISO job descriptions do not accurately reflect the extent of the role being fulfilled. Roles often expand without additional funding, resources, or support. CISOs are increasingly being held responsible, and sometimes accountable, for circumstances beyond their control. The biggest change in the role of the CISO is the need for the individual to balance opportunity with risk and find their own voice within the organization.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: A broadening of the role to think more strategically about the business as a whole and the impact of cyber on the broader business and planning for resiliency outside of just the cybersecurity space.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest change in the role of the CISO is the need to be a business partner at the board level, protecting the organization’s corporate strategy, along with continued production of food or motor vehicles, acquisition or new market entry, the continuous delivery of safe healthcare with protected patient data, etc. and the need to be the secure digital transformation advisor while keeping the corporate strategy functioning securely.  

Ravi Srinivasan, CEO, Votiro: Security leaders are business leaders first and IT leaders second. Successful security leaders are collaborating with the lines of business leaders in the company to secure new digital processes and enable secure user productivity.  

Mandy Andress, Chief Information Security Officer, Elastic: The role of the CISO has become much more complex over the last 20 years. Responsibilities have grown from leading the team handling real-time threats and mitigation of attacks, to overseeing the security architecture and the protection of the corporate infrastructure, implementing security policies and management designed to foresee and address risk, and maintaining compliance with a growing population of regulations and industry requirements.  

And, so-called “soft skills” have become just as important as technical skills. Creating resilience for a company is also about being a trusted communicator, understanding how cyber risks fit into the business overall, and building partnerships across the C-suite. 

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will be a top priority for CISOs in the next few years as they work closely with their peers across the leadership team to build employee awareness of security protocols, and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: CISOs have a starring role in the new normal. Cybersecurity has become a central part of how businesses grow and operate. Their influence with the CEO and board has greatly increased. Radical change brings an opportunity for a dramatic shift in how organizations approach their security programs. The CISO role will no longer be primarily technical. CISOs will broaden their purview to include the ‘business’ of cybersecurity. The modern CISO will make the business case for cybersecurity initiatives and address overall business risk. They will also need to quantify the return on investment of those initiatives. CISOs will be highly knowledgeable about the state of cyber security and the threat landscape. They will share this knowledge with the board in business terms and build proactive security posture management programs that take this global picture into account. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Culturally, the CISO needs to be capable of talking to a board of directors in a language that they understand in order to take a strategic, top-down approach to risk management in cyber. One of the challenges here is having the ability to translate cyber risk into financial terms. What will be the ROI from my invest in security? How much risk is the organization carrying? What is our preferred risk posture?

 

Which cybersecurity best practices should CISOs follow to succeed in today’s riskier world?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: I am a big fan of the Center for Internet Security’s (CIS) Critical Security Controls. Those controls map well to other standards and frameworks but for a strategic view of what a strong security program should accomplish, the CIS Critical Controls are a great starting point.  

Larry Clinton, President/CEO Internet Security Alliance: The most important point is not to confuse regulatory compliance with actual security. The technical best practices probably ought to be a mixture of the various frameworks (NIST/ISO/FISMA, etc.) but need to be adjusted based on the uniqueness of the organization’s technology, culture, and business plan. However, the organizational best practices that are the most clearly documented as enhancing security are the ones outlined by the National Association of Corporate Directors in their cyber risk handbook (available free of charge at www.nacdonline.org).  

Steve Durbin, CEO, Information Security Forum: Applying an approach which is business-centric, risk-based and value-driven. The ISF Standard of Good Practice (SOGP) provides an effective framework for information security policies, standards, and procedures, and is mapped to industry-recognised standards such as NIST CSF, ISO 27002, CIS Top 20, and PCI DSS.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Start with the basics: patching, patching, patching! Limit/restrict access and require strong authentication mechanisms. Limit your blast radius—if something bad gets in, limit where it can go and what damage it can do.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Answering this from the perspective of OT and IoT—understand the connected assets across their environment and supply chain to assess the inherent risks. Drive programs of increasing cyber posture across their estate; patches and updates to the latest firmware and versions; and secure connectivity. Apply the three lines of defense across their business and connected industrial environments with the first line of defense as the OT environment, second the SOC, and third the GRC with re-enforcement and governance of the audit committee.  

Ravi Srinivasan, CEO, Votiro: Follow the data. CISOs need to shift their focus from infrastructure-centric security to Zero Trust Data Security. Understanding how business-critical data and IP are used in all the new digital processes will help security leaders focus on what matters: enabling secure user productivity and mitigating exposure to data breaches.  

Mandy Andress, Chief Information Security Officer, Elastic: Every security program is unique to the company’s needs. When faced with new challenges, people often turn to new technology, but it’s security practitioners who develop new ideas, threat intelligence, and approaches to prevent bad actors from impacting the systems that are so important to keeping organizations functioning. At a high level, CISOs should consider the following best practices: 

• Train your staff. Make it meaningful for your environment. There should be ready access to training materials as part of your onboarding process and at regular intervals throughout an employee’s tenure to help ensure your employees are up-to-date on the latest and greatest. After all, humans are the most vulnerable points in any security system.  

• Test your system. Send test messages to help train your employees. Hire consultants or have an internal red team to find your weak spots and commit resources to fix those weak spots. 

• Understand your data flows. Security teams first need to understand the data flows in their environments so they can ensure that their data only goes where it’s supposed to go. The tools and processes you use should also provide security metrics and, equally importantly, review the data you collect to identify any patterns that may indicate a security vulnerability or team that needs additional education.  

 The best security programs are simple but effective. It is the responsibility of security leaders to balance the people, processes, and technology to defend their organization. While it is important to choose the right cybersecurity technology, that investment should be proportional to the people running the products and the processes that define their work. 

Gidi Cohen, CEO and Founder, Skybox Security: Avoid the avoidable. There is no excuse not to fix a known vulnerability that is exploitable. Many of the attacks over the past few years were caused by bad actors who exploited known vulnerabilities that organizations had enough time to deal with prior to the breach. By proactively conducting exposure analysis, organizations can identify exploitable vulnerabilities and correlate them with their unique infrastructure configuration and security controls to determine where cyber-attacks pose the highest risk. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: There are any number of standards, regulations and best practices that can be followed and organizations need to focus on those that their specific geographies, regulatory specifications and vertical nuances dictate. As a good, general guidance, the NIST and ISO cyber security standards are a good place to start.

 

What single piece of advice would you offer CISOs as they aim to secure their organizations against future cybersecurity threats?  

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: Ensure your security journey has commitment from the highest level of your organization’s leadership chain. Developing and implementing a strong security model that enables the business requires commitment from all parts of the organization. Ensure you have the necessary support from above and across your organization.  

Larry Clinton, President/CEO Internet Security Alliance: CISOs need to embrace some of the modern cyber risk management tools such as FAIR or X-Analytics that move beyond the traditional check-the-box models favored by regulators. While these compliance regimes may be necessary, the effective CISO will be using these more progressive risk assessment tools that include analysis of the economics of cybersecurity and ties security procedures more closely to the organization’s risk appetite.  

Steve Durbin, CEO, Information Security Forum: Engage proactively with stakeholders at all levels inside the organisation—e.g., be forthcoming with the business, drive the conversation with the board, fight for time beyond quarterly meetings where cyber is only a small part of the agenda, help address and answer difficult questions regarding cyber, and demystify misconceptions.  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Focus on the basics of good cyber hygiene. Once the foundations are in place, you can build on top of that to address specific types of threats or tools needed to address unique requirements your business may have.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Implement best of breed control technology. Prioritize risk management and identify critical assets that drive business continuity and minimize business operational risks. Address both your baseline cyber posture, GRC, and monitor the environment for threats. Increase your cyber skills capability and increase cyber awareness training for non-cyber personnel. Leverage the latest threat intelligence and do tabletop exercises on breaches or attacks, including negotiation training with mal actors.  

Ravi Srinivasan, CEO, Votiro: Outsource security operations and response so that you can free up resources to focus internal efforts on securing data and the usability of new digital business services. Evaluate any new security technologies based on usability for new digital businesses, open APIs for ease of IT integrations, and simplifying operational support. 

Mandy Andress, Chief Information Security Officer, Elastic: Focus on the basics. The fundamentals of security hygiene for any environment are still the best protection to today’s threats. Change defaults, disable unnecessary services, default deny inbound network traffic, and patch! 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t focus on threats; focus on vulnerabilities. Threats are changing all of the time, are out of your control, and most are irrelevant to your organization considering your security posture. However, all of your vulnerabilities are yours to address. Focus on what you can control, such as eliminating exposure to cyber risk. This includes assessing, prioritizing, and remediating vulnerabilities on time to avoid a breach. It also includes tightening processes and implementing automation to ensure you don’t open your organization to new risk through misconfigurations or making policy changes without validation. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Enlist help from specialists. Do not try to do everything yourselves. Make sure that you have access to world-class solutions, threat intelligence and data through carefully selected partnerships.

 

What is the largest mistake that CISOs should avoid making in the future? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: While the concept of a “Zero Trust” security model sounds good and everyone agrees, it is a complex journey that is not easy or cheap. The biggest mistake a CISO should avoid is thinking that Zero Trust can be achieved with just a new technology solution. Reworking the existing security architecture to incorporate more micro-segmentation, continuous monitoring and analysis, and attribute-based adaptive authentication will be a significant investment.  

Steve Durbin, CEO, Information Security Forum: Overestimating or making assumptions regarding the organization’s cyber resilience capabilities and, thus, not testing them (i.e., not conducting regular assurance activities such as cyber simulation exercises).  

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Avoid thinking that all your employees need to come from a traditional IT, computer science, or data management background and that they need a four-year degree. We need creative problem solvers—hackers  do not restrict who can hack! We need to be as “open minded” about the resources we employ to fight the good fight, as the threat actors are about fighting to bring us down.  

Simon Chassar, Chief Revenue Officer, Claroty Inc: Assuming that they will not be breached, attacked, or be a victim of a supply chain impact. 

Ravi Srinivasan, CEO, Votiro: CISOs maintain their responsibilities to govern security policies and compliance, while the lines of business continue to rapidly innovate, migrate, and adopt new technologies and multi-cloud services. CISOs should partner with the business leaders to balance modernizing mid-/long-term initiatives (often infrastructure-centric) with near-term initiatives (data-centric) to secure digital business enablement.  

Mandy Andress, Chief Information Security Officer, Elastic: Learning from my own mistakes, focus on people first. I have always looked at security as the equal combination of people, process, and technology. While I talked about them in that order, I usually focused on technology first, then process, and people last. No technology can fully protect an organization in today’s environment. Having the right people in the right roles that can creatively apply technology to your environment, adapt defenses to new threats, and communicate to your users with a high degree of empathy will further the success of your program more than any technology or process. 

Gidi Cohen, CEO and Founder, Skybox Security: Don’t underestimate what is required to transform cybersecurity programs. Buying more point products won’t solve your problems. This creates a false sense of security. Instead, you should focus on maturing your security programs to a place where it is at least properly managed and monitored, if not continuously optimized and improved. Tighten your processes to manage the products you do have, ensure you are getting the full value from those products and put the right talent in place to manage your entire security estate. 

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Taking a “technology first” approach to risk mitigation. Start with business strategy, governance and gap analysis. Technology needs to be deployed in line with these and not in a reactionary way.

Digital innovation is a double-edged sword: while necessary for driving performance, it exposes companies to much greater cyber threats. The COVID-19 pandemic opened even more opportunities for cybercriminals, who adapted their attacks to exploit vaccination mandates, elections, and the shift to hybrid work, while also targeting organizations’ supply chains and networks. With such criminals becoming smarter and more resourceful, cybersecurity is no longer just an IT issue: it is a strategic imperative for the C-suite and government officials. 

To understand how companies are addressing these issues and beefing up their cybersecurity defenses, ThoughtLab is conducting a multi-client research program titled Cybersecurity Solutions for a Riskier Digital World. We asked experts and sponsors of the study to offer their perspectives on how the pandemic has affected cybersecurity and the implications for their businesses.  

  

How has the pandemic permanently changed the cybersecurity landscape and agenda for companies? 

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: The pandemic has driven organizations to a more dispersed and distributed employee model as well as exposing supply chain dependencies. For many companies, the risk equation has changed for the worst, driven by a dynamic threat environment that has increased in frequency, intensity, and sophistication. 

Larry Clinton, President/CEO Internet Security Alliance: The pandemic has altered cybersecurity, although it is far from the most important change. If confined to the pandemic, I would say the most notable change is the evolution of a substantial work-from-home community without adequate consideration of security procedures, which has spurred a tremendous increase in vulnerability for the entire system and a resulting significant increase in cybercrime. 

Steve Durbin, CEO, Information Security Forum: The pandemic has resulted in masses of employees working from home long term, personal devices being employed for corporate uses, and spikes in social media usage rates, among other changes, which have broadened the attack surface.  

This shift in landscape has required organizations to reprioritize strategic objectives and key risks—e.g., accelerating digital transformation programs and migration to the cloud.  

The Internet Organized Crime Threat Assessment (IOCTA) 2021 report highlights that COVID-19 has resulted in a sharp increase in cybercrime. Cybercriminals have been identified to be employing the following attack vectors: malware (e.g., ransomware and mobile malware), payment fraud (e.g., sim-swapping, mobile banking trojans and ATM attacks), social engineering, and phishing. 

Deborah Wheeler, Senior Vice President, CISO, Delta Airlines: Ransomware and malicious cyberattacks rose significantly during the pandemic and impacted many industries. Demand for cyber talent has increased and the shortage of skilled resources has driven the cost of that talent much higher. As a result of the types of attacks seen, many industries are seeking talent that perhaps before, they thought they could get away without hiring or with hiring one or two resources. Now they realize teams of cyber experts may be needed because these threats are here to stay. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The pandemic affected the cybersecurity industry because of the implications of remote working and isolation from traditional hands-on configurations and installations. The remote office created a need to re-architect or accelerate to secure access service edge (SASE) within Software Defined Wide Area Networking (SD-WAN), with cloud and full corporate security policies for email, data, and access beyond the officer perimeter. This permanently changed the approach and accelerated the need to design in cybersecurity for all solutions; and cybersecurity with COVID became the enabler of digital transformation acceleration—Secure-by-Design. The further need to build in resiliency into business operations has increased the drive to public cloud, multi-cloud, and hybrid cloud, with remote access and software-defined security controls. 

Ravi Srinivasan, CEO, Votiro: Cybersecurity is no longer enterprise IT’s jobs. The accelerated digital transformation of back-office processes, rapid application migration to multiple clouds, and modernization of the data platforms have brought the business and security leaders to collaborate on new cyber strategies and execution. The pandemic has changed the landscape, shifting the focus away from infrastructure to data-centric security approaches. As enterprise users have experienced the risks of cyber, there’s heightened awareness of the need to be vigilant. CISOs will prioritize investments in more cloud-native, usable security services—not large security platforms—to enable secure digital business.    

Mandy Andress, Chief Information Security Officer, Elastic: The pandemic transformed the role of the CISO virtually overnight – from forcing a shift to remote operations to rethinking how to best support employee productivity. Now that companies have weathered the initial changes, CISOs are reassessing their IT security practices, tools, operations, and employee processes for long-term stability and growth within a distributed environment.  

The pandemic has expanded enterprises’ attack surface area, posing greater threat and risk for possible opportunistic or malicious attacks. Ensuring a strong security program in a remote environment will continue to be a top priority in the next few years as we work closely with our peers across the leadership team to build employee awareness of security protocols and invest in appropriate technology to meet the intricate needs of globally distributed organizations. 

Gidi Cohen, CEO and Founder, Skybox Security: The reality is that current security practices are not keeping up with the changing security landscape. Attack surfaces grew significantly during the pandemic. Accelerated digital transformation, cloud migration, and increased remote working all contributed to this growth. Further, the pandemic put to test many of the systemic failures of the cybersecurity industry. Organizations are plagued with massive, fragmented networks, decentralized, inconsistent configurations and change management processes, unsafe cloud and network configurations, and the continual increase in vulnerabilities.   

As the economy recovered, the great resignation had significant implications for cybersecurity programs.  Already resource-constrained, organizations are losing the institutional knowledge and talent needed to run cybersecurity programs effectively.  As a result, security organizations suffer from loss productively, inefficiencies, and risk of human error.   

Cyber security organizations are making significant changes to address the expanded attack surface, fragmented and complex environments, and loss of talent. They are increasingly focused on moving from reactive approaches to proactive security posture management.  Gaining visibility across hybrid, multi-cloud, and OT networks has become a top priority. And they are embracing automation at record levels to optimize workflows, implement changes, and validate network security policies.   

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: We are yet to determine precisely how the move to remote working will change working practices in the long term but we are sure that the balance between office work and remote working will not return to previous norms in many industries. This has implications for cyber security as enterprise attempt to make their employees and their data as secure when accessed from home as it is behind the company firewall. In addition, communication practices have fundamentally changed and this dynamic offers cyber criminals new opportunities and a plethora of new attack surfaces.

 

What do you see as the biggest cybersecurity challenge that companies will face over the next two years?   

Gary McAlum, Former Fortune 100 CSO and Military Cyber Officer: As cyberattacks continue to increase in scope and scale, the government is taking a more active role in defining and prescribing new security regulations. In addition, data privacy laws are becoming more rigid and complex. In already regulated sectors, the requirements are increasing even more. Balancing compliance with the day-to-day reality of operational cybersecurity challenges will be a huge challenge.  

Larry Clinton, President/CEO Internet Security Alliance: The biggest challenge for companies is that they are being vastly over-matched by the growing sophistication of the attack community. Not only nation-states and state-affiliated attackers but also criminal syndicates are accessing increasingly sophisticated attack methods and technologies that will be very difficult for private firms to compete with. 

Steve Durbin, CEO, Information Security Forum: There are three challenges organizations will increasingly face over the next two years: 

1. 1. Being confident in the level of cyber capability currently protecting the organization, in terms of people, processes, and technology, and whether they ensure risks fall within the organization’s acceptable risk tolerance.
2. Dealing with significant levels of technical debt from legacy systems and proprietary systems. This is a burden to the organization as it can often be more expensive to update an outdated IT estate compared with replacing it completely. 
3. Meeting the ever-changing and more complex compliance obligations. Upcoming regulations, such as requirements aiming to improve the reporting of cyber incidents to authorities, can distract CISOs, and have implications for incident management teams, resourcing (workforce), and budget allocation. 

Simon Chassar, Chief Revenue Officer, Claroty Inc: The biggest cybersecurity challenge will be the continued increase in the sophistication of threats for financial gain across a broad increased and connected threat surface. This means that lateral movement of malware is a real concern. We have seen a huge increase in the volume of malware impacts on industrial environments, from oil and gas and water to healthcare and manufacturing. These environments have been increasing in connectivity in OT and IoT due to automation and optimization of production for efficiency with real-time demands. This has led to an increased and unprotected environment because of legacy systems and unfamiliar protocols. Therefore, I believe that industrial environment protection or cyber-physical systems will be the biggest challenge over the next two years.  

Ravi Srinivasan, CEO, Votiro: Remote/hybrid work is here to stay. Security leaders need to focus on protecting digital data and files wherever they are used. This will drive the growing adoption of Security Services Edge, but SSE adoption will hit some operational headwinds as leaders need to address more data risks from the realities of multi-cloud, hybrid IT infrastructures, and usage of more cloud applications.  

Ransomware fatigue will increase. Ransomware attacks are here to stay. Crypto is a force to reckon with and, as business leaders debate to pay or not to pay for ransomware incidents, security leaders will shift focus to prevention approaches and outsource the detection and response efforts to managed services providers.    

Hyper-digital connections will create more data risks. Digitizing old business processes leads to the use of more supply chain connections, exposing more homegrown applications in the cloud and increasing users’ access to new services from outside the traditional enterprise network.  This leads to bad actors exploiting these new digital services, such as weaponizing files used by employees, applications, and data platforms; misconfigurations of application and data platforms in the cloud; more high-profile supply chain exploits; and increased personalized phishing attacks.  

Too many security frameworks lead to too many tools in use. Enterprise and security architects will need to rationalize and adopt frameworks based on a business-led security strategy: securing what matters most for the businesses (data and intellectual property) and adopting security as a service. 

Mandy Andress, Chief Information Security Officer, Elastic: While the threat of malware, ransomware, and data breaches will only continue to rise, the biggest challenge in front of many security executives is finding the next generation of cybersecurity professionals. While cybersecurity is a technology issue, it’s also a human one and an organization’s employees are the first line of defense.  

In its Cybersecurity Workforce Study 2021, industry body (ISC) finds that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way off where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills. 

In other words, we’re going to need to draw from a wider talent pool to plug the gaps. 

Our industry’s over-reliance on specialists with the ‘right’ qualifications and educational backgrounds might actually be a weakness — a point of view reinforced for me by David Epstein’s 2019 book, Range: Why Generalists Triumph in a Specialized World. In the book, Epstein argues that generalists with wide-ranging interests are more creative, more agile, and able to make connections that their more specialized peers can’t see, especially in complex and unpredictable fields – a description that is a good fit for cybersecurity.  

Many of the hiring challenges in cybersecurity can be alleviated by taking important steps to diversify the talent pipeline, which not only expands the talent pool but also contributes to a healthier overall cybersecurity culture. 

Gidi Cohen, CEO and Founder, Skybox Security: As the economy continues to recover and cybersecurity budgets increase, there will be increasing pressure to develop strategic approaches that increase cybersecurity efficacy and not just tactically react to pressures during the earlier days of the pandemic.  Organizations will focus on strengthening their cybersecurity controls, processes, and compliance programs to reduce risk and exposure to cyberattacks.  This requires a fundamental shift in mindset from reactive to proactive cybersecurity.  Security by design will become the focus and the challenge.  Organizations will rethink security architectures to unify and better optimize security across hybrid, multi-cloud, and OT environments. In tandem, security leaders will need to decide how to approach zero trust and address the architectural implications. Secure cloud adoption and migration will continue to be a challenge. Organizations will also need to manage and consolidate fragmented infrastructures that include disparate security products with sub-optimal use. And processes will need to be optimized and automated to avoid catastrophic errors and address resource constraints.  

Darren Thomson, Head of Cyber Intelligence Services, CyberCube: Ransomware. Anybody that believes that ransomware, as a malware type, is a passing trend is mistaken. Ransomware will evolve and become more impactful and devastating in the coming years and organizations need to understand better how to protect themselves from this threat.