Humans have been captivated by stories of being transported to sprawling virtual worlds since the beginning of the golden age of science fiction. At its dawn in 1935, writer Stanley Weinbaum first conceptualized virtual reality (VR) in the short story Pygmalion’s Spectacles. In this story, a professor invents a pair of goggles that enables the wearer to immerse themselves in “a movie that gives one sight and sound... taste, smell, and touch... You are in the story, you speak to the shadows (characters) and they reply, and instead of being on a screen, the story is all about you, and you are in it.”
Stanley’s imagination would have to wait 30 years before cinematographer Morton Heilig created the first VR system. In the 1960s, Heilig built the Sensorama, “a telescopic television apparatus for individual use," in which “the spectator is given a complete sensation of reality, i.e., moving three-dimensional images which may be in color, with 100% peripheral vision, binaural sound, scents and air breezes.” While his invention did not enjoy any commercial success, it paved the way for modern VR systems.
Over the decades, VR continued to evolve, viewed mainly as an emergent technology, focused heavily on gaming systems, military applications and niche educational or employer training systems.
All of this changed recently as widespread consumer demand and an increase in enterprise adoption have moved science fiction into reality.
Studies performed by eMarketer indicate that almost 59 million people in the US (or 17.7% of the US population) will use VR at least once a month. Coupled with the explosive surge in consumer demand, PWC’s Global Entertainment & Media practice predicts VR as the fastest-growing content segment from 2020 to 2025, with revenues rising by 30%.
This growth extends well beyond the consumer market. VR is expected to transform significant aspects of enterprise markets as well, as 77% of companies believe that they will increase their spending in VR over the next five years, with an elevated focus on transforming workforce training and improving efficiencies in areas such as engineering and the supply chain.
VR provides organizations with the ability to provide rich, immersive, life-like interactions and experiences, enabling users to create entirely new approaches to interaction and human connection.
As we begin to actualize this new age of unprecedented disruption, VR brings forth possibilities that were never previously imagined. Through creativity and imagination, cybersecurity organizations can benefit from this transformation.
Leveraging VR to Transform the Cybersecurity Capability
The ecosystems in which VR systems operate are commonly referred to as a Metaverse. At its core, these environments are interconnected, hyper-instrumented worlds infused with artificially intelligent thinking systems that cross the digital, biological and physical worlds. This intersection and the accompanying speed and technological development are exerting profound changes for which cybersecurity and GRC workforces are ill-prepared.
ISACA’s State of Cybersecurity 2021 study illustrates this best: “Roughly 61% of all respondents report understaffed organizations. Filling technical individual contributor positions is difficult as only 50% of applicants are well qualified for the positions. With 4 million cybersecurity jobs open globally, it’s critical that we completely transform how we train and upskill our workforce with a special focus on our human skills and mastery of security controls.”
VR offers a real opportunity for us to take a step back and redesign a cybersecurity and GRC user experience. Like all skills, cybersecurity protection and defense capabilities are predicated on a few essential requirements.
Skill = Speed, Adaptability, Accuracy and Form
With the very real adoption of metaverses, cybersecurity skills must now cross into virtual worlds. While the industry is starting discussions around how we define cybersecurity roles and frameworks – the reality is that VR offers real opportunities in the way we design, the way we train and the way we operate.
"With the very real adoption of metaverses, cybersecurity skills must now cross into virtual worlds"
Skilling and Learning: Where we Learn speed, Adaptability, Accuracy and Form
Creators of learning experiences in immersive environments have an almost unlimited ability to design and present interactive content that allows cybersecurity students to digest and apply knowledge quickly. Enterprise metaverse platforms such as EngageVR provide cybersecurity and GRC trainers with a highly configurable virtual environment to teach science and technology, human communication, teamwork and collaboration training, making learning more immersive and experiential and significantly reducing training times.
3D modeling and mind-mapping applications such as Gravity Sketch and Noda give learning designers an immersive, experiential and even tactile platform for communicating complex 2D ideas into 3D. Activities such as threat modeling, application risk assessments and process modeling can be visualized by cybersecurity and GRC workers (and learners), allowing the user to learn and experiment in a safe environment.
Security Operations Centers
Building security operations centers (SOCs) are expensive and require hardware and physical infrastructure investments. Since many cybersecurity roles are remote, hybrid or partially outsourced, replicating the SOC experience at home does not easily scale. While we are a distance away from the holographic interfaces we see on Iron Man, using current virtual environments gives creators the ability to offer an intermediary step in the creation of an “infinite office” or workspace that allows users to straddle between the virtual and physical world.
Platforms such as vSpacial provide insights into how users can operate with multiple levels of various sized screens with the user sitting in the center of a 360-degree desktop.
Risks and Considerations for Cybersecurity & GRC Workforce Transformation Efforts
One cannot understate the early-stage of enterprise VR applications, which means that the security of the entire ecosystem is not always fully designed. Security and GRC organizations need to do proper due diligence when selecting providers and make decisions on the level of access to sensitive information or environments.
A few things to keep in mind:
- Third-party supplier security: Few VR providers have undergone cybersecurity frameworks such as ISO 27001 or SOC2. VR platform providers are increasingly integrating with popular third-party productivity platforms such as Microsoft 365, Google, Slack, Zoom or Dropbox. Care must be taken given the type of IP and confidential information present in these systems, starting with a proper third-party supplier risk assessment. Such requests will also help encourage VR providers to invest in cybersecurity programs and capabilities.
- Identity and access management: IAM is fragmented across metaverse systems, role-based access control is limited and typing in VR is cumbersome, making long, complex passwords painful. For the time being, the authentication experience is not the most user-friendly, and we look toward more investment from enterprise identity management providers.
- Workforce privacy: Metaverse environments can access enormous amounts of PII, which is getting trickier given the patchwork of global privacy regulations. Make sure you analyze how the VR environment records information within metaverse environments. Validate that it complies with your regulatory requirements.
Amy Webb, the CEO of the Future Today Institute, discusses our entrance into the Synthetic decade.
She describes, “A deep push to develop synthetic versions of life is already underway. Synthetic media, such as AI-generated characters, have storylines. Humanlike virtual assistants will make our appointments and screen our calls. AI-powered digital assistants control homes and cars and next-gen network infrastructure speed adoption. Everyone alive today is being scored – we're shedding data just by virtue of being alive. From the food we eat to the feelings we experience, everything over the next decade will be synthesized… blurring the line between what we consider real or virtual.
The cybersecurity and GRC community is at a crossroads. The accelerated pace of technological disruption is pushing organizations to redefine how we approach protection and defense. Designing cybersecurity of the future requires a willingness to explore how technology trends manifest in this future world and define the iterative steps necessary to protect and defend in a world composed of intelligent ecosystems.
Attackers are better than us at adapting to, leveraging and exploiting disruption. We operate in a world bound by rules. Their limits are their own creativity.
It will take our own creativity and imagination to mold and shape our world of tomorrow.