Cybersecurity Maturity – moving beyond ABC
Vishal Salvi, SVP & CISO at Infosys, explains the need for organizations to adopt a more sophisticated approach to cybersecurity, moving beyond the basics. In a second interview with Bill Mew, Digital Ethics Campaigner and CEO of CrisisTeam.co.uk, he highlights how collaboration, democratization and embedded security are becoming essential.
Building on the themes in the last article Countering the Ransomware Menace: busting 5 big cyber myths, Salvi goes on to suggest that organizations need to take a more collaborative approach to cybersecurity as they recover from the shock of the pandemic.
The pandemic has not only been a massive challenge for CIOs and CISOs, but also a great distraction. Much of their time and energy was initially focused on a scramble to enable staff to work from home and has subsequently concentrated on supporting their organizations as they have reverted to more hybrid or flexible working arrangements.
Cybersecurity requires a meticulous, methodical, and purposeful approach, but for many organizations the pandemic response required shortcuts to be taken and the normal level of rigor to be suspended.
At the same time, cyber attackers, always opportunists, have sought to exploit the confusion and resulting vulnerabilities with waves of phishing, ransomware and DDoS attacks.
Complexity is, and always has been, the real enemy
As the dust settles on the chaos caused by the pandemic, lockdowns, and restrictions, and we start to acclimatize to the ‘new normal’, CIOs and CISOs need to focus on regaining the initiative in an ongoing war that many believe we are currently losing.
One of the greatest inhibitors will be complexity. Smaller organizations may well have less complex infrastructure challenges, but they also typically lack the security skills needed to apply much more than the basics in terms of cybersecurity. They will need to rely on Managed Security Service Providers (MSSPs) to help them ‘up their game’.
For larger organizations, complexity is a very real challenge on almost all fronts. Hybrid and multi-cloud environments with a wide array of everything from SaaS to legacy applications make things not only hard to manage, but even harder to optimize and secure.
The cybersecurity industry is part of the problem here. In a fragmented market, the proliferation of point solutions with overlapping functionality and limited interoperability means that CISOs are spending more time and effort managing and integrating their security systems than they are actually addressing the threats themselves. Research has found that they are often dealing with anywhere between seven and 100 different point solutions. Such fragmentation is often impossible to manage and has led to a ‘band-aid’ approach in which quick fix upon quick fix has created an integration mess that accentuates the complexity.
While some of the larger cybersecurity vendors are acquiring and integrating smaller players, this consolidation is not keeping pace with the constant cycle of innovation and emergence of yet more start-ups with further point solutions to address new issues and vulnerabilities. It may be some time before the sector matures enough to see any real consolidation or interoperability.
Moving beyond ABC – to CDE maybe?
If we are to overcome these challenges, then a greater level of sophistication is required. Salvi advocates the following:
C – Collaboration: it is currently almost impossible to have a single pane of glass from which to manage end-to-end security. Almost every vendor has its own console, with numerous closed ecosystems and frequent functional duplication. Standards and greater use of APIs will allow clients to choose the security management consoles that best meet their needs. Currently there is limited availability of APIs, and many of those that exist are slow, unreliable and don’t scale well.
And APIs are just the first step. Over time more sophisticated security engineering will mean that ‘zero trust’ will evolve into ‘zero touch’ with AI-based automation and control. There also needs to be a realization that legacy and on-prem systems will become increasingly risky over time, as almost all security innovation occurs in the cloud.
D – Democratization: cybersecurity is not something that can be delegated to a CISO with limited budget and authority and then forgotten about – unless you like living dangerously. It needs to be a responsibility shared by everyone and led by a CISO who has the backing of the board.
Skills remain a challenge. In time automation will help solve this, but in the interim MSSPs will play a critical role. In addition to such specialist skills, we also need basic security skills to be pervasive, with everyone in an organization from reception to the boardroom being trained to use multifactor authentication, to spot phishing attacks, and to be alert and able to raise the alarm when needed.
E – Embedded security: increasingly we are seeing security as something that is built into all products, services, and procedures. The main vendors of cloud and SaaS services as well as software solutions are already making great progress here. Vendors of IoT devices have some catching up to do. Organizations also need to make sure that security is embedded in every process. For example, a procurement manager mandated to buy on price might favor a cheap, insecure memory stick, while one empowered to prioritize security would pay a small additional margin for one that came with encryption.
A more holistic approach, with greater collaboration and democratization of security and with security embedded into everything we do, will pay dividends. It will enable us to end the downward spiral of complexity and focus instead on use cases, business needs and value orientation. This is essential if CISOs want to be taken seriously at board level – to be able to justify budgets, demonstrate business cases and prove compliance.
And what of ‘F’ – the future? Well, if we can get C, D and E right, then the future looks bright.