By Guy Matthews
Editor, NetReporter
The world of cybersecurity is akin to a giant iceberg – vast, complex, ever-changing, multi-faceted. Of its various facets, one in particular has the power to keep enterprise security professionals awake at night: the critical intersection where the networking world and the cybersecurity world meet.
This nexus is not only a major pressure point for the hard-pressed CISO, it is the object of much effort and investment in the security vendor community. It has also been the subject of much scrutiny on the part of Mauricio Sanchez, Research Director, Network Security & SASE/SDWAN with independent research firm Dell’Oro Group.
He visualises the market for network security as divided between product types that have been around for a while and newer technologies designed to address more contemporary challenges: “In the former category we have things like firewalls, email security and secure web gateways,” he says. “Some of these are now delivered as platforms in the cloud. And on the application delivery and security side, closer to the data center, are things like web application firewalls and application delivery controllers. Then bringing together enterprise networking and security we have SD-WAN and what I call the great convergence of SASE.”
Sanchez sees a number of market forces and trends influencing developments in these areas, perhaps the most glaring being the pandemic: “We’ve seen a huge increase in incidents, whether that be ransomware or denial of service attacks,” he notes. “It seems that the hacker community is taking advantage of the current situation. I think hybrid work is a second market force that has resulted in an upheaval of enterprise IT and the rise of the remote workforce. Then there’s the shift to everything being online. The need to reach out to your customer with a digital experience has really motivated enterprises to up their game and invest, but in doing so they also open themselves up to a new set of security implications.”
The cybersecurity landscape of the last 20 years has, argues Sanchez, been a story of fragmentation. Now he sees evidence of some consolidation, with large vendors getting larger and looking to capture the entire CISO cybersecurity spend.
“Another phenomenon we have noted is a shift from hardware to cloud-delivered network security,” he says. “Moving on from an age of hub and spoke and hardware deployed at each physical point, we now have a new breed of security vendors delivering their value exclusively through the cloud. There is no hardware to buy, just a contract to sign and you’re off to the races.”
CR Srinivasan is Executive Vice President, Cloud & Security Business with global carrier brand Tata Communications, and has additional responsibility as the company’s Chief Information Security Officer and Chief Information Officer. He has noted a number of large trends that are influencing the shape of the cybersecurity market: “There’s remote work, and virtual ‘work from anywhere’,” he notes. “A distributed workforce is now the norm. We’ve also seen many enterprises pushing for their processes to become digital, a trend that accelerated during the pandemic. There was demand to increase the number of processes that were part of the digital transformation drive. Then of course there’s the move to cloud, which has also been accelerated with more and more workloads moving in that direction. All of this is putting pressure on network security.”
He additionally sees enterprises being challenged more and more by their customers: “Those customers are looking for new capabilities, and at a faster pace than before. Businesses must keep up with market expectations, and compete effectively. This means becoming a lot more dynamic and composable, more flexible in what they do. And along with all of this, digital trust is becoming more important.”
Dr Ronald Layton, Vice President, Converged Security Operations with Sallie Mae Bank, knows a thing or two about digital trust. Prior to Sallie Mae, he was acting assistant director in the United States Secret Service with a variety of responsibilities, including an assignment to President Obama which saw him put in charge of the day-to-day operations and long-term strategy of presidential information systems. He’s also a former Deputy Director of the National Cybersecurity Division, and Program Director of the Electronic Crimes Task Force. He describes himself as ‘the guy with a geek hat and a pistol’.
“As cyber risk professionals, we continue to embrace human behavior and try to wrap security blankets around it,” he says. “I see security as being about three Cs. Human beings are curious, we want convenience and we want to be comfortable, and so all of these things provide challenges in the security environment. As risk professionals, we have to continue to evolve and respond to these things.”
Given the current climate of raised risk, what should a CISO or a risk executive be doing? Dr Layton’s advice is, first and foremost, to push towards a SASE environment and towards the notion of Zero Trust: “It’s about how do we, as risk professionals, adjust to these human behaviors, to make sure that we’re still operating in a secure environment,” he concludes.
So just what is the nature of all this risk? Ryan Hammer, Chief Information Security Officer with vendor Ciena, is responsible for the overall strategy and execution of the company’s enterprise and product security functions. He points to statistics that indicate that an unpatched machine with Internet connectivity can now measure its survival in minutes, perhaps hours, but certainly not weeks or months.
“With some of the kinetic warfare activity that’s occurring, we’ve seen governance loosened,” he believes. “The Internet is starting to feel more like a free-fire war zone than just a rough neighborhood. Certain sectors are being hit much harder than others. But with a pervasive and porous perimeter, with machines and people all over the world working at various different hours connecting to a wide range of infrastructure, that makes it much more difficult for us to manage without some of these additional technologies. It’s a very rapidly changing landscape for sure, and the deck is often stacked against us as CISOs. It’s the old adage that the threat actor only has to be successful once and we have to be successful every time.”
With Zero Trust among the most widely advocated answers to all this increased risk, it’s useful to hear from John Kindervag, SVP, Cybersecurity Strategy with managed security services player ON2IT. He formerly spent eight years at analyst firm Forrester, where he originated the concept of Zero Trust.
He pinpoints the ransomware trend as one of the great modern cybersecurity evils: “When people started to insure for ransomware, that ended up increasing the number of ransomware attacks,” he says. “It’s just like when life insurance was invented, there was a rash of murders. The invention of cyber insurance has created a surge of attacks which at the end of the day means that when CISOs want to innovate, they need to think what that really means.”
Given current conditions, Ben de Bont, Chief Information Security Officer, ServiceNow, sees his role as a threefold one: “It’s about protecting our company and our customers on the one hand, second it is to provide trust, transparency and assurance to our customers, many of whom represent the most regulated or critical infrastructure globally. The third part is using our own security products, testing them out, providing feedback to our product division.”
So with the cyber climate as it is, what are vendors of security solutions doing to help? How can they better come to the aid of the CISO?
“If you look at the vendor landscape there are probably 50 to 100 vendors who are all doing different things,” believes Srinivasan of Tata Communications. “Some of them are specializing in a very small area, and some claim to do many things under a framework but may not have equal capability or equal depth in each one of those areas. I think there’s a lot of help that’s needed in the areas we’ve discussed.”
Hammer of Ciena is in agreement: “I’ll add that there’s lots of acronyms in security, but to me that’s just a reminder that it’s important to have a focus on the basics,” he observes. “It’s one thing to be focussing on your AI DevSecOps strategy, but really we need to focus on the fundamentals and make sure that those are rock solid.”
Kindervag of ON2IT steps in to remind those who are suffering from terminology confusion and tech overload that Zero Trust should be regarded as a strategy and not a technology: “When you take a strategic approach, you can change the whole game,” he notes. “When I joined Forrester in 2008, I wanted to bring strategy to cybersecurity because most people get confused between strategy and tactics. They say they’re being strategic, but they’re actually being tactical. Zero Trust is about protecting things, and if we don’t understand what we’re protecting then we’re going to be completely unsuccessful.”
“A rule of thumb that I use is to tell security vendors what our requirements are for driving down risk, and not have them tell us what solutions they say we should be using,” interjects de Bont of ServiceNow. “We like to take a risk-based approach and look at what we actually want to achieve. And then we’ll consider some products, rather than the other way around. It’s a little surprising to me how many times it happens in reverse.”
When talking to the vendor community, CISOs might wonder exactly what gaps they need to address and where priorities truly lie.
Rarely is anything straightforward in the information security world, and seldom do easy answers present themselves, reminds Hammer of Ciena: “It all moves so fast and changes so continually,” he comments. “We’re constantly planning and checking to make sure that everything is in place. One important thing is being able to demonstrate that you have a commercially reasonable security program in place. It is also important that we remember that we are stewards of the security program for our company, and we’re responsible for making sure that all the pieces are in place, and that we can comfortably demonstrate traceability between the things that we should be doing and the things that we are doing. Sometimes it’s about protecting the business, other times about protecting customer data, or access our partners, or intellectual property and securing our products.”
In a complex landscape, Srinivasan of Tata Communications advocates a practical and pragmatic approach: “Look for a commercially viable security program and not something that you would ideally like to have,” he suggests. “Because there’s always a trade-off between what risk you’re trying to protect against, and cost.” Dr Layton of Sallie Mae Bank, the geek with the gun, concludes by advising the CISO to do what they can to take the element of human error out of risk: “Just make it hard for humans to do something that is just screwy. As a risk executive, what you’re really trying to do is eliminate surprise, and to control your environment. You should never be ambushed by some exogenous factor that you did not account for. It’s about putting in all these trip wires so at least you have a better idea of what’s coming.”