The nature of cyber security is undergoing rapid evolution. Cyber-attacks are becoming more frequent, violent, and sophisticated. The threats continue to come in fast and furious.
We’ve seen severe business outages in every sector. Whether you’re in finance, infrastructure, or healthcare does not matter. If you’re making money, you can expect an attack. Cyber security teams continue scrambling to respond to these attacks as cybercriminals continually evolve their tools and techniques.
The massive growth in technology adoption, with many businesses embracing digital transformation, has necessitated a vastly different approach to cybersecurity. The need to be more innovative in cybersecurity is becoming increasingly necessary.
With this context in mind, an illustrious group of industry leaders gathered to dialogue and share perspectives about cybersecurity. They respectively shared how they have been looking at the future of security.
We highlight some of these perspectives:
On the shifting landscape of cybersecurity:
Threats continue to evolve. As businesses continue to adopt and move toward digital transformation, it requires a commensurate investment in cybersecurity. Cybercriminals continue to evolve their tools, leveraging new technologies faster than traditional businesses that need to justify their investment and spending.
For example, attackers are using AI to create “deep fake” videos of company leaders sharing a story and sending it to businesses to trick employees into clicking on a malicious link.
The channels of security threats also continue to evolve. Previously, threats were easier to manage, as they came through email and on a PC or laptop. With the introduction of mobile technologies, remote working, and different communication and social platforms, such as WhatsApp, Slack, and Discord, adopted for work, particularly by the younger generation, it is becoming increasingly difficult to manage and manage and protect these channels. Hackers can now use emojis to deliver and exploit people.
Given the shifting nature of security, it is increasingly important to create a culture of risk and security and utilise new technologies to augment security capabilities.
On Cybersecurity skills
Skills remain a massive challenge, particularly good cybersecurity skills are difficult to come by. Diversity, including gender diversity in cybersecurity, also remains a challenge.
Companies are struggling to hire these skills and capabilities. Hiring practices are not adaptable enough. Businesses have stringent policies requiring X years of experience with Masters degrees and information security certifications. Without these, one is not even invited to the interview. Yet, Uber was recently hacked, and the attacker was a 17/18-year-old affiliated with a hacking group called Lapsus$, whose members are mostly teenagers and which has recently targeted several technology companies.
Another challenge is that Red team hackers often play in the “grey zone”. Red teams are simulated adversaries, attempting to identify and exploit potential weaknesses within the organisation’s cyber defences and identifying the attack path that breaches the organisation’s security defence through real-world attack techniques. For these attacks to be simulated as close to the real world as possible, they have to use sophisticated tools that real attackers would ordinarily use. This means that these individuals, while not malicious by nature, may be flagged by organisations’ integrity checks and completely overlooked by the hiring organisation.
A rethink of how we hire, particularly in cybersecurity, will help improve innovation within the field. As an industry, we need to consider more innovative approaches to hiring. Adopting an approach of “Trespassers will be recruited”, may be a more effective way of hiring individuals to improve the overall security posture.
Localisation remains important. As South Africans, we must embrace our differences and not rely on purely international companies to develop solutions for us. We have different languages and cultures to which we must tailor our security efforts. Making content locally relevant will improve overall adoption.
This is also true of the rest of Africa. In these regions, digital and technology adoption is very different. There is a lower spend on security, the government more highly regulates cloud adoption, and regulation is not friendly towards technology. In these instances, we must constrain our thinking to innovate and effectively improve security in these environments.
On Third-Party Risks:
Third parties are challenging to manage, and yet, to improve innovation, we have to rely on a broader eco-system strategy. Using Third parties is necessary; however, as a business, the ultimate accountability for any data breaches lies with the business as the custodian of the data. A breach brings disrepute to your company and not that of the 3rd party.
In some instances, third parties are not only technology third parties but general service providers, such as in the supply chain space. If third parties are not managed more effectively, it may be the weak link that breaks the chain.
Ideally, third parties should be treated like internal employees; however, taking responsibility for third-party security could mean increased licensing costs, cyber assessment costs, and training costs.
Moving away from an audit approach to a combined assurance approach has proved to be valuable where this has been successful.
Audit cannot be a tick-in-the-box function that uses its findings as a stick against security. There needs to be mutual respect with audit must be seen as a partner, helping achieve the same goals.
We must be careful that auditors do not set the security agenda. Money often chases the audit findings, yet auditors don’t take accountability when something goes wrong. It is crucial that we bring auditors along with us on the cyber journey and ensure that findings are relevant and add value.
On the changing role of the CISO:
The role of the CISO has fundamentally changed. A CISO of businesses today has to wear many hats. CISOs not only manage risk, protect data, and oversee the protection of critical infrastructure, but they need business and strategy skills to articulate the value and importance of information security. They need to lead large groups of very technical people, be people-oriented to create an inclusive culture of security, and be ethical beyond measure, as they hold the keys to the company data. They also need to be innovators, always looking for new ways to improve the security posture while balancing risk.
On enabling innovation in business:
Innovation and security are often seen as water and oil. They don’t mix well. Getting it right is a tricky balancing act. In one instance, the security team looked at the code for the winning innovation apps in a major bank. While these apps were innovative, they lacked the basic security measures that needed to be implemented, especially when dealing with sensitive information.
When innovating, it was suggested that this is the first date, and not a marriage. However, the challenge is that if a relationship is not built on solid foundations, the marriage may crumble. Finding the balance to bake in security from the onset is necessary to innovate and avoid any security technical debt.
Dev teams must embrace a security mindset and security must play a bigger role in ensuring security is baked into the solution as it scales.
There is no doubt that this is a tricky balancing act. Businesses must innovate to keep up to pace with disruptive entrants, and security cannot hold back this innovation. At the same time, we need to create a culture of DevSecOps, where security is considered early in the innovation process. This is especially difficult in businesses that have capacity and skill constraints.
Building solutions that have strong security can be a competitive advantage and is more likely to be adopted than those technologies that aren’t secure.
Capacitating your teams, embedding security in the business and changing the culture are all needed to improve overall innovation capabilities.
On “Attack surface reduction”:
An attack surface is essentially the entire external-facing area of the business. As we digitise, cloud-up and connect, our attack surface is broadening, and so are our attack vectors and vulnerabilities. As security professionals, we need to understand our network, reduce these attack surfaces, and strive for a smaller blast radius. We should leverage new technologies such as Machine Learning models and tools to help augment our security capabilities and improve our mean time to detect and respond so that the blast radius is minimised.
Cyber Security is complex. There are a lot of moving parts. Changing our mindsets is incredibly important. The quality of the answer is dependent on the quality of the question. We need to start asking different and better questions, which often lead to better answers and ultimately improve security and innovation.
To use the analogy of a car, the better the brakes, the faster we can drive, but let’s not make security the handbrake of innovation.
By Nilesh Makan
Nilesh Makan is a technologist with a keen passion for cybersecurity, strategy, innovation and business agility.