Is today’s cyber security meeting CISO demands?

The world of cybersecurity is akin to a giant iceberg – vast, complex, ever-changing, multi-faceted. Of its various facets, one in particular has the power to keep enterprise security professionals awake at night, and that’s the critical intersection that straddles the networking world and the cybersecurity world.

This nexus is not only a major pressure point for the hard-pressed CISO, it is the object of much effort and investment in the security vendor community. It has also been the subject of much scrutiny on the part of Mauricio Sanchez, Research Director, Network Security & SASE/SDWAN with independent research firm Dell’Oro Group.

He visualises the market for network security as divided between product types that have been around for a while, and newer technologies designed to address more contemporary challenges: “In the former category we have things like firewalls, email security and secure web gateways,” he says. “Some of these are now delivered as platforms in the cloud. And on the application and delivery and security side, closer to the data center, are things like web application firewalls and application delivery controllers. Then bringing together enterprise networking and security we have SD-WAN and what I call the great convergence of SASE.”

Figure 1: Network security trends

Sanchez sees a number of market forces and trends influencing developments in these areas, perhaps the most glaring being the pandemic: “We’ve seen a huge increase in incidents, whether that be ransomware or denial of service attacks,” he notes. “It seems that the hacker community is taking advantage of the current situation. I think hybrid work is a second market force that has resulted in an upheaval of enterprise IT and the rise of the remote workforce. Then there’s the shift to everything being online. The need to reach out to your customer with a digital experience has really motivated enterprises to up their game and invest, but in doing so they also open themselves up to a new set of security implications.”

The cybersecurity landscape of the last 20 years has, argues Sanchez, been a story of fragmentation. Now he sees evidence of some consolidation, with large vendors getting larger and looking to grab the entire CISO cybersecurity spend.

Figure 2: Cloud-delivered security

“Another phenomenon we have noted is a shift from hardware to cloud-delivered network security,” he says. “Moving on from an age of hub and spoke and hardware deployed at each physical point, we now have a new breed of security vendors delivering their value exclusively through the cloud. There is no hardware to buy, just a contract to sign and you’re off to the races.”

CR Srinivasan is Executive Vice President, Cloud & Security Business with global carrier brand Tata Communications, and has additional responsibility as the company’s Chief Information Security Officer and the Chief Information Officer. He has noted a number of large trends that are influencing the shape of the cybersecurity market: “There’s remote work, and virtual ‘work from anywhere’,” he notes. “A distributed workforce is now the norm. We’ve also seen many enterprises pushing for their processes to become digital, a trend that accelerated during the pandemic. There was demand to increase the number of processes that were part of the digital transformation drive. Then of course there’s the move to cloud, which has also been accelerated with more and more workloads moving in that direction. All of this is putting pressure on network security.”

He additionally sees enterprises being challenged more and more by their customers: “Those customers are looking for new capabilities, and at a faster pace than before. Businesses must keep up with market expectations, and compete effectively. This means becoming a lot more dynamic and composable, more flexible in what they do. And along with all of this, digital trust is becoming more important.”

Dr Ronald Layton, Vice President, Converged Security Operations with Sallie Mae Bank, knows a thing or two about digital trust. Prior to Sallie Mae, he was acting assistant director in the United States Secret Service with a variety of responsibilities, including an assignment to President Obama which saw him put in charge of the day-to-day operations and long-term strategy of presidential information systems. He’s also a former Deputy Director of the National Cybersecurity Division, and Program Director of the Electronic Crimes Task Force. He describes himself as ‘the guy with a geek hat and a pistol’.

“As cyber risk professionals, we continue to embrace human behavior and try to wrap security blankets around it,” he says. “I see security as being about three Cs. Human beings are curious, we want convenience and we want to be comfortable, and so all of these things provide challenges in the security environment. As risk professionals, we have to continue to evolve and respond to these things.”

Given the current climate of raised risk, what should a CISO or a risk executive be doing? Dr Layton’s advice is foremost to push towards a SASE environment, and towards the notion of Zero Trust: “It’s about how do we, as risk professionals, adjust to these human behaviors, to make sure that we’re still operating in a secure environment,” he concludes.

So just what is the nature of all this risk? Ryan Hammer, Chief Information Security Officer with vendor Ciena, is responsible for the overall strategy and execution of the company’s enterprise and product security functions. He points to statistics that indicate that an unpatched machine with Internet connectivity can now measure its survival in minutes, perhaps hours, but certainly not weeks or months.

“With some of the kinetic warfare activity that’s occurring, we’ve seen governance loosened,” he believes. “The Internet is starting to feel more like a free fire warzone than just a rough neighborhood. Certain sectors are being hit much harder than others. But with a pervasive and porous perimeter, with machines and people all over the world working at various different hours connecting to a wide range of infrastructure, that makes it much more difficult for us to manage without some of these additional technologies. It’s a very rapidly changing landscape for sure, and the deck is often stacked against us as CISOs. It’s the old adage that the threat actor only has to be successful once and we have to be successful every time.”

With Zero Trust one of the best answers to all this increased risk, it’s useful to hear from John Kindervag, SVP, Cybersecurity Strategy with managed security services player ON2IT. He formerly spent eight years at analyst firm Forrester where he invented the concept of Zero Trust.

He pinpoints the ransomware trend as one of the great modern cybersecurity evils: “When people started to insure for ransomware, that ended up increasing the number of ransomware attacks,” he says. “It’s just like when life insurance was invented, there was a rash of murders. The invention of cyber insurance has created a surge of attacks which at the end of the day means that when CISOs want to innovate, they need to think what that really means.”

Given current conditions, Ben de Bont, Chief Information Security Officer, ServiceNow, sees his role as a threefold one: “It’s about protecting our company and our customers on the one hand, second it is to provide trust, transparency and assurance to our customers, many of whom represent the most regulated or critical infrastructure globally. The third part is using our own security products, testing them out, providing feedback to our product division.” 

So with the cyber climate as it is, what are vendors of security solutions doing to help? How can they better come to the aid of the CISO?

“If you look at the vendor landscape there are probably 50 to 100 vendors who are all doing different things,” believes Srinivasan of Tata Communications. “Some of them are specializing in a very small area, and some claim to do many things under a framework but may not have equal capability or equal depth in each one of those areas. I think there’s a lot of help that’s needed in the areas we’ve discussed.”

Hammer of Ciena is in agreement: “I’ll add that there’s lots of acronyms in security, but to me that’s just a reminder that it’s important to have a focus on the basics,” he observes. “It’s one thing to be focussing on your AI DevSecOps strategy, but really we need to focus on the fundamentals and make sure that those are rock solid.”

Kindervag of ON2IT steps in to remind those who are suffering from terminology confusion and tech overload that Zero Trust should be regarded as a strategy and not a technology: “When you take a strategic approach, you can change the whole game,” he notes. “When I joined Forrester in 2008, I wanted to bring strategy to cybersecurity because most people get confused between strategy and tactics. They say they’re being strategic, but they’re actually being tactical. Zero Trust is about protecting things, and if we don’t understand what we’re protecting then we’re going to be completely unsuccessful.”

“A rule of thumb that I use is to tell security vendors what our requirements are for driving down risk, and not have them tell us what solutions they say we should be using,” interjects de Bont of ServiceNow. “We like to take a risk-based approach and look at what we actually want to achieve. And then we’ll consider some products, rather than the other way around. It’s a little surprising to me how many times it happens in reverse.”

When talking to the vendor community, CISOs might wonder exactly what gaps they need to address and where priorities truly lie.

Rarely is anything straightforward in the information security world, and seldom do easy answers present themselves, reminds Hammer of Ciena: “It all moves so fast and changes so continually,” he comments. “We’re constantly planning and checking to make sure that everything is in place. One important thing is being able to demonstrate that you have a commercially reasonable security program in place. It is also important that we remember that we are stewards of the security program for our company, and we’re responsible for making sure that all the pieces are in place, and that we can comfortably demonstrate traceability between the things that we should be doing and the things that we are doing. Sometimes it’s about protecting the business, other times about protecting customer data, or access our partners, or intellectual property and securing our products.”

In a complex landscape, Srinivasan of Tata advocates a practical and pragmatic approach: “Look for a commercially viable security program and not something that you would ideally like to have,” he suggests. “Because there’s always a trade-off between what risk you’re trying to protect against, and cost.”

Dr Layton of Sallie Mae Bank, the geek with the gun, concludes by advising the CISO to do what they can to take the element of human error out of risk: “Just make it hard for humans to do something that is just screwy. As a risk executive, what you’re really trying to do is eliminate surprise, and to control your environment. You should never be ambushed by some exogenous factor that you did not make an account for. It’s about putting in all these trip wires so at least you have a better idea of what’s coming.”

 

By Guy Matthews, Editor In Chief

https://www.businessinnovationleadersforum.org/public/events/cyber-security-meeting-ciso-demands/

 

Featured Speakers:

Analyst Chair: Mauricio Sanchez, Research Director, Network Security & SASE/SDWAN, Dell’Oro Group

www.delloro.com

 

Ryan Hammer, Chief Information Security Officer, Ciena

www.ciena.com

 

John Kindervag, SVP, Cybersecurity Strategy, ON2IT

https://on2it.net/en/

 

Dr. Ronald Layton, Vice President, Converged Security Operations, Sallie Mae Bank

www.salliemae.com/banking

 

Ben de Bont, Chief Information Security Officer, ServiceNow

www.servicenow.com

 

Srinivasan CR, Executive Vice President, Cloud & Security Business, Tata Communications

www.tatacommunications.com

