On this information, 5 CTOs present their view on the main challenges dealing with the cyber security business, with insights on how you can overcome them
‘Educating the board and ensuring they perceive the significance of cyber security must be on the prime of the agenda, like another mission-critical functionality’
As half of Info Age’s Cyber Security Month, we’re offering three CTO guides over the approaching weeks on cyber security: the challenges, the know-how and one of the best practices. This one will give attention to cyber security challenges, with some insights on how CTOs, or CISOs or these in cost of security, can overcome them.
Technological and human
Avishai Wool, CTO of Algosec, sees two classes of challenges.
Technological. “Technology is changing, and the adversaries are always finding new and interesting ways to use new technologies against us. Since technologies are being developed rapidly, and there are financial and other incentives on the side of the bad guys, we can see that we will be challenged for some time to come.”
>Learn extra on Algosec CTO trying to the longer term amid extra complicated buyer wants
Human. “Organisations need to realise that the weakest link is the human. The weakest link of an organisation under a cyber attack is the staff. The mistakes that they make allow the attacks to succeed. In the vast majority of cases, human error is the culprit.”
“The security industry needs to find ways to either empower the users to defeat cyber threats, to automate around human inabilities, or to eliminate the human from the equation.”
‘Big data stores create new security challenges’
Scott Gnau, CTO of Hortonworks, believes that the centralised nature of massive knowledge shops creates new security challenges.
“In every industry, organisations wonder whether they are getting full value from the massive amounts of information they already have. As data volumes continue to expand, they also take in an ever-wider range of sources.”
>Learn extra on Cyber security coaching
“Organisations want to extract value from that data, but the centralised nature of big data stores creates new security challenges; the data that was previously siloed and not delivering intelligence becomes a data compliance challenge and elevated security risk when correlated with personally identifiable data.”
“Traditional tools alone are not up to the task of processing the information the data contains, let alone ensuring it’s secure in the process. While controls need to be placed around the data itself, controls should also be placed around the applications and systems that store data.”
Maintaining with altering applied sciences
Sridhar Muppidi, CTO of IBM Security, identifies the fast-pace change of applied sciences – and the talents required – as one problem of succeeding in cyber security.
“I have the luxury of speaking and talking to large numbers of customers. Surprisingly, a lot of customers are struggling with skills.”
“They are struggling with skills – not just regarding hiring the right kinds of people – but in keeping up with the changing technologies. How do you keep up with the best practices? You could be the smartest person today, but if you don’t keep up with the technology, it’s a problem.”
>Learn extra on Sridhar Muppidi, CTO of IBM Security, on the altering form of innovation
“The second challenge is around context or understanding. No matter how many skills, if you don’t have the right level of information to make a decision, it’s no good. How do we understand the broader context, not just the market and the technology, but also in the information coming from multiple products that ‘I’ have within my organisation?”
“The third issue is speed. Many customers have about 80 different tools from about 40 different vendors. That’s a vast amount of data to harness. If I spot an anomaly, I need to go and research it before I can decide if it’s good or bad. Of course, I also need to do this in a concise period of time. The threat landscape is moving very fast and attackers are smart.”
The ‘growing cyber skills gap’
Jason Hart, CTO at Gemalto, additionally says that the largest problem dealing with the cyber security business is the rising cyber expertise hole.
“There’s no shortage of young people capable of pursuing a career in cyber security. But, the trick is to ensure we nurture their skills and guide them towards using their talents for good, rather than acting as black hat hackers. Thanks to institutions such as GCHQ, initiatives are now being run around the UK that are aimed at producing the next generation of cyber security experts.”
>Learn extra on Gemalto CTO: Beating ‘cybercriminals at their own game’
“As demand for these roles continues to increase in a post-GDPR world, governments, businesses and educators need to invest in these young people. Of course, they also need to train existing staff, use relevant solutions and be situationally aware, to remain secure and continue to comply with regulations now.”
Security wants a ‘multi-pronged’ strategy
Uri Sarid, CTO of MuleSoft, believes that companies should deal with cyber security as a multi-layered set of initiatives.
“It can’t be a separate initiative from other things in the business. It starts from security by design, which means that at the design of every system, there are security concerns being built in. You have to teach people who create anything, whether it’s new software, or whether it’s integrations, or whether it’s new APIs, the basic principles of security by design.”
>Learn extra on The current and future being equally necessary, in line with MuleSoft CTO
“You also have to build things in a modular way, because the only way to achieve security in a distributed world is to have modules with well-defined intent. They tell you what it is that they’re doing, they tell you what kind of information they’re exposing, what kind of capabilities they enable. And then in the wiring, you can put in security best practices. It’s much easier to do it that way than to go back and retrofit a whole bunch of systems later.”
“You have to take this multi-pronged approach. It’s an educational approach, it’s an API-led approach, it’s a very intentional approach and it’s the best way to overlay more and more layers of security in the future.”
Work on a foundation of ‘assumed compromise’
Michael Wignall, CTO at Microsoft UK, believes that organisations ought to work on the understanding that, sooner or later, they are going to be breached.
“In the cyberspace, the first thing to recognise is it’s asymmetric. Trying to protect our own estate, you need to protect it everywhere, whereas an attacker only needs to find one vulnerability and get in in one place. So, one of the core challenges is that you’re fighting an arms race where you in an asymmetric battle with the attackers.”
“Organisations need to understand and have a pragmatic view that if a hacker really wants to get into your network, they probably will. You have to work on a basis of assumed compromise, that you’re going to get breached at some point. So, you have to have a model to make it difficult for the hacker. A model that makes the costs of carrying out an attack more difficult harder.”
“You need to have a security lifecycle where you’re not just protecting your data, but you’re protecting when there’s a breach and then you’re responding quickly. Focusing on that full lifecycle of protect, protect and then respond has become more important, whereas historically, we’ve just focused on protection.”
>Learn extra on Microsoft UK CTO on having each ‘technical and business outcome skills’
“The second challenge is the attacks are getting more sophisticated. The threat landscape is changing, and you can just read the press to see that it’s moved from the geeky hacker in the bedroom through to hacktivists, to organised criminals and nation states. The sophistication of the attackers has increased and that’s a core challenge for end users.”
“There are also some technological changes with artificial intelligence and machine learning, where a lot more of these attacks are just automated. And you can spin them up and target a set of IP addresses or domains, and it will go away and automatically try a set of vulnerabilities or automatically try to breach it. To face that threat, you need to almost use the same technology – like machine learning – to protect your estate.”
“The final point is that it’s got to be a board level issue. With compliance changes like GDPR coming into force, and the regulatory impact of a data breach, the issue of cyber security has become much more serious.”
“Educating the board and making sure they understand the importance of cyber security needs to be at the top of the agenda, like any other mission-critical capability. And that is another big challenge.”