One of the undeniable truths about cybersecurity is that it is a business issue, not a technical one. But that doesn’t tell the entire story.
Of course, cybersecurity must be addressed strategically and in a business context by executives and board members, in close concert with their CISO, CIO, and security operations (SecOps) teams. But when it comes to cybersecurity, technology does matter—a lot.
The right cybersecurity technology can prevent a vast majority of attacks, detect vulnerabilities quickly, mitigate cybersecurity risks, and enable the security of strategic business initiatives like digital transformation. If done right, these business outcomes can be achieved without impeding the speed of delivery. But security threats are dynamic and fast moving, and can be too unpredictable for legacy and manual approaches to keep up with. With an increasingly machine-based adversary, cybersecurity approaches that are manual, highly fragmented, and point-product-based are doomed to fail.
Instead, we need to take a different approach—one that embraces a comprehensive view of security architecture with new technology assumptions to make our organizations more secure, even as we use technology to surface new business opportunities.
In the digital world, success requires organizational speed and agility—more than ever before, in fact. Every organization wants, and needs, to move faster and become nimbler in spotting and taking advantage of new business opportunities. Technology plays a key role in making that goal attainable, as many of us learned over the past few decades.
But for a long time, technology needed a large footprint in order to deliver business benefit. Big iron. Big applications. Big data centers. Big staff to monitor and manage networks. These big Capital Expenditure (Capex) investments and large IT/security workforces were often considered competitive differentiators for companies. Unfortunately, this legacy of “big technology and large workforce” has become a boat anchor, weighing down our organizations and restricting our ability to achieve speed and agility.
Fortunately, new solutions such as cloud computing, Software as a Service, and anywhere/anytime connectivity are changing the technology paradigm, delivering breakthrough capabilities faster, less expensively, and with a smaller technology footprint. Additionally, software-based automation has laid waste to the traditional approaches to problem solving, and is significantly reducing the need for massive security operations centers (SOCs).
But with the adoption of any new technology comes risk—specifically, cybersecurity risk. Ascendant technologies such as public cloud, SaaS, big data, machine learning, and increasingly connected Internet of Things devices are today’s double-edged sword: big benefits with big risks. This, in turn, has put great pressure on IT and security professionals to move quickly and embrace agility, while at the same time providing the critical security safeguards.
It’s not easy. But it can be done.
One of the big challenges in addressing these technologies is how quickly they are being implemented and how fast they are growing. Keeping up with the pace of innovation is becoming nearly impossible. Some security and IT professionals suffer from what I call the “shiny tool syndrome,” while having a fear of missing out (FOMO) on all the new tools/features being developed. Unfortunately, the dirty little secret is that major cyberattacks happen due to poor cyber hygiene. Having legacy security architecture that is good on paper but doesn’t prevent attacks, porous access control, and poor implementation of security controls will result in a broad attack surface that no new shiny tool will solve. Focusing first on the basic blocking and tackling like patch management, access control, service account rotation, certificate management, network segmentation, and others—while “uncool”—is a must.
Taking an automated, software-based approach to security is in keeping with one of the important trends rippling across the technology spectrum today, which is the shift to “software-defined” models. Software-defined is typically embodied as an algorithm or application programming interface. What we now call the “software economy,” as well as traditional industries, is being disrupted by software-based approaches.
Today’s cybersecurity solutions are fast joining the software-defined game, as well. Thanks to the development of powerful and adaptable machine learning tools based on the enormous amounts of data being collected, cybersecurity defenses are increasingly shaped by software around the concepts of automation, integration, and cloud optimization. Software-defined security is designed and implemented with the understanding that automated, scalable, cloud-delivered security software now allows issues to be discovered and remediated in near real time. And as the incidence of zero-day attacks continues to increase, “real time” carries a whole new meaning and business impact. In addition, machine-learning-based solutions are complementing rule-based software to further shorten the detection lifecycle of zero-day attacks and prevent them from causing havoc to our critical infrastructure. The futuristic vision of machines fighting machines may be a few years away, but it is increasingly advisable to choose a purely software-defined approach to security.
Software-defined security enables embedding security in the software lifecycle through automated security tests, so development lifecycles can be iterative and fast. Additionally, software-defined security empowers our employees to take more proactive roles in rooting out vulnerabilities and reducing risk. Our security-operations-center (SOC) team can do penetration testing to hunt for issues before they become problems and set up “honeypots” to attract threats and nip them in the bud. This is an entirely new model for cybersecurity—proactive, automated, and predictive, instead of reactive, manual, and based on “best estimates.”
By using software-defined security platform principles—which are going to be implemented in an agile, enterprise-wide platform, rather than a variety of point solutions for individual threats—organizations can scale security defenses in lockstep with the development of new environments for things like testing new business services or modeling assumptions on customer behavior or supply chain interruptions.
Business leaders’ conversations with CISOs should focus on issues like technical risk and technology process, rather than on trying to learn the language of bits, bytes, and bots.
For instance, business executives and board members should ask questions like:
- Do you believe you have the right security architecture in place for threats that have not yet impacted our business?
- Are your security teams embedded into the business and technology units, or are they sitting in ivory towers monitoring event logs?
- How are you quantifying risk, in terms of our core business assets? What is the financial impact of an hour of downtime after a hack?
- How are you minimizing the attack surfaces and points of compromise?
- What business service or product of ours are you most concerned about from a cybersecurity perspective (our crown jewels), and what are you doing about it?
- When we expand our corporate footprint through acquisition or market expansion, can we scale our existing security infrastructure without having to make huge new investments in Capex and staff?
- What is our optimal approach to adopting a new set of cybersecurity technologies—crawl, walk, or run? What are the tradeoffs of each?
- Does our current security technology adequately protect us against potential problems with our cloud service providers or other third parties we connect with?
Organizations can move quicker and more securely than ever by re-imagining cybersecurity around software-based platforms that are easily deployed, cloud-powered for easy scalability and simple maintenance, and well-integrated into the core business processes.
And when they get to that state, they may even have gotten over the shiny object syndrome.
Naveen Zutshi is Senior Vice President and Chief Information Officer at Palo Alto Networks. This article was adapted from Navigating the Digital Age, Second Edition.