by Kevin Delaney
Security experts share their predictions, warnings, and best practices for the coming year.
2020 promises a wave of technology change that will further transform the enterprise — and our very lives — in profound ways.
But that inclusive, sustainable, and productive future demands a far-reaching commitment to cybersecurity.
In 2019, there was no shortage of damaging, heavily publicized security breaches. And given the ever-increasing sophistication of cybercriminals and the mounting complexity facing the defenders — the threat landscape in 2020 promises all-new challenges.
So how can tech and business leaders gain an advantage in the coming months? And fully reap the benefits of transformative technologies like 5G, AI, and the Internet of Things?
For insights, we turned to some top experts in the security field:
• Bret Hartman, VP and chief technology officer of Cisco’s Security Business Group
• Jane Frankland, CEO of Cyber Security Capital Limited
• Steve Durbin, managing director, Information Security Forum
Here are seven predictions, warnings, and best practices for 2020, compiled from their collective wisdom:
Balance humans and machines
With more than 22 billion IoT devices expected online in 2020, massive amounts of data spread across multiple clouds, and a merciless stream of attacks from shape-shifting malware, phishing schemes, and other threats, many aspects of security are beyond the capacity of human minds.
That’s why machine learning and AI are foundational to any security effort. Cisco Talos, for example, blocks 2.3 million malicious emails per second.
“Dealing with complexity is the bane of a CISO’s existence,” Hartman said. And new technologies can help.
But real success comes from the right balance of human and machine capabilities. As Jane Frankland stressed, technology alone is not a “silver bullet.”
“We need to let the technology do the heavy lifting for us,” she added. “So we need to be using people to do the thinking. To do the deep analysis that the technology solutions can’t do, and then to actually look at what we’re doing in a very open-minded manner and test our thinking.”
Cisco’s Bret Hartman believes that, at its core, the security arms race will always be centered on human inventiveness, for both hackers and defenders. And he warned that machine learning “isn’t just for the good guys.”
“In cybersecurity, innovation is very much driven by human innovation on the attack side,” Hartman said. “That’s very different than other areas of technology …. And then we have to respond on the defense side. Despite AI, cybersecurity is inherently a human-driven phenomena of people wanting to do harm, steal money, cause us damage, hurt businesses, or governments. And that human motivation is at the heart of what we have to deal with.”
Find talent in unexpected places
But where will that human creativity come from? In 2019, the global security workforce fell short by nearly 3 million skilled positions. And there’s fierce competition for the talented workers that are available.
Universities and companies like Cisco are helping to close the gap. Cisco’s training programs and certifications, for example, are an industry standard, and its own culture emphasizes continuous learning.
“A lot of focus for us,” said Hartman, “is how to cross train and help folks evolve in terms of their skill set. For example, maybe they’re engineers that come from the network operations side that are interested in expanding their role and some of those skills can naturally translate into cyber security.”
Enterprises will need to get even more creative in 2020 if they expect to source, grow, and keep security talent. That begins with a more inclusive outlook — by empowering teams with advanced collaboration tools and welcoming women, minorities, and candidates from far-off cities, countries or continents.
Security teams can also find talent in their own organizations, but hiding in unlikely places.
Durbin stresses that talent can be developed from the business side, from sales, comms, design, or even HR. Security, after all, isn’t just a technology problem.
“One of the challenges that security professionals have always had is, how do you communicate your message better?” Durbin explained. “Well, let’s engage some people, for instance, in marketing in helping us get some of that message across. And security professionals these days have to be sales people. Well, they’re not too good at that so why not engage some of the sales folks.”
A diverse team also helps to understand the users, the customers, and even the hackers.
“I do a lot of work on getting women into security and staying into it,” said Frankland, “simply because of the way that women see risk — and getting that diversity of thinking into our workplace is so important for innovation.”
Get the board up to speed
To fire on all security cylinders, even the most diverse organizations need top-down leadership. Without that air cover, security teams struggle to spread awareness across the company and maintain budget for critical investments.
So security awareness must extend to the board and CEO.
“The cybercriminals,’’ said Frankland, “have got the upper hand. They’re very business-like, very creative in their thinking, so we’ve really got to up our game. That means creating more awareness within the organizations and awareness right at the very top. So we do need to get the board up to speed.”
To do that, CIOs and CISOs need to speak the language of the business, and convey security concerns not in tech jargon, but in terms of outcomes for the organization.
“The good ones have learned that they’re really a business partner,” said Hartman. “It’s about saying, here’s how we can manage our risks appropriately, here’s how we need to invest to open up new business opportunities. Talented CISOs have a great ability to do that.”
Prepare for the inevitable (and then prepare some more)
For most companies, things will go wrong. But too many remain unprepared.
“It’s the sign of a good chief security officer who has put that disaster plan in place,” said Hartman. “They’ve thought about it in advance.”
But preparation, he’s quick to add, must transcend the technical.
“It’s not just about the IT side being able to detect and stop the damage,” Hartman stressed. “What if you have a ransomware attack? How do you recover your data, if, say, you’re a healthcare provider? How do you work with the right legal advice? What are the potential liability issues that might reflect back to the board? What does it mean from a public relations standpoint? What are the regulatory issues and so forth?”
Durbin, expects more planning and rehearsals in 2020 — on all fronts.
“I see an increase in response exercises to data breaches,” he said, “including playbooks that lay out the process and who needs to be able to talk to the press, what they should be saying. It inevitably starts at the highest of levels, but it’s about the role that everybody in the enterprise can play post breach, at that most dangerous time when everybody is looking for answers. That’s a time for very cool heads to revert to well-practiced responses.”
Know your network — but look beyond it
All too often, organizations don’t even know they’ve been breached until long after major damage occurs. Gaining sharp visibility into the network is critical. But that’s nearly impossible when rising complexity and pernicious threats meet outdated, legacy infrastructures. Automated, intent-based networks are essential to detecting potential — and very real — threats.
“The starting point of any good cybersecurity architecture rests on this foundation of visibility,” said Hartman. “If you can’t see what’s going on in your environment, how could you possibly tell if somebody is attacking you? And yet, there is still the case that many organizations have pretty poor visibility. So we focus a lot on visibility, across all the different parts of a typical enterprise environment.”
Of course, you’re only as strong as your weakest link. And for even the most security-savvy companies, weak links extend across their ecosystems, where partners and vendors may not be nearly as vigilant. Close attention to those third-party entities is essential, Durbin emphasizes.
“One thing I still see as being an issue in 2020,” Durbin said, “is the way in which organizations deal with third parties. The challenge of third-party assurance around security results in potential vulnerabilities, by simply not knowing the risk posture that a third party that you’re operating with has.”
Applications open up other vulnerabilities. Today, Hartman warns, they are often the result of a complex chain of components, programming, or multiple SaaS suppliers — and problems can arise anywhere along the way.
“The next big deal around cybersecurity is about security getting embedded right into the applications themselves,” Hartman predicted, “rather than having security enforced by the infrastructure — to protect applications that maybe have vulnerability [stemming from] mistakes people made when they wrote them. Now we have to build security right into the applications themselves.”
Consider compliance an advantage (not just a headache)
From GDPR in 2018 to California’s upcoming Consumer Privacy Act, compliance is a rising concern for many organizations. Some, like British Airways, have already been dealt stiff fines.
But compliance should be viewed as an opportunity —even a potential competitive advantage.
“In an ideal world, we would be doing this anyway,” said Jane Frankland. “We would be taking that care to protect information and data that we hold. It’s just that businesses cut corners. So yes, I do think that it is good. It can slow us down. It can make things more complicated, but it should make things better in the long run.”
That change in perspective goes a long way, Durbin stressed.
“Those companies that have been able to shift away from viewing it as a burden,” he said, “to being some form of advantage, where they can explain to their customers how the data is going to be used — we’re in the early days of that being a competitive advantage, but I do believe that it can be presented as such. Increasingly, consumers will say, this is the kind of company I want to do business with because it does take it seriously.”
Expand your perspective, and enable the future
It’s an exciting time, with tremendous technology change on the way. Enterprises stand to be more innovative, efficient, and responsive to customers than ever before. And if next-gen technologies are used right, we’ll lay the foundation for a more inclusive, sustainable, and equitable future.
But all of that will be for naught if hackers have their way.
In that sense, cybersecurity should be viewed as far more than just a defensive shield. In fact, it’s a critical enabler of innovation, competitiveness, and a better world. And awareness of cybersecurity needs to be front and center at every level of every organization — and presented (and funded) in that expanded context.
“Technology can enable so much,” said Frankland, “and I’m so excited about that. But we have to do a lot of the work on the people front so that we are creating that awareness, better communicating, better enabling, empowering our leaders.”
Given Cisco’s global sweep, Hartman is particularly aware of the interconnected nature of cybersecurity.
“We all as humans rely on computers for our lives, for every aspect of our lives,” he said. “They’re integral in everything we do, how we communicate, how we share both in our personal and our work lives. And so it’s natural that cybersecurity permeates everywhere across that space. And I think that issues around cybersecurity are truly global. This concept that any country can protect and isolate themselves in a cybersecurity sense from the rest of the world makes absolutely no sense. We’re all interconnected.”
Of course, despite the vexing challenges, Hartman’s quick to offer a positive note for all those who work in cybersecurity.
“There are few areas of IT and computer science and technology that have these geopolitical implications the way cybersecurity does,” he concluded. “I love the fact that it’s at this intersection of technology and life. That makes it a fascinating job.”
• Used with the permission of http://thenetwork.cisco.com
About Kevin Delaney : Kevin Delaney brings decades of journalism experience to The Network. At The New York Times, he was an editor and columnist for the International Weekly edition.