By Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT, Six Sigma Black Belt
International Chief Technology Officer, Cybersecurity, Micro Focus
These are difficult times. In 2020, many businesses were seriously hit, and some are realizing they may never fully recover. Several business lines were affected… but one that has remained vibrant is cybercrime. The hasty transition to remote work meant that many home networks were pressed into service for work without being properly secured, offering attackers an easy opportunity to breach systems and bring organizations to a halt. Addressing this unfortunate reality will require a different approach, a new perspective, and maybe even a new beginning. It’s time for a new era of cyber resiliency made possible by radical innovation.
What is required now in every industry, market, and geography is a new way of thinking about the holy disciplines upon which cybersecurity was built: Identity and Access Management, Application Security, Security Operations, and Data Security. It is imperative that companies refresh their thinking on how to govern who has access to what, when, how that access was granted, and for how long. And that must happen for every infrastructure, system, and device in a programmatic way, keeping in mind people, process, and technology, but also observing culture, structure, and strategy at the same time. Radical innovation will come from the use of unsupervised machine learning, which learns by observation rather than from labelled examples, to detect anomalies in the way identities and access rights are governed in an environment.
Companies can now define a risk score and compare their current security posture not only with their own past performance but even with their competitors, making this a fantastic metric for Risk Auditing and Assurance departments. Radical innovation would also come from leveraging all the data coming from different sources and correlating it appropriately to assess risky behaviours in a context-aware approach: understanding the variables that lead to an access decision and acting on them, for instance by hardening the requirements ‘on the fly’ for that specific request.
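The two paragraphs above describe the mechanism only in outline: a model that learns what "normal" access looks like for each identity by observation alone, scores a new request by how far it deviates, and lets that score drive the access decision. The following added example (not code from the article or from any Micro Focus product) does exactly that with per-identity frequency tables and a 0-100 risk score; the access log lines, identities, resources, country codes and the step-up/deny thresholds are all constructed for the example.

```python
"""Unsupervised scoring of identity and access events.

Added example, not code from the article or from any Micro Focus product.
It learns each identity's normal access pattern by observation alone (no
labelled "bad" events), then turns the deviation of a new request from
that baseline into a 0-100 risk score that can drive a policy decision.
The log lines, identities, resources and thresholds are all constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history, one event per line: timestamp,identity,resource,country
HISTORY = """\
2020-11-02T08:05:00,alice,hr-portal,ES
2020-11-02T08:40:00,alice,hr-portal,ES
2020-11-03T09:10:00,alice,hr-portal,ES
2020-11-03T09:55:00,alice,hr-portal,ES
2020-11-04T10:02:00,alice,hr-portal,ES
2020-11-04T10:31:00,alice,hr-portal,ES
2020-11-05T11:15:00,alice,hr-portal,ES
2020-11-05T11:48:00,alice,hr-portal,ES
2020-11-02T12:20:00,bob,finance-db,ES
2020-11-03T13:05:00,bob,finance-db,ES
2020-11-04T14:30:00,bob,finance-db,ES
2020-11-05T15:10:00,bob,finance-db,ES
2020-11-03T09:25:00,bob,hr-portal,ES
2020-11-05T10:45:00,bob,hr-portal,ES
"""


def parse_events(text):
    """Turn CSV lines into event dicts; the hour is bucketed by the model."""
    events = []
    for line in text.strip().splitlines():
        ts, who, resource, country = line.split(",")
        events.append({
            "who": who,
            "resource": resource,
            "hour": datetime.fromisoformat(ts).hour,
            "country": country,
        })
    return events


class AccessBaseline:
    """Per-identity frequency tables built purely from observed events."""

    BUCKET_HOURS = 4  # time of day is grouped into 4-hour windows

    def __init__(self, events):
        self.total = Counter()
        self.tables = {
            "resource": defaultdict(Counter),
            "hour": defaultdict(Counter),
            "country": defaultdict(Counter),
        }
        for e in events:
            self.total[e["who"]] += 1
            for feature, table in self.tables.items():
                table[e["who"]][self._key(e, feature)] += 1

    def _key(self, event, feature):
        value = event[feature]
        return value // self.BUCKET_HOURS if feature == "hour" else value

    def _rarity(self, who, feature, key):
        """1 - Laplace-smoothed probability; values never seen rate close to 1."""
        n = self.total[who]
        if n == 0:
            return 1.0  # identity never observed: everything about it is anomalous
        seen = self.tables[feature][who]
        p = (seen[key] + 1) / (n + len(seen) + 1)
        return 1.0 - p

    def score(self, event):
        """Risk score 0..100: mean rarity of resource, time window and origin."""
        parts = [self._rarity(event["who"], f, self._key(event, f))
                 for f in self.tables]
        return round(100 * sum(parts) / len(parts), 1)


def decide(score, step_up_at=60.0, deny_at=85.0):
    """Map a score to an access decision; thresholds are constructed values."""
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step-up"   # e.g. demand a second factor for this one request
    return "allow"


if __name__ == "__main__":
    baseline = AccessBaseline(parse_events(HISTORY))
    for line in ("2020-11-10T09:00:00,alice,hr-portal,ES",
                 "2020-11-10T03:00:00,alice,finance-db,XX",
                 "2020-11-10T13:00:00,bob,hr-portal,ES"):
        ev = parse_events(line)[0]
        s = baseline.score(ev)
        print(f"{line:45} score={s:5.1f} -> {decide(s)}")
```

Alice asking for her usual portal during her usual hours scores about 10 and is allowed; the same identity reaching for a finance database at 03:00 from a country never seen before scores about 90 and is denied; Bob touching a resource he uses only occasionally lands in between. An identity with no history at all scores 100, which is the conservative default a baseline model should have for brand-new accounts. Laplace smoothing keeps a single unusual event from being scored as impossible, and the thresholds are where a policy team, not the model, decides how much deviation justifies a step-up.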
Once an organization establishes new ways of thinking, its cybersecurity strategy and tactics can adapt and adopt techniques never seen before, such as encrypting data while preserving the original format of the information, which saves precious time and money because the source and destination applications no longer need to be changed. Or using tokenization (rather than encryption), so that there is no mathematical relationship between the tokenized data and the original information, making it difficult for attackers to infer the latter.
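To make the two properties in the paragraph above concrete, here is an added example (not code from the article or from any vendor's tokenization product) of vault-based tokenization that also preserves format: each token is drawn from a cryptographically secure random generator, so nothing about the original can be derived from it and the only way back is a vault lookup, while the token keeps the length, character class and trailing digits of the original so that existing schemas and applications accept it unchanged. The sample values, the `keep_last` parameter and the in-memory vault are assumptions of the example.

```python
"""Vault-based tokenization that preserves the data format.

Added example; it is not code from the article or from any vendor's
tokenization product.  Tokens are drawn from a CSPRNG, so there is no
mathematical relationship between a token and the value it stands for:
the original can be recovered only by asking the vault.  The token keeps
the length and character class of the original (and, optionally, its last
digits), so downstream applications keep working unchanged.  The sample
values are constructed.
"""
import secrets


class TokenVault:
    """In-memory vault; a real deployment keeps this store isolated and encrypted."""

    def __init__(self, keep_last=4):
        self.keep_last = keep_last   # assumption: trailing digits stay visible
        self._token_of = {}   # original value -> token
        self._value_of = {}   # token -> original value

    def tokenize(self, value):
        """Return a random digit string of the same length; a repeated value gets its existing token."""
        if not value.isdigit():
            raise ValueError("this vault tokenizes digit strings only")
        if len(value) <= self.keep_last:
            raise ValueError(f"value too short to keep {self.keep_last} trailing digits")
        if value in self._token_of:
            return self._token_of[value]
        head_len = len(value) - self.keep_last
        tail = value[head_len:]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(head_len))
            token = head + tail
            # reject the (astronomically unlikely) identity mapping or a collision
            if token != value and token not in self._value_of:
                break
        self._token_of[value] = token
        self._value_of[token] = value
        return token

    def detokenize(self, token):
        """Reverse lookup; raises KeyError for a token the vault never issued."""
        return self._value_of[token]


def format_preserved(original, token, keep_last=4):
    """True when the token can stand in for the original in existing schemas."""
    return (len(token) == len(original)
            and token.isdigit() == original.isdigit()
            and token[len(token) - keep_last:] == original[len(original) - keep_last:])


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"   # constructed sample (a well-known test number)
    token = vault.tokenize(pan)
    print(pan, "->", token, "format preserved:", format_preserved(pan, token))
    print(token, "->", vault.detokenize(token))
```

Because the head of the token is random, two tokenizations of different values share nothing but the retained tail, and a stolen token set is useless without the vault; that is the "no mathematical relationship" the text refers to. The price is that the vault becomes the asset to protect and the component that must be available wherever detokenization is needed, which is the main trade-off against format-preserving encryption, where a key rather than a lookup table does the reversing.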
Radical innovation should also come from the discipline of application security: technology that not only identifies and detects vulnerabilities (which developers and risk practitioners greatly appreciate), but also recommends fixes and suggests the right code to fortify an application, especially in the era of CI/CD (continuous integration/continuous delivery). A tool that can automatically detect vulnerabilities and faulty code, for instance code that depends on outdated open-source libraries, represents a gigantic leap in the way developers can assess their security posture and minimize the window of exposure.
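The paragraph above names the CI/CD check in words; the added example below (not the article's or any vendor's scanner) shows the smallest useful version of it: parse a pinned requirements file, compare each pin against an advisory feed that records the first fixed version, and emit the corrected pin line rather than just a finding. The package names, versions and advisory identifiers are placeholders constructed for the example, not real packages or CVEs.

```python
"""Flag pinned dependencies that sit below a known-fixed version.

Added example, not the article's or any vendor's scanner.  It reads a
pinned requirements file, compares each pin with a constructed advisory
feed and emits the corrected pin line a developer could drop in.  Package
names, versions and advisory ids are placeholders, not real packages or
CVEs.
"""
import re

# Constructed manifest in requirements.txt style
REQUIREMENTS = """\
# sample pins (constructed)
examplehttp==2.19.1
fakeyaml==5.3.1   # inline comment
safeutil==3.4.8
"""

# Constructed advisory feed: package -> [(first fixed version, advisory id)]
ADVISORIES = {
    "examplehttp": [("2.20.0", "EXAMPLE-ADV-0001")],
    "fakeyaml": [("5.4", "EXAMPLE-ADV-0002"), ("5.1", "EXAMPLE-ADV-0003")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def version_key(version):
    """Numeric components for tuple comparison: '5.3.1' -> (5, 3, 1)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_requirements(text):
    """Map package name -> pinned version; comments are dropped, only exact pins are accepted."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins, advisories):
    """One finding per advisory whose fix version the pinned version has not reached."""
    findings = []
    for name, pinned in sorted(pins.items()):
        for fixed_in, advisory_id in advisories.get(name, []):
            if version_key(pinned) < version_key(fixed_in):
                findings.append({"package": name, "pinned": pinned,
                                 "fixed_in": fixed_in, "advisory": advisory_id})
    return findings


def suggest_pins(findings):
    """For each affected package, the single pin that clears all of its advisories."""
    target = {}
    for f in findings:
        current = target.get(f["package"])
        if current is None or version_key(f["fixed_in"]) > version_key(current):
            target[f["package"]] = f["fixed_in"]
    return [f"{name}=={version}" for name, version in sorted(target.items())]


if __name__ == "__main__":
    findings = find_vulnerable(parse_requirements(REQUIREMENTS), ADVISORIES)
    for f in findings:
        print(f"{f['package']}=={f['pinned']} affected by {f['advisory']}, fixed in {f['fixed_in']}")
    print("suggested pins:", suggest_pins(findings))
```

Run in a pipeline stage, a non-empty findings list is the signal to fail the build, and the suggested pin lines are what the text calls "suggesting the right code": the developer gets the exact change rather than a report. Two things this deliberately does not do are worth knowing: it compares only numeric version components (pre-release tags such as `rc1` are ignored), and it trusts the manifest rather than the installed environment, so transitive dependencies are invisible to it unless they are pinned too.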
It is critical that organizations focus their efforts on ensuring their capacity to resist and endure in the troubled times ahead of us, with different threat actors willing to create disruption and harm societies at large. Organizations must also understand concepts such as structured and unstructured data, Shadow IT, Shadow Data, the processes of Risk Identification, Risk Governance and Risk Response, and the fantastic idea of creating ‘circles of trust’. In short, they must embark on a journey that begins with discovering their assets in order to protect them (Galileo Galilei said more than 500 years ago that “one cannot control what is not known.” Quite a radical and innovative thought for the era!).
That discovery has to cover every angle of the enterprise (from the cloud to the data centers, from the data to the applications, from the network to the devices), and that, as an overarching principle, is a radical approach to innovation that leaves no system behind. It fully embraces the idea of cyber resiliency: anticipating, withstanding, recovering and evolving. It is the way to go: using the disruptive, emerging technologies that engineers imagine to enhance and bolster the security posture of an entity. This is what is required in the times we are living in. This is what is needed to embrace radical innovation for the greater good.