Don’t let security be the handbrake of innovation – TechCentral
The nature of cybersecurity is undergoing rapid evolution. Cyberattacks are becoming more frequent and sophisticated.
We’ve seen severe business outages in every sector. Whether you’re in finance, infrastructure or healthcare, If you’re making money, you can expect an attack. Cybersecurity teams continue scrambling to respond to these attacks as cybercriminals continually evolve their tools and techniques.
The massive growth in technology adoption, with many businesses embracing digital transformation, has necessitated a vastly different approach to security. The need to be more innovative in cybersecurity is becoming increasingly necessary.
With this context in mind, an illustrious group of industry leaders gathered at the Saxon in Johannesburg on 10 November for a roundtable discussion to discuss the issue. We highlight some of these perspectives in this article.
On the shifting landscape of cybersecurity
Threats continue to evolve. As businesses continue to adopt and move toward digital transformation, it requires a commensurate investment in cybersecurity. Cybercriminals continue to evolve their tools, leveraging new technologies faster than traditional businesses that need to justify their investment and spending.
For example, attackers are using AI to create “deep fake” videos of company leaders sharing a story and sending it to businesses to trick employees into clicking on a malicious link.
The channels of security threats also continue to evolve. Previously, threats were easier to manage as they came through e-mail and on a PC or laptop. With the introduction of mobile technologies, remote working, and different communication and social platforms, such as WhatsApp, Slack and Discord, it is becoming increasingly difficult to manage and manage and protect these channels. Hackers can now use emojis to run exploits.
Given the shifting nature of security, it is increasingly important to create a culture of risk and security and utilise new technologies to augment security capabilities.
On security skills
Skills, or the lack thereof, is a massive challenge. Diversity, including gender diversity in cybersecurity, also remains a challenge. Companies are struggling to hire these skills and capabilities. Hiring practices are not adaptable enough. Businesses have stringent policies requiring X years of experience with master’s degrees and information security certifications. Without these, one is not even invited to the interview. Yet Uber was recently hacked, and the attacker was a 17/18-year-old affiliated with a hacking group called Lapsus$, whose members are mostly teenagers.
Another challenge is that “red team” hackers often play in the “grey zone”. Red teams are simulated adversaries, attempting to identify and exploit potential weaknesses within the organisation’s cyber defences, identifying the attack path that breaches the organisation’s security defence through real-world attack techniques. For these attacks to be simulated as close to the real world as possible, they have to use sophisticated tools that real attackers would ordinarily use. This means that these individuals, while not malicious by nature, may be flagged by organisations’ integrity checks and completely overlooked by the hiring organisation.
A rethink of how we hire, particularly in cybersecurity, will help improve innovation in the field. As an industry, we need to consider more innovative approaches to hiring. Adopting an approach of “trespassers will be recruited” may be a more effective way of hiring individuals to improve the overall security posture.
On localisation
Localisation remains important. As South Africans, we must embrace our differences and not rely on purely international companies to develop solutions for us. We have different languages and cultures to which we must tailor our security efforts. Making content locally relevant will improve overall adoption.
This is also true of the rest of Africa. In these regions, digital and technology adoption is very different. There is a lower spend on security, the government more highly regulates cloud adoption, and regulation is not friendly towards technology. In these instances, we must constrain our thinking to innovate and effectively improve security in these environments.
On third-party risk
Third parties are challenging to manage, and yet, to improve innovation, we have to rely on a broader ecosystem strategy. Using third parties is necessary; however, as a business, the ultimate accountability for any data breach lies with the business as the custodian of the data. A breach brings disrepute to your company and not the third party’s.
In some instances, third parties are not only technology third parties but general service providers, such as in the supply-chain space. If third parties are not managed more effectively, it may be the weak link that breaks the chain.
Ideally, third parties should be treated like internal employees. However, taking responsibility for third-party security could mean increased licensing, cyber-assessment and training costs.
On audit
Moving away from an audit approach to a combined assurance approach has proved to be valuable where this has been successful.
Audit cannot be a tick-box function that uses its findings as a stick against security. There needs to be mutual respect, with audit be seen as a partner, helping achieve the same goals.
We must be careful that auditors do not set the security agenda. Money often chases the audit findings, yet auditors don’t take accountability when something goes wrong. It is crucial that we bring auditors along with us on the cyber journey and ensure that findings are relevant and add value.
On the changing role of the CISO
The role of the chief information security officer has fundamentally changed. A CISO today has to wear many hats. They not only manage risk, protect data and oversee the protection of critical infrastructure, but they need business and strategy skills to articulate the value and importance of information security. They need to lead large groups of very technical people, be people-orientated to create an inclusive culture of security, and be ethical beyond measure, as they hold the keys to the company data. They also need to be innovators, always looking for new ways to improve the security posture while balancing risk.
On enabling innovation in business
Innovation and security are often seen as water and oil. They don’t mix well. Getting it right is a tricky balancing act. In one instance, the security team looked at the code for the winning innovation apps in a major bank. While these apps were innovative, they lacked the basic security measures that needed to be implemented, especially when dealing with sensitive information.
When innovating, it was suggested that this is the first date, and not a marriage. However, the challenge is that if a relationship is not built on solid foundations, the marriage may crumble. Finding the balance to bake in security from the onset is necessary to innovate and avoid any security technical debt.
Dev teams must embrace a security mindset and security must play a bigger role in ensuring security is baked into the solution as it scales.
There is no doubt that this is a tricky balancing act. Businesses must innovate to keep up to pace with disruptive entrants, and security cannot hold back this innovation. At the same time, we need to create a culture of DevSecOps, where security is considered early in the innovation process. This is especially difficult in businesses that have capacity and skill constraints.
Building solutions that have strong security can be a competitive advantage and is more likely to be adopted than those technologies that aren’t secure.
Capacitating your teams, embedding security in the business, and changing the culture are all needed to improve overall innovation capabilities.
On ‘attack surface reduction’
An attack surface is essentially the entire external-facing area of the business. As we digitise, cloud-up and connect, our attack surface is broadening, and so are our attack vectors and vulnerabilities. As security professionals, we need to understand our network, reduce these attack surfaces, and strive for a smaller blast radius. We should leverage new technologies such as machine-learning models and tools to help augment our security capabilities and improve our mean time to detect and respond so that the blast radius is minimised.
In closing
Cybersecurity is complex. There are a lot of moving parts. Changing our mindsets is incredibly important. The quality of the answer is dependent on the quality of the question. We need to start asking different and better questions, which often leads to better answers and ultimately improved security and innovation.
To use the analogy of a car, the better the brakes, the faster we can drive. But let’s not make security the handbrake of innovation.
About CYBER1 Solutions
CYBER1 Solutions is a cybersecurity specialist operating in Southern Africa and East and West Africa, Dubai and Europe. We provide innovative, agile end-to-end security solutions to support our customers at every step along their security transformations.