CSOs, seen over the years as techies at heart, are today strategic business executives who tightly couple the company’s cybersecurity posture with the business agenda, says Sean Duca, vice president and regional CSO, APAC at Palo Alto Networks.
Edited excerpts from CSO's interview with Duca:
Yesteryear’s ‘prevention is better than cure’ has become the ‘detection is better than prevention’ pitch for security OEMs. Does that make a CSO’s role more challenging?
The complexity of the CISO role right now only becomes bigger and harder, to an extent. We are inherently built with a ‘prevention is better than cure’ mind-set. I still believe that if you lead with a detection mind-set, one needs to work manually to respond to and deal with the challenges, while there is a skillsets shortage. We cannot prevent every single attack out there, but limiting the impact is possible.
Security can be broken into threat prevention, threat detection and threat eradication. Once an unknown threat is detected, CSOs should communicate it quickly to the stakeholders across the rest of the infrastructure. The concept of defence in depth has shifted to the attacker’s modus operandi: to steal information, prevent access to it or destroy it. If companies prevent them from hitting that objective, they actually win. Organizations need to think about how often they need to detect a breach, but they also need to stop it.
There’s a new attack surface, be it the 3.2 million debit card breach in India or the 1.5 million connected cameras breach. Have CISOs become careless, or have the hackers gone smarter?
We haven’t solved petty crime, so I really don’t think we will be able to solve cybersecurity challenges. That is not to say that the hackers will always win, but we have to make it fundamentally difficult for them to be successful.
The advent of smartphones makes it easier to process, and cheaper to take, a thousand-odd photos than a traditional camera did. From a cybersecurity perspective, people reuse and reissue code all the time without it really costing them anything. If we learn how hackers work, start to communicate information with each other and push the code back to the attacker, then issuing new code becomes costly for them.
For IoT strategy, CSOs need to rethink how to fit security into the IT infrastructure. It is fundamentally hard because manufacturers are rolling out devices without security, since that component escalates the cost. We are working to understand the devices, users, apps and controls across the IoT environment for our customers.
As the CSO of a security OEM, can you relate to the key concern areas of CISOs in the new threat landscape of SMAC?
Many CSOs are bothered by the fact that they still ultimately have to protect company information (wherever it is) and their end users as well. Looking at the exponential rate of threats in a ‘connected business’ environment, it is inevitable that companies will most probably see something bad.
Security executives don’t want their company’s breach to be listed in the newspaper. There is a lack of knowledge amongst enterprise users, and hence we are working with the NYSE on the ‘Navigating the Digital Age’ concept, which is more about the business conversation on cybersecurity than the technology aspect. Security has to be a top-down approach at the board level. The challenge has been that security is considered a problem wherein IT professionals speak to LOBs about numerous vulnerabilities and malware exploits, and most business leaders are often clueless on the issue.
Whether it is social, mobile, analytics, cloud, virtualization or any megatrend that comes up in the next few years, there is a cybersecurity element to each, for which CISOs should either mitigate the risk or decide whether it is an acceptable risk.
Everyone knows the importance of security, yet the breach menace goes on. Has the gap widened because of less evangelism by tech OEMs, or because CSOs are less cautious about pulling all the plugs?
From a cybersecurity perspective, nothing is tangible. You can protect a particular device with a lock on it. But the data today sits in, say, five different data centers, and sometimes who’s looking after it, and then how to protect it, becomes a challenge. The big challenge for CSOs revolves around where the data or information is, what keeps the lights on for the business, and how to protect it. CSOs shouldn’t spend money to protect every asset, every door and everything in the infrastructure, but should surely protect what is most critical to the business.
Cloud should not be seen as something so fearful that it becomes counterproductive for the company. We are talking about virtual concepts as opposed to the physical realm of a lock on the door. Attackers and their motivation lean more towards quick wins. Almost 95% of threats are cybercrime related: either financially motivated, or stealing information to monetize it later.
Palo Alto Networks talks a lot about Layer 7 (the app space), whereas the security architecture stretches across 10 layers as per analysts. Can you demystify this layered standard?
Two decades ago, the first firewall was introduced in a simple world of email and web. Attackers started leveraging the applications deployed and exploiting them. The firewall model was broken because everyone moved to port 80, web traffic, which is just one big gate that is open for traffic to flow through.
We hence introduced the next-gen firewall to understand the application layer. It is all about identifying those apps, providing visibility into them and controlling them, which can reduce the attack surface for layers 8 and 9, the user. That’s the value proposition we have.
We don’t want security to be a blocker, which it shouldn’t be. Security should be an enabler, like the way one uses car brakes. You can go fast, and when faced with risk and challenging terrain, you can slow down by applying the brakes. The same concept works for security, as businesses can pull back if they see a rocky road (a breach or attack) ahead.
What are the big changes in the cybersecurity space? Do you see automation, machine learning and robotics taking away the jobs of cybersecurity professionals?
There definitely has been big change in terms of security solutions, and also in the threats out there. For any level of automation or new technology, there would be ten new jobs that pop up. Today’s school-going kids will work in industries which do not exist at present. Things like AI and machine learning have been around, and are now seeing an explosion in uptake.
In the transition from industrial revolution 2.0 to 3.0, people lost jobs, but people took new ones. As we move to version 4.0 with robotics and the like, people will work on different things. In security, compared to any other space in IT, people aren’t leveraging automation enough. Right now we have automated attackers, but we are relying on humans to defend against them. We can train millions of people, but we still won’t win the challenge unless we use more automation.
Insider threat figures in the top three sources of breach for companies as per surveys. Is there a serious cure?
Technology alone does not solve the insider threat completely, because it is probably more of a cultural issue. The biggest challenge for the CISO of a ‘large service provider’ was insider threat. Whenever they planned a new service or GTM, there was a media leak instantly. Over the years they had been making it difficult for people to do their daily jobs. People who hate going to work often cause destruction to their employer. CISOs need to look inside a little more, so as not to do a disservice to users who need to be productive.
Technology will come into play, but it’s more to do with the processes. That’s the true way to stop insider threat, which is financially motivated most of the time. It’s more about protecting data than protecting the infrastructure, as the security posture moves to an information-centric model.
The Bucket List for CSOs
- Do something different to build a robust security posture for a better business outcome.
- Adopt a prevention mind-set across the team to prevent the known threats in the network.
- With a skills shortage and limited people, deploy the 80:20 rule to secure the most critical data.
- Don’t repeat what you have done in the past to land on the front page of the mainstream press.
- Do not always rip out the legacy infrastructure; complement the existing infrastructure with new security solutions.
- Do not ignore the threatening attack surface from the Application layer in your network.
Sean’s 4 Security Trends for 2017
1. Ransomware to move more towards mobiles, connected devices.
2. IoT related assets to dramatically expand the attack surface.
3. Industrial Control Systems hacking to be a big concern area.
4. Trust in the integrity of data to be crucial in the industrial revolution 4.0 era.