In this guide, five CTOs provide their view on the main challenges facing the cyber security industry, with insights on how to overcome them.
As part of Information Age’s Cyber Security Month, we are providing three CTO guides over the coming weeks on cyber security: the challenges, the technology and the best practices. This one will focus on cyber security challenges, with some insights on how CTOs, or CISOs or those in charge of security, can overcome them.
Technological and human
Avishai Wool, CTO of Algosec, sees two categories of challenges.
Technological. “Technology is changing, and the adversaries are always finding new and interesting ways to use new technologies against us. Since technologies are being developed rapidly, and there are financial and other incentives on the side of the bad guys, we can see that we will be challenged for some time to come.”
Human. “Organisations need to realise that the weakest link is the human. The weakest link of an organisation under a cyber attack is the staff. The mistakes that they make allow the attacks to succeed. In the vast majority of cases, human error is the culprit.”
“The security industry needs to find ways to either empower the users to defeat cyber threats, to automate around human inabilities, or to eliminate the human from the equation.”
‘Big data stores create new security challenges’
Scott Gnau, CTO of Hortonworks, believes that the centralised nature of big data stores creates new security challenges.
“In every industry, organisations wonder whether they are getting full value from the massive amounts of information they already have. As data volumes continue to expand, they also take in an ever-wider range of sources.”
“Organisations want to extract value from that data, but the centralised nature of big data stores creates new security challenges; the data that was previously siloed and not delivering intelligence becomes a data compliance challenge and elevated security risk when correlated with personally identifiable data.”
“Traditional tools alone are not up to the task of processing the information the data contains, let alone ensuring it’s secure in the process. While controls need to be placed around the data itself, controls should also be placed around the applications and systems that store data.”
Keeping up with changing technologies
Sridhar Muppidi, CTO of IBM Security, identifies the fast-pace change of technologies – and the skills required – as one challenge of succeeding in cyber security.
“I have the luxury of speaking and talking to large numbers of customers. Surprisingly, a lot of customers are struggling with skills.”
“They are struggling with skills – not just regarding hiring the right kinds of people – but in keeping up with the changing technologies. How do you keep up with the best practices? You could be the smartest person today, but if you don’t keep up with the technology, it’s a problem.”
“The second challenge is around context or understanding. No matter how many skills, if you don’t have the right level of information to make a decision, it’s no good. How do we understand the broader context, not just the market and the technology, but also in the information coming from multiple products that ‘I’ have within my organisation?”
“The third issue is speed. Many customers have about 80 different tools from about 40 different vendors. That’s a vast amount of data to harness. If I spot an anomaly, I need to go and research it before I can decide if it’s good or bad. Of course, I also need to do this in a concise period of time. The threat landscape is moving very fast and attackers are smart.”
The ‘growing cyber skills gap’
“There’s no shortage of young people capable of pursuing a career in cyber security. But, the trick is to ensure we nurture their skills and guide them towards using their talents for good, rather than acting as black hat hackers. Thanks to institutions such as GCHQ, initiatives are now being run around the UK that are aimed at producing the next generation of cyber security experts.”
“As demand for these roles continues to increase in a post-GDPR world, governments, businesses and educators need to invest in these young people. Of course, they also need to train existing staff, use relevant solutions and be situationally aware, to remain secure and continue to comply with regulations now.”
Security needs a ‘multi-pronged’ approach
Uri Sarid, CTO of MuleSoft, believes that businesses have to treat cyber security as a multi-layered set of initiatives.
“It can’t be a separate initiative from other things in the business. It starts from security by design, which means that at the design of every system, there are security concerns being built in. You have to teach people who create anything, whether it’s new software, or whether it’s integrations, or whether it’s new APIs, the basic principles of security by design.”
“You also have to build things in a modular way, because the only way to achieve security in a distributed world is to have modules with well-defined intent. They tell you what it is that they’re doing, they tell you what kind of information they’re exposing, what kind of capabilities they enable. And then in the wiring, you can put in security best practices. It’s much easier to do it that way than to go back and retrofit a whole bunch of systems later.”
“You have to take this multi-pronged approach. It’s an educational approach, it’s an API-led approach, it’s a very intentional approach and it’s the best way to overlay more and more layers of security in the future.”
Work on a basis of ‘assumed compromise’
Michael Wignall, CTO at Microsoft UK, believes that organisations should work on the understanding that, at some point, they will be breached.
“In the cyberspace, the first thing to recognise is it’s asymmetric. Trying to protect our own estate, you need to protect it everywhere, whereas an attacker only needs to find one vulnerability and get in in one place. So, one of the core challenges is that you’re fighting an arms race where you in an asymmetric battle with the attackers.”
“Organisations need to understand and have a pragmatic view that if a hacker really wants to get into your network, they probably will. You have to work on a basis of assumed compromise, that you’re going to get breached at some point. So, you have to have a model to make it difficult for the hacker. A model that makes the costs of carrying out an attack more difficult harder.”
“You need to have a security lifecycle where you’re not just protecting your data, but you’re protecting when there’s a breach and then you’re responding quickly. Focusing on that full lifecycle of protect, protect and then respond has become more important, whereas historically, we’ve just focused on protection.”
“The second challenge is the attacks are getting more sophisticated. The threat landscape is changing, and you can just read the press to see that it’s moved from the geeky hacker in the bedroom through to hacktivists, to organised criminals and nation states. The sophistication of the attackers has increased and that’s a core challenge for end users.”
“There are also some technological changes with artificial intelligence and machine learning, where a lot more of these attacks are just automated. And you can spin them up and target a set of IP addresses or domains, and it will go away and automatically try a set of vulnerabilities or automatically try to breach it. To face that threat, you need to almost use the same technology – like machine learning – to protect your estate.”
“The final point is that it’s got to be a board level issue. With compliance changes like GDPR coming into force, and the regulatory impact of a data breach, the issue of cyber security has become much more serious.”
“Educating the board and making sure they understand the importance of cyber security needs to be at the top of the agenda, like any other mission-critical capability. And that is another big challenge.”