In my work, I spend a lot of time with customers, listening to their cybersecurity challenges, their need for a better understanding of security, their compliance challenges and the regulatory pressure they face. At the same time, I spend a lot of effort on understanding the underlying trends, hacker motivation and how a hacker thinks, in order to better visualize the missing links between where customers are today on their cybersecurity journey and where their primary risks lie.
Companies and organizations spend a lot of time on people, process and technology, and there are many good reasons for it. For example, a network standardized on Cisco, HP or Juniper is the norm – something every organization invests in. It is as common as using a firewall, an intrusion detection or prevention system, anti-virus on endpoints and servers, sandboxing and so on. All of these are commercial products that can be procured at scale. And, with more and more standard designs, networks are becoming more and more alike.
An organization’s journey to the cloud is also a key driver, where data is stored in the cloud with the perception that it is safe – when, in some cases, it is actually not that secure. Regulatory compliance follows the same pattern. Legislation like the GDPR, ISO standards and NIST all mean organizations have to structure themselves, their processes and their work in very much the same way.
So why is it interesting to learn more about how organizations are investing in technologies? And which regulatory compliance they need to adhere to, or standards and processes they follow? The answer is as simple as it is interesting. Nothing organizations do today will help them if there is a hacker motivated enough to go after them.
Companies must therefore assume breach. In other words, assume that someone is already in your organization. We still see so many customers stuck with the mindset of “it doesn't happen to me”. Many do not even know if their organization has relationships with other more interesting targets or that they could be a victim on the journey to an even greater prize.
When everything in security becomes more and more standardized, it becomes easier for perpetrators to find ways in and exploit weaknesses at scale. The market sometimes discusses, and alludes to, the notion that threats are becoming more sophisticated when, in fact, it is actually becoming easier and easier for the hackers to find their way in.
In ordinary life, we sometimes say “think outside the box”. For the hackers of today, there is no box. They do not even know it is there. There are no limits. They see only possibilities of exploring your standardized infrastructure and finding easy access to your assets, and the cost of error for them is virtually zero. How many failed login attempts do you monitor? When is it flagged as a security breach? How do you visualize lateral movement when all your investments are ploughed into prevention technologies, ideally sitting at the perimeter of your infrastructure?
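To make the questions about failed logins concrete, here is an added example that is not part of the original post: a small detector run over a handful of constructed authentication log lines. The log format, the five-failures-in-two-minutes threshold and the alert shapes are all assumptions chosen for illustration. It shows both the point at which a burst of failures from one source gets flagged (including how many distinct accounts were tried, a sign of spraying rather than one forgotten password) and why a success that follows such a burst deserves its own alert, since that is the moment "lots of failed logins" turns into a foothold. It also shows the blind spot of a naive window: the slow, spread-out attempts from the second source never trip it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the original post). The line
# format is an assumption: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04 FAIL user=bob src=203.0.113.5
2024-03-01T10:00:06 FAIL user=carol src=203.0.113.5
2024-03-01T10:00:07 FAIL user=dave src=203.0.113.5
2024-03-01T10:00:09 OK user=dave src=203.0.113.5
2024-03-01T10:05:00 FAIL user=erin src=198.51.100.7
2024-03-01T10:20:00 FAIL user=erin src=198.51.100.7
2024-03-01T10:35:00 FAIL user=erin src=198.51.100.7
"""

# Assumed policy: flag a source after this many failures inside the window.
THRESHOLD = 5
WINDOW = timedelta(minutes=2)


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts found in log_text, in the order they are raised.

    Two alert types are produced:
      burst               - a source reached `threshold` failures inside `window`
      success_after_burst - a successful login from a source whose recent
                            failures are still at or above `threshold`
    """
    # src -> deque of (timestamp, user) for failures still inside the window
    recent_failures = defaultdict(deque)
    burst_alerted = set()  # sources already reported, to avoid repeating
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        q = recent_failures[ev["src"]]

        # Slide the window: forget failures older than `window` relative to now.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()

        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append({
                    "type": "burst",
                    "src": ev["src"],
                    "ts": ev["ts"],
                    "count": len(q),
                    # many distinct accounts from one source looks like spraying
                    "distinct_users": len({u for _, u in q}),
                })
        elif ev["result"] == "OK" and len(q) >= threshold:
            # A success right after a burst is the event worth escalating:
            # the attempts may have worked.
            alerts.append({
                "type": "success_after_burst",
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

With the default policy only the first source is reported: a burst of 5 failures across 4 accounts, followed by the success for `dave`. The second source, spacing its attempts fifteen minutes apart, never accumulates enough failures inside a two-minute window; widening the window to an hour and lowering the threshold to 3 catches it, which is exactly the trade-off the question "when is it flagged?" is asking about.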
So what can you do?
1. Focus on aligning your business needs with your security needs. Make sure the CISO sits in the leadership team – to coach and support the CEO in making risk-aware business decisions. Then security becomes a business enabler instead of a business inhibitor.
2. As mentioned earlier, assume breach. Think about investing differently and do not get stuck in what you have already done for the past decade. Find a trusted advisor like NTT Security that helps you not only invest in technology, but find a balanced approach and focus on increasing your business resilience to new attacks.