Instilling a culture of security

Increasing focus on cyber-security once meant buying "yet another box." Gert-Jan Schenk says now businesses need to shift from defence to offence and instil a culture of security which needs to come directly from the CEO.

Gert-Jan Schenk, VP for EMEA, Lookout
Gert-Jan Schenk, VP for EMEA, Lookout

I look at it this way; last year businesses were mostly on the defence with cyber-security. We saw mainstream breaches become the norm, with V-Tech, Ashley Madison and OPM top of the mind. This year, we're going to see businesses, governments and solution providers come at the challenge of cyber-security with more gusto, innovation and manpower than ever before. While security is a bit like the dragon you can never one hundred percent slay, I believe we're going to see a much stronger offence this year and moving forward.

Here are a few areas where I see cyber-security shifting in the years to come.

1.   We're going to hear about a lot more breaches, but it's how we use this information that will makes us smarter and safer.

We don't hear about most breaches because if customer data wasn't compromised – a la the TalkTalks of the world – companies aren't mandated to share their stories. Indeed, there are far more breaches happening every day than most people realise. However, real behind-the-hack stories – what was breached, how, by whom and for what reasons – could allow the industry to learn from what happened, and ensure it never happens again. Just look at the aviation industry: if a plane crashes for the same reason that a previous one did, that's a huge problem, hence a high amount of regulated information sharing within this industry. With cyber-security, however, if a company gets breached for the same reason that a previous one did, that's just a normal day.

Soon, this will all change when it comes to data breaches. The European Commission recently proposed the first EU-wide cyber-security rules, where businesses identified as ‘critical service companies' will be required to quickly report security breaches to authorities. It shows the industry is moving towards making more businesses accountable and responsible for both reporting, and will therefore act to prevent future breaches.

Proposals like the EU's are a good thing. We need to be sharing the results of thorough investigations into all cyber-attacks, not just those with devastating repercussions.

2.   The perimeter isn't going to die, it's going to spawn.

We've been hearing the ‘death to blanket firewalls' cry from the security industry for years, but that's the wrong way to look at it. While many major breaches involve an attacker bypassing a firewall to get at valuable data, most organisations still use the perimeter as a cornerstone of their security architecture. Even when moving to the cloud, enterprises often extend their perimeter to virtual systems. Because business needs dictate having innumerable exceptions to perimeter access controls (eg open ports for web services, partners and contractors needing access, VPNs and Wi-Fi granting access to unmanaged devices), IT no longer effectively controls what can get behind the firewall.

I foresee “re-perimeterisation,” where instead of monolithic internal networks, enterprises will build micro-perimeters that envelop and protect many individual segments of the larger system, such as applications and data stores. These micro-perimeters may even enforce their own customised security policy, depending on how sensitive that information is.

The existing perimeter will crumble, but it will be reformed into stronger, smaller perimeters that make what was once a one-and-done attack into a major obstacle course.

3.   Instil a culture of security, led by the CEO

Under increased regulatory and financial pressure to reduce the risk of a breach, businesses need a change the perception about building their protection strategy. In the past, increasing focus on cyber-security meant buying “yet another box.” Deploying solutions without first understanding the problems to solve and a strategy to solve them has proven ineffective and mega-breaches have proliferated over the past few years. Real progress, however, will come by measuring *actual* risk reduction, instead of aiming for the hollow victory of solution deployment.

How will this change occur? First, CEOs must recognise that the days of the security blank cheque, throwing money at CSOs to “solve security,” are long gone. For starters, this is not an effective strategy for CEOs to absolve themselves of responsibility, never mind the fact that those cheques are bound to dry up. In reality, money should be the least of an organisation's problem with cyber-security. Money is not the only solution. Businesses need to instil a culture of security and this needs to come directly from the CEO in order to be effective. Give your CSO the authority and cache within the organisation to implement protocols to keep people safe. All too often we hear about security teams that know of a bug, but they lack the authority to force fixes. Bring in HR and Marketing to help identify how, when and where to implement company-wide programmes that will be adopted. This is really just a start.

Contributed by Gert-Jan Schenk, VP for EMEA, Lookout