You couldn’t have asked for a timelier panel discussion at the Canadian Telecom Summit.
Executives from a handful of IT service providers gathered to talk about the latest trends in cybersecurity at the recent conference in Toronto. Just the day before, billionaire Facebook founder Mark Zuckerberg apparently had his Twitter, Pinterest and LinkedIn accounts hacked.
One day after the Toronto panel discussion, the University of Calgary confirmed it had just paid $20,000 to hackers holding its staff email server hostage in a ransomware attack.
One week after that, EMC’s RSA division released new numbers to put those hacker headlines into context. After surveying 878 organizations in 81 countries, RSA determined 75 per cent “have a significant cybersecurity risk exposure.” (They based their risk assessments on the U.S. government’s NIST Cybersecurity Framework model.)
Going further, the researchers said organizations that favour using “perimeter-based solutions” for security are even more vulnerable to cyber thugs.
“Companies which primarily rely on a perimeter defense philosophy are disadvantaged in finding malicious activity, and risk public exposure of critical business assets,” the report suggests.
Back at the Toronto conference, panelist Jennifer Blatnik just happened to make a very similar argument.
“The perimeter approach to security is fading. Now the perimeter is everywhere,” said Blatnik, VP of product marketing at Juniper Networks.
Building an IT-based border to keep the bad stuff out just isn’t possible, she said. These days, bad stuff comes from outside the enterprise, inside of it and every place in between. The Barbarians aren’t at the gate anymore; they slithered through it a long time ago.
To ditch the perimeter-based mindset, we’ve got to stop reducing cybersecurity to a problem we could definitively solve if we only threw the right amount of tech tools and money at it. So says panel member Stewart Cawthray, general manager of network security at Rogers Communications’ enterprise business unit.
“Security is not a product. It’s a toolbox,” he said. In his view, enterprises should ideally use their cybersecurity toolboxes for ongoing security maintenance, not just putting a quick fix on a leaky faucet.
“You have to remember it’s not a technology problem, it’s a people problem,” said co-panelist Kellman Meghu, head of data centre virtualization and infrastructure at Check Point Software Technologies.
One of those people problems, said Meghu, is a prevailing perception of enterprise IT as “the evil team” that says no to all the cool stuff everyone wants to do. If people in business units sought IT’s input before developing that new app or trying out some new software, shadow IT problems wouldn’t darken the landscape so often, he said.
“Too often the conversation is still (about) how do we get this past the security team instead of hey, help us from the beginning to manage the risk,” said Meghu, adding that we need to see more of a partnership between IT and business teams.
Education is also crucial for teaching line-of-business staff to identify external threats — and, internally, to recognize their own risky behaviour, said Zayo Group CTO Dave Jones.
“You need the layer of (technology) protection but you also need the training,” said Jones.
Despite the new focus on attitudes and actions within enterprise organizations themselves, there’s still a place for technology-based weapons in the cybersecurity toolbox. Blatnik mentioned newer cybersecurity applications that use software-defined networks (SDN). Meghu said automation technology should also make stuff like threat detection and containment simpler and more accurate.
Sticking with the theme of tech-based solutions, Meghu called on vendors of some cybersecurity products to be more upfront about what they’re actually selling. Instead of pitching their wares as “a magic red button” to keep everything safe, he urged them to give customers a transparent, realistic explanation so they can “use the tools for what they really are.”
So although technology is still part of the new approach to IT security, it’s no longer the only part. To move past the perimeter mindset, cybersecurity is becoming more about buy-in and behaviour than just buying the right product.
Photo: Christine Wong