I just read a good Wall Street Journal blog by Ben DiPietro titled, Speed of Tech Change a Threat to Cybersecurity. His main point is that while organizations are adopting new technologies like cloud computing, mobile computing, and applications based upon the Internet of Things (IoT), they continue to address cybersecurity risks, controls, and oversight with legacy tools and processes. This creates a mismatch where cyber-adversaries have a distinct offensive advantage over a potpourri of assorted legacy enterprise security defenses.
I couldn’t agree more, Ben, but it may be worse than you think as this discrepancy has been going on for years. In a 2012 research survey, ESG asked security professionals to describe the impact of numerous new IT initiatives on infosec operations and management at their organizations. The research indicated that:
- 69% of organizations said that cloud computing initiatives made security operations and management much more difficult or somewhat more difficult.
- 62% of organizations said that mobile computing initiatives made security operations and management much more difficult or somewhat more difficult.
- 56% of organizations said that remote worker initiatives made security operations and management much more difficult or somewhat more difficult.
- 51% of organizations say that server virtualization initiatives made security operations and management much more difficult or somewhat more difficult.
- 47% of organizations said that BYOD initiatives made security operations and management much more difficult or somewhat more difficult.
Now, many enterprise organizations have embraced a number of these IT initiatives, so there is also a cumulative negative impact here. And while enterprises have implemented new technologies at a faster pace since 2015, they continue to maintain security strategies from around 2005 as the WSJ blog correctly points out. As they say in Texas, “that dog don’t hunt.”
Of course, there are countless VC-backed startups trying to bridge these gaps with new technologies for securing discrete IT initiatives, but this is mirrors the problematic legacy model. In the past, enterprises addressed new threats like SPAM, web threats, and advanced malware with individual threat management gateways and software. This led to an operational infosec nightmare where enterprise security defenses and oversight were based upon point tools, manual processes, and patchwork visibility. Things will only get worse if large organizations plug cloud, mobile, and IoT holes with one-off countermeasures that exacerbate operational chaos.
CISOs need to think about new security requirements based upon an old cybersecurity concept: the “attack surface.” In other words, the entire expanding internal and external IT infrastructure should be viewed as a holistic attack surface and addressed accordingly. So risks should be assessed across the complete attack surface while risk mitigation should include central policy management and security controls for distributed policy enforcement that cover the whole attack surface enchilada. This is critical because multi-dimensional threats will pivot from partner IT infrastructure to endpoint devices, to networks, to cloud-based sensitive data, so policies and controls must cover the attack surface and the kill chain. Finally, security analysts need real-time end-to-end visibility for threat detection and response.
DiPietro is right: Technology proliferation is outpacing cybersecurity defenses and oversight, but this is not a new phenomenon. Ten to fifteen years ago, security professionals were concerned about rogue WLAN access points, thumb drives, and iPods. The difference is that we could finesse cybersecurity risk mitigation a decade ago, but this is no longer possible.
Let’s face it: The overall attack surface is really big and only getting more expansive each day. CISOs must accept this reality and stop addressing cybersecurity as a series of discrete problems. The only way to address the growing attack surface is with a comprehensive strategy, integrated controls, and end-to-end security data collection, processing, and analytics.