Security Strategy & Roadmap

Cybersecurity Quarterly Survey, Q1 2022

This quarterly survey will track the state of cybersecurity through 2022. Benchmark your cybersecurity initiatives against peers in Q1, 2022.

How do you forecast a five year roadmap?

Top Answer: Basing your roadmap on the current trends helps a lot, especially for the areas that I'm more interested in, which are educational and agricultural technology. I'm constantly looking at what's happening both here in India, as well as abroad. Then I figure out which players are working on it here right now. I make an evaluation based on the needs that we have here in India. For education, I know that online education is going to play a major role. But I also know that it's not going to be at the secondary level. Online education is going to play out majorly where people need to upskill themselves. I provide training services as well, so I know where the need is.

With a limited IT/IT Security budget, should an organization make investments in the area of Security Awareness Training or Zero Trust?

Top Answer: Technology still cannot compensate for the negligence and naivety of humans. The weakest link in the chain is still employees, so it's always better to invest in training/awareness than fancy technology if you don't have the basics. There is no single product that is Zero Trust. It's a concept and can be achieved by combining various technologies. If someone is selling you a Zero Trust product ... run away. With limited budgets, starting from the low-hanging fruit, education and employees, is the obvious choice.

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Top Answer: Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.

Security Operations Center (SOC) High Level Overview

How are decision-makers running their SOC (if they have one)? Benchmark against your peers.

If you are a current SAP customer, when do you plan to migrate to SAP S/4HANA?

Top Answer: No plan to migrate soon.

What advice would you give security practitioners regarding evolving cyber threats?

Top Answer: Just like you can’t defend what you can’t see, another hard truth is that you can’t secure that which you don’t understand. I think the #1 issue in this space today is the pace of change and the difficulty that security practitioners have keeping up, especially in environments that have multiple generations of technology. If I had one piece of advice for security practitioners, it’s that you need to stay current with new technology as, or before, it's being adopted in your firm. Your colleagues can’t and won’t put their deadlines on hold to wait for security to catch up. I can't emphasize that enough. If you take a job as a CISO or security analyst at an AWS shop, you need to be getting AWS knowledge and certifications to demonstrate to your peers that you understand the space. If you take a job at an Azure shop, a GCP shop or a mainframe shop, you need to be gaining knowledge on those platforms and technologies that you're responsible for securing. Fundamentally, you can’t do it without your colleagues and teammates, and if you don’t understand mainframe security, the mainframe operator who's been doing it for 30 years isn't going to listen to you. If you're not constantly learning and taking courses from places like Coursera or Pluralsight or somewhere, you'll be stale in two years. The idea is to stay ahead of the curve, which is only possible if you have already caught up and can keep up. And if you aren’t caught up with today, it’s almost impossible to anticipate the attacks of tomorrow.

How should security leaders approach API security today?

Top Answer: Security leaders should approach API security holistically. The first generation of API security tools did a good job of illuminating the core problem and the need to monitor API traffic, but it was limited to a “spotlight approach,” which means it only focused on part of the problem. As a CISO, I want to see sunlight: I want to see everything from code to production, with simulated attacks to validate and prioritize exposures. For the last 18 years as a CISO, I've said to vendors, partners and suppliers, “Whatever the threat model is, I need to see assets; actors, meaning who's involved; interfaces, so I know how they are getting to my assets; and actions, which show me who's doing what to what via what.” Only when you have that visibility can you develop a baseline for what normal behavior looks like. Once you have that baseline and you can get your arms around your space, then you reduce your attack surface and deploy resources to remediation of code and 24/7 monitoring, and use machine learning and automated models to alert you when something deviates from that normative behavior. But you can't monitor or defend what you can't see, and blind spots are prevalent; around 50% of APIs are unmanaged today. That focus on visibility is one reason I’m a fan of the NIST model here in the US; the first principle is “identify.” You can’t protect what you can’t see. Creating and exposing APIs is very easy, but finding, governing, and securing them all is not. Adoption of APIs and their exposed logic has outpaced security and DevOps teams’ ability to keep up with or even put a lens on how their data's coming in and out.
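The answer above comes down to "assets, actors, interfaces, actions" and finding the APIs nobody manages. As an added example, not part of the original answer or any vendor's product, the script below does the simplest version of that: it reads gateway access logs, collapses identifier path segments into templates, counts requests and calling clients per endpoint, and reports every endpoint that is not in the documented path list. The log format, the documented paths and the client names are constructed for illustration.

```python
"""Shadow-API discovery from access logs.

Compare the (method, path template) pairs observed in gateway logs against the
documented API surface, and build a per-endpoint baseline of request counts and
calling identities. Added example with constructed sample data.
"""
import re
from collections import Counter, defaultdict

# Constructed: the OpenAPI-style path list the organisation believes is its API.
DOCUMENTED_PATHS = {
    ("GET", "/v1/users/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
}

# Constructed access-log lines: method, request path, status, client identity.
SAMPLE_LOG = """\
GET /v1/users/1042 200 mobile-app
GET /v1/users/1043 200 mobile-app
POST /v1/orders 201 web-app
GET /v1/orders/77 200 web-app
GET /v1/orders/78 200 web-app
GET /v1/internal/export?all=1 200 unknown-client
GET /v1/internal/export?all=1 200 unknown-client
DELETE /v1/users/1042 204 web-app
GET /v0/users/1042 200 legacy-batch
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<client>\S+)$")
# Numeric ids, long hex ids and UUID-shaped segments are treated as object identifiers.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$")


def normalize(path):
    """Drop the query string and collapse identifier segments to {id}, so
    /v1/users/1042 and /v1/users/1043 map to the same endpoint template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def parse_log(text):
    """Yield (method, template, status, client) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["method"], normalize(m["path"]), int(m["status"]), m["client"]


def inventory(log_text, documented):
    """Return (request counts per endpoint, undocumented endpoints, actors per endpoint).

    counts is the 'interfaces' and 'actions' view, actors is 'who is calling what',
    and undocumented is the list the answer above calls unmanaged APIs.
    """
    counts = Counter()
    actors = defaultdict(set)
    for method, template, _status, client in parse_log(log_text):
        counts[(method, template)] += 1
        actors[(method, template)].add(client)
    undocumented = sorted(ep for ep in counts if ep not in documented)
    return counts, undocumented, actors


if __name__ == "__main__":
    counts, undocumented, actors = inventory(SAMPLE_LOG, DOCUMENTED_PATHS)
    for method, template in undocumented:
        print(f"UNMANAGED {method} {template}: "
              f"{counts[(method, template)]} requests from {sorted(actors[(method, template)])}")
```

Run against real logs this is the seed of the baseline the answer describes: once every observed endpoint is either documented or explicitly retired, a new template appearing in the diff is itself the alert.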

How do you improve cybersecurity without driving up costs?

Top Answer: When you do root cause analysis on cybersecurity incidents, it comes down to a few basic things. Either the company didn't have good controls in place to begin with, or they thought they had controls in place, but those controls weren't across their entire estate. So there’s incomplete control: 80% was covered, but 20% wasn't. Even if only 1% wasn't covered, bad actors only need one device. Once they're on it, they can do whatever they want. Another factor is defense. Some organizations have one control and they think that's all they need. But you have to layer these controls so that it becomes much more difficult for the bad actors to navigate through and get to the underlying access they want. When I do root cause analysis on these incidents, I often find that even though the organization had two-factor authentication (2FA), they also had one test VPN account that they forgot about, and that is how the attackers got in. It's always something like that. You don't need to spend millions and millions of dollars to get a good cybersecurity posture. If you have the budget, go for it. But people are going to get you with some basic things. If you don't do the basic things well, all the money you're spending on advanced anomaly detection doesn't matter. Because if you leave the door open, or if you leave the key right outside the door, people are just going to walk in.
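The two failure modes in the answer above, a control that covers 80% of the estate and a forgotten test account that bypasses 2FA, are both findable with a diff between inventories. As an added example, not from the original answer, the script below takes a CMDB asset list, the set of hosts reporting to an endpoint agent, and an account export, and returns the uncovered assets and the accounts that can still reach the VPN without MFA. All three inventories are constructed sample data and the field names are assumptions; in practice they come from the CMDB, the EDR console and the identity provider or VPN export.

```python
"""Control-coverage and MFA-gap check. Added example with constructed data."""
from datetime import date

# Constructed: what the CMDB says exists.
ASSETS = ["srv-01", "srv-02", "srv-03", "lap-01", "lap-02", "lap-03", "lap-04",
          "vpn-test-01", "db-01", "db-02"]

# Constructed: hosts actually reporting to the endpoint agent console.
EDR_HOSTS = {"srv-01", "srv-02", "srv-03", "lap-01", "lap-02", "lap-03", "lap-04", "db-01"}

# Constructed account export: MFA enrolled, VPN entitlement, last login.
ACCOUNTS = [
    {"name": "alice",      "mfa": True,  "vpn": True,  "last_login": date(2022, 3, 1)},
    {"name": "bob",        "mfa": True,  "vpn": True,  "last_login": date(2022, 2, 20)},
    {"name": "vpn-test",   "mfa": False, "vpn": True,  "last_login": date(2021, 6, 2)},
    {"name": "svc-backup", "mfa": False, "vpn": False, "last_login": date(2022, 3, 3)},
]


def coverage_gap(assets, covered):
    """Return (fraction of assets the control reaches, sorted list of the rest).

    The 'rest' is the list that matters: an attacker needs one uncovered device.
    """
    missing = sorted(a for a in assets if a not in covered)
    return (len(assets) - len(missing)) / len(assets), missing


def mfa_gaps(accounts, today, stale_days=90):
    """Accounts with perimeter (VPN) access but no MFA, tagged 'stale' when the
    last login is older than stale_days: the forgotten test account pattern."""
    findings = []
    for acct in accounts:
        if acct["vpn"] and not acct["mfa"]:
            age_days = (today - acct["last_login"]).days
            findings.append((acct["name"], "stale" if age_days > stale_days else "active"))
    return findings


if __name__ == "__main__":
    frac, missing = coverage_gap(ASSETS, EDR_HOSTS)
    print(f"EDR coverage {frac:.0%}; uncovered: {missing}")
    for name, state in mfa_gaps(ACCOUNTS, date(2022, 3, 31)):
        print(f"VPN without MFA: {name} ({state})")
```

The point of returning the list rather than the percentage is that "80% covered" is a dashboard number, while `['db-02', 'vpn-test-01']` is a ticket.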

Outsourcing Cybersecurity Tools and Processes

How many cybersecurity tools and processes are teams outsourcing in 2021?

Why is API security so difficult to manage?

Top Answer: There’s an old saying in security: “Your defense must be informed by the offense.” In general, defenders are always one step behind the aggressors, whether we’re talking about the digital or the physical space. The Maginot Line is a good analogy for the current state of API security in most organizations. The industrial revolution didn’t happen in order to build machine guns; it was for commercial reasons. But these innovations created new military capabilities and in 1914, defenders in Europe didn't anticipate the degree to which the attackers were embracing industrialization in the context of kinetic warfare. Unfortunately, this meant they went riding into battle to defend their homelands on horseback, only to be met by mechanized columns of machine gun fire. After that conflict, in 1930, the best military minds in Europe began construction of the Maginot Line, which was an amazing set of fortifications built to resist a robust ground invasion like the ones they had just endured. But only 10 years later, the next attacks went around the Maginot Line through Belgium and the Luftwaffe flew right over it. The Maginot Line, as impressive as it was, provided a false sense of security and failed to take into account the next set of innovative thought patterns of the attackers. This is basically what we’re seeing in the world of web security, and these same rules apply to what’s happening across the world as companies rapidly create and expose their APIs. We've been dealing with and securing web apps for over 20 years, but 20 years ago they were built much differently than they are today. The legacy term is “monolithic application,” and that was a standard design pattern for years and years; many companies still operate this way. There’s a well-known application security model from an organization called OWASP, and while it’s still valid, it was first published in 2003.
You still have to defend against the attacks from the original OWASP Top 10, like SQL injection and cross-site scripting (XSS). But now companies and governments are rapidly embracing APIs and microservices, and in doing so they're expecting these new exposed services to do a lot more of the security that used to be centralized. The “I” in API stands for interface, and publishing new interfaces changes your attack surface. Attackers always change their tactics to take advantage of new attack surfaces, and if your defenses don’t evolve in real time, you are left with gaps and undefended blind spots. A lot of security and development teams don’t know that OWASP published a new Top 10 specifically for API vulnerabilities beginning in 2019, so unless they’ve revisited their whole framework in the last year or two, there’s a very good chance that they haven’t taken these new attack vectors into account. Going back to the Maginot Line analogy: they didn't have anti-aircraft capabilities when they built it because air power wasn't a big thing, so they had to adapt during battle and learn how to defend up, not just left and right. In the same vein, we need to increase our abilities to defend against the new attacks against APIs, but today API adoption is dramatically outpacing security and the longer this happens, the further apart adoption and security get. There's a huge paradigm change from monolithic applications and the old attacks to the new, distributed API and microservice attack surface. The changing attack surface is one thing, but another is what’s available on the new attack surface. APIs expose application and business logic directly. That's not a bug, it’s a feature. It's by design, but the defenses like web application firewalls (WAF) that we use to defend against the old Top 10 list can’t understand or defend against logic-based attacks.
Yet another aspect of modern application architecture is that you can have multiple teams iterating and changing their APIs quickly. Some folks change their APIs several times per week and sometimes several times per day, and security can’t keep up with these changes. But once you fall behind, it's very difficult to catch up. As API security is a very new space, I use the Maginot Line analogy only to provide a non-computerized historical perspective. This paradigm happens over and over again, and in 10 years, it'll be something else. But for now, when it comes to API security, we're all behind the curve and it's become a big problem that is only getting worse, at least in the short term.
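The answer above says a WAF built for the old Top 10 "can't understand or defend against logic-based attacks". As an added example, not part of the original answer, the code below shows why with the first entry of the 2019 OWASP API Security Top 10, broken object level authorization (BOLA): a request for another user's order contains no injection signature, so a pattern filter passes it, and only an object-level ownership check in the handler stops it. The order store, the handlers and the three WAF signatures are constructed for illustration.

```python
"""BOLA versus a signature WAF. Added example with constructed data."""
import re

# Constructed data store: order id -> owner and amount.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
}

# A minimal signature filter standing in for a WAF tuned to the classic Top 10.
WAF_PATTERNS = [
    re.compile(r"('|\")\s*(or|and)\s+\d+\s*=\s*\d+", re.I),  # SQLi tautology
    re.compile(r"<\s*script", re.I),                          # reflected XSS
    re.compile(r"\.\./"),                                     # path traversal
]


def waf_allows(path):
    """True when no signature matches. A BOLA request looks like normal traffic."""
    return not any(p.search(path) for p in WAF_PATTERNS)


def get_order_vulnerable(user, order_id):
    """Authenticated, but no object-level check: any logged-in user reads any order."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    return 200, order


def get_order_fixed(user, order_id):
    """Object-level authorization: the caller must own the object it names.
    Missing and forbidden return the same status so the id space cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return 404, None
    return 200, order


def request(handler, user, path):
    """Route GET /v1/orders/<id> through the WAF, then the handler. Returns (status, body)."""
    if not waf_allows(path):
        return 403, None
    m = re.fullmatch(r"/v1/orders/(\d+)", path)
    if not m:
        return 400, None
    return handler(user, int(m.group(1)))


if __name__ == "__main__":
    # alice asks for bob's order; the WAF sees nothing wrong with the request.
    print("vulnerable:", request(get_order_vulnerable, "alice", "/v1/orders/102"))
    print("fixed:     ", request(get_order_fixed, "alice", "/v1/orders/102"))
    print("sqli:      ", request(get_order_fixed, "alice", "/v1/orders/1' or 1=1"))
```

The check in `get_order_fixed` is one line, but it has to live in the service that knows who owns what; no perimeter device has that information, which is the gap the answer describes.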

What do you do when a business won't follow your cybersecurity recommendations?

Top Answer: You have to treat those situations with the same disposition a doctor would have. I've done over 200 assessments around the globe, often in organizations that are seen as mission-critical to the country they’re in. It’s often a massive enterprise that’s responsible for the country’s gross domestic product, so I don't take it personally when they take my report and put it on a shelf. I did everything I could; I learned about the system and its makeup. It’s just the nature of the beast.

How do you foster a collaborative dynamic when assessing another organization’s cybersecurity?

Top Answer: I made some great friends doing cybersecurity assessments. I can pick up a phone in a foreign country and never need to worry about a meal. It's amazing the way a community rallies around itself, but that comes with a certain level of diligence and discipline, where you're each able to demonstrate to the other that you're not there to make them feel bad. You're in the trenches with them, trying to do the same thing for the same team. You just have a better vantage because you’re the mercenary who has been out there, seeing the world as it is. That gives you the ability to make a more effective decision. Then you could even be asked to be a SANS instructor based on your community impact because you approach it with an agnostic view, and you're able to remove the ego from what you're trying to achieve. That allows you to assess the individual, team, or institution as a whole and say, "It's not about this one factor of the multi-factored Swiss watch of the customer security program. I don't care about that one cog. I care about the entire watch piece." That creates a different dynamic. It used to be that when I would come in to perform a forensic assessment on an organization, the legal liability of that risk was identified as the “Joe factor” as we would witness factors that other tools left behind by using our methodology. People in those organizations thought, “If that person sees too much, he needs to go because he understands exactly what's broken. If we have to dismiss this individual, we are in trouble.” So there is a certain approach that you need to bring in as the outside party to bridge the gap between acting in the best interests of all involved.