National Cybersecurity Awareness Month
The state of the cybersecurity sphere today lies somewhere between a rosy picture of technology made safe by vendor services and dire forecasts of a coming cyberapocalypse. Where in the middle ground the enterprise finds itself, however, can be hard to pinpoint.
A host of private and public tech leaders, IT specialists and tech vendors gathered at CyberTalks in D.C. last week to discuss where on this spectrum the current cybersecurity environment finds itself and what the path is moving forward.
As speakers moved from Equifax lessons to data encryption and cloud security to setting up a system, widespread recognition of industry deficiencies, global tech shortcomings and the risks of modern cyberthreats left little to the imagination.
So in case you missed it, here's what the experts had to say at CyberTalks:
1. Whoever said there is safety in numbers?
The pace of technological innovation can completely transform a workplace or industry in a matter of years. Just take a look at developments in mobility and the Internet of Things. Ease of connection across personal and professional lives has led to what Brett Hansen, VP of Data Security Solutions at Dell, described as a "workplace transformation."
With new devices added every day and continuous information transfer across personal email, public clouds and public Wi-Fi, business networks are unhygienic, according to Hansen. But cutting back on a connected, mobile workforce simply is not an option for most companies: employees expect the same tools in the office that they have at home, which expands the IoT footprint and strains business security.
Millennials have been known to choose a job by the IT environment on offer, according to Hansen. Their proclivity for independent communication and information sharing is viewed as one of the greatest threats to workplace security, especially in the tech industry, where they hold a larger share of jobs than in other sectors.
Since companies cannot stem the flow of new devices, the next best option is to adopt what many experts described as a "data-centric" approach to cybersecurity. This certainly requires a holistic look at endpoints and end users, but it must also go deeper, to the data itself.
2. Secure everything but the kitchen sink
Strong cybersecurity is an obvious goal for every organization, but it's incredibly difficult to attain because of how many factors and actors are at play. There are a multitude of ways to enhance data security, and when combined, they offer organizations a vital backbone for security.
Hackers often penetrate a system through the path of least resistance, so shoring up simple and obvious endpoint security is important. Access management controls, covering both who is allowed to reach which data and multi-factor authentication, are tried and tested measures every company should adopt.
In an ideal world, endpoint security would not be a problem, but the reality of time-to-market pressures has inadvertently created an insecure device environment, according to Jeff Eisensmith, CISO of the U.S. Department of Homeland Security.
Even once access to a system has been gained, encryption offers another layer of defense. Until recently, data could be encrypted at rest and in transit but had to be decrypted in order to be processed; advances in confidential computing now allow it to remain encrypted in use as well, said Mark Russinovich, CTO of Azure. Data that is never in the clear presents yet another hurdle to malicious actors. Equifax is just the latest example of a company that did not encrypt sensitive information and is paying the price.
Better security measures upfront are essential to transforming security strategies from reactive to proactive, a strategic move which many called for over the course of the day.
But try as one might to be proactive, every company ultimately needs to build cyber resiliency, because breaches will remain a matter of 'when' and not 'if' for the foreseeable future. Ensuring business continuity and stability after an incident is critical to recovery.
3. Don't bring a floppy disk to a cyberfight
Tech leaders should remember that no matter how good their tools are, a truly effective security system often boils down to the user, and one of the few constants about human behavior is the inevitability of human error. Companies need to either get rid of users or passwords, said Akhilesh Tiwari, global head of Enterprise Application Services at Tata Consultancy Services.
But the human factor often cannot be automated away or taken out of the loop. Authentication, access management, resiliency and applications are all important focus areas, but companies also need to pay attention to workforce and employee skill enhancement, said Tom Ruff, VP of Public Sector at Akamai Technologies.
The business losses from an under-prepared workforce extend far beyond the losses from cybercrime, with the mishandling of new technology estimated to cost $6 billion annually. Add the tens of millions of dollars a year businesses stand to lose from cyberattacks, and early investment in employee training and upskilling no longer looks like such a financial burden.
4. There's no 'me' in IT
CyberTalks saw many calls to action for members of the public and private spheres in the face of growing cyberthreats. When faced with an asymmetric threat, discrete parties must pool their defenses to overcome it, said Marten Mickos, CEO of HackerOne.
Mickos' experience running bug bounties is one example of how a partnership between groups that are ordinarily at odds can result in improved cybersecurity. Mickos led events to find vulnerabilities in Air Force, Army and Pentagon computer systems, surprising many with discoveries made in a matter of minutes, and once at the hands of a teenager.
Cooperation extends beyond human interactions to interoperability across computer systems. Heterogeneous data security tools that are not tied to one infrastructure are essential in today's environment, according to Hansen. As-a-service models and the popularity of multi-cloud platforms necessitate commonalities throughout security systems.
Few companies work as an island today, and organizations are only as secure as every service vendor, partner and professional organization with which systems and data are linked.
5. Trickle down techonomics
With government IT on the brink of a new modernization effort under the current administration, CyberTalks gave plenty of attention to public servants in the lineup and their efforts in the cybersecurity landscape.
Margie Graves, acting federal CIO, called for a tight partnership between the government and the industry for security purposes and to facilitate government IT upgrades. Furthermore, she called for companies and agencies alike to tie every dollar in their IT budgets to reducing risk.
The costs of cybersecurity, however, are often unknown. No CISO can go to an executive board and definitively say they need a specified amount of money to fix or stop a cyber event, said Karen Evans, national director of U.S. Cyber Challenge. Many other experts echoed the sentiment, noting the difficulty of pinpointing the level of monetary investment at which a security vulnerability gets discovered or fixed.
The U.S. government is certainly not alone in trying to keep budget costs down, and unpredictable upfront cybersecurity costs can be difficult for CIOs and CISOs to nail down. Effectively pricing security measures and IT costs has led to tensions in the C-suite between IT officers and CFOs.