The Changing World of Cyber Security

Francesco Cipollone, CISO & Director NSC42, Chair of Cloud Security Alliance UK & Ireland


What, according to you, are some of the cybersecurity trends affecting organizations across the enterprise/industry spectrum as a whole?

The top 3 trends I’ve seen happening over the years have been:

Move to the cloud: This trend has pushed organizations to reconsider boundaries (network) and the management of third parties. After an initial period of reluctance to trust the cloud providers, the industry is now shifting to trusting the providers fully with PaaS solutions. Complete trust in the provider has two sides of the coin. On one end, the cloud provider serves a wide array of customers, hence their security posture is quite strong... stronger than that of one specific organization. With the push to cloud adoption this trend is changing.

On the other end, organizations are putting too many eggs in one single basket (the cloud provider), and this leads to vendor lock-in, too much trust in the vendor ("security is the cloud provider's responsibility") and laxity in security monitoring.

We've seen recent incidents (like Google G Suite) going down for hours, and organizations that relied solely on G Suite found themselves without backup or collaboration. This hopefully stimulated a solid discussion of multi-cloud strategy. Ultimately, if the cloud provider breaches the SLA, it will only refund. Also, another element the industry is starting to consider is how much it costs to back up information to a different cloud provider and, more importantly, how much time and cost it takes to restore.

The Cloud Security Alliance, which I represent as head of UK & Ireland, has made a decisive effort in providing standards for the cloud as well as white papers. On the subject of white papers, we recently published a one-pager on backup strategies and we will host a webinar soon.

DevOps + Sec + Biz: With the shift of organizations to engineering and more and more startups coming up, the pressure to deliver Minimum Viable Products, prototyping and, most importantly, going to market quickly is absolutely critical for organizations.

With this trend, the time to secure the application is getting more and more squeezed. It was already challenging to have the security team review applications and designs in a waterfall approach; now the time is even more squeezed.

"Security teams need to develop empathy with the software engineering team if they want to demand the same empathy"

For the above reasons, two major trends started appearing:

Shifting left and making security everybody’s job.

Security review and automation

Shifting left (like a boss, as my good friend Tanya says) is the art of doing security in the very early phases of application development.

Normally an application is developed in the following phases:

1. Capturing requirements

2. Designing the application

3. Building the application

4. Testing the application

5. Deploying the application in production

6. Changing the application (back to point 1)

The traditional security approach left security at the very end, with a bunch of security tests (or penetration tests) before deployment into production.

Role of the architect and shift back to software engineering: With the move to the cloud, a lot of traditional roles, and controls, are becoming programmatic (infrastructure, network, ...). Network security and infrastructure security are still quite relevant but are becoming more and more programmatic, automated and ultimately the responsibility of cloud providers (e.g. PaaS, SaaS services).

This has pushed entire organizations to re-focus on application security, which has seen a boost of response in the last two years. Security teams are now becoming software teams with a security mindset. Nonetheless, there are not enough resources to fill security jobs (>> insert statistics).

This has resulted in a nice mix of developers skilled up on the security perspective.

What are some of the best practices that can be deployed to effectively mitigate cybersecurity challenges?

Top 3 things to implement:

Measure everything and make data-driven decisions: Making risk-based decisions and training decisions based on evidence (how many vulnerabilities, what the higher risks are) would enable the business to be more effective in its spending (tools/effort/training).

Stop the trend of the security team saying no: The default answer should be 'let me see how we can help you make it more secure'.

This creates a better culture of collaboration. I've seen evidence of development teams asking security for help when the trend got reversed. Before that time, security tended to act through audit and punishment.

Don't get me wrong, this is still the case (trust & verify), but the approach should be one of collaboration with the team that needs it the most.

Develop an empathetic approach (business and development): The business needs to be able to go to market to produce revenue; security risks need to be balanced with the financial risk of not being able to go to market. Security can't be the department that says no anymore.

The security department can't be separate from the engineering department. Security teams need to develop empathy with the software engineering team if they want to demand the same empathy! Meet in the middle.

Also, security should work with the dev team to produce actionable items (not abstract policies).

What role will cybersecurity organizations play in the upcoming months to further enhance protection of connected networks?

Everything is getting connected (toasters, kettles).

The companies that produce that equipment are not software houses and often do not have any clue or concept of security.

IoT regulation is starting to appear, as well as critical national infrastructure protection, but we are far off from securing environments with IoT devices.

For enterprises, I would suggest not getting relaxed about the concept of the perimeter (hard shell and soft inner goo). The security of the perimeter gets invalidated as soon as there is a device connected internally.

But also don't go to the opposite extreme (zero-trust network). Balance the risk of an inside attack/insider threat with the mitigation that a perimeter can offer.

With startups continuing to disrupt market cultures and the way companies function, what is the one piece of advice you would share with these CIOs on the methods to keep the business safe and simple?

The one piece of advice I can give is to evaluate security risk in monetary form.

• What is the brand and monetary cost of losing one specific application/website (ransomware attack)?

• What are the fines for breaching a specific regulation (e.g. GDPR, 2-4% of global turnover)?

• What is the business risk vs the security risk?

My suggestion for software development is to shift left, test extensively and include fixing security vulnerabilities as part of the everyday software development cycle. Security bugs are no different from functional bugs, but they have a bigger impact (financial, brand, fines ...).

Also, security culture shall be extended to all parts of the organization. A breach or an intrusion (social engineering) could come from the finance, marketing or sales department. Those are the people most vulnerable to social engineering and, with adequate training, they could become your strongest allies.

E.g. the social media/marketing department could protect the brand with effective communication when a breach or incident occurs.

The finance department could detect when shadow IT is being used and alert the security department, because they are the holders of the budget.
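The advice above to evaluate security risk in monetary form can be made concrete with an annualised loss expectancy (ALE) calculation and a return on security investment (ROSI) comparison. The script below is an added example written for this page; it is not the interviewee's code or a CSA artefact. The GDPR tiers are the real Article 83 caps (2% of global annual turnover or EUR 10M, and 4% or EUR 20M, whichever is higher); every scenario figure, control cost and reduction factor is constructed for illustration.

```python
# Added example (not from the interview): security risk in monetary form.
# ALE = (single loss expectancy + worst-case fine) x annual rate of occurrence.
# All scenario and control figures below are constructed for illustration.
from dataclasses import dataclass
from typing import List

# GDPR Art. 83: lower tier up to 2 % of global annual turnover or EUR 10M,
# higher tier up to 4 % or EUR 20M, in each case whichever is higher.
GDPR_TIERS = {"lower": (0.02, 10_000_000), "higher": (0.04, 20_000_000)}


def gdpr_max_fine(global_turnover: float, tier: str = "higher") -> float:
    """Worst-case fine for a tier: the greater of the percentage and the fixed cap."""
    pct, fixed = GDPR_TIERS[tier]
    return max(global_turnover * pct, fixed)


@dataclass
class Scenario:
    """One loss event expressed in money."""
    name: str
    single_loss: float            # SLE: downtime, recovery, brand damage for one event
    annual_rate: float            # ARO: expected events per year (0.2 = once in 5 years)
    regulatory_fine: float = 0.0  # worst-case fine attached to one event

    def ale(self) -> float:
        """Annualised loss expectancy: (SLE + fine) x ARO."""
        return (self.single_loss + self.regulatory_fine) * self.annual_rate


@dataclass
class Control:
    """A mitigation with an annual cost and the fraction of ALE it removes."""
    name: str
    annual_cost: float
    reduction: float  # 0.0 .. 1.0


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (avoided loss - cost) / cost.
    Negative means the control costs more than the loss it avoids here."""
    avoided = scenario.ale() * control.reduction
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(scenario: Scenario, controls: List[Control]) -> List[str]:
    """Control names ordered by ROSI for this scenario, best first."""
    ordered = sorted(controls, key=lambda c: rosi(scenario, c), reverse=True)
    return [c.name for c in ordered]


# Constructed figures for a hypothetical company with EUR 1bn global turnover.
TURNOVER = 1_000_000_000
RANSOMWARE = Scenario("ransomware on customer portal",
                      single_loss=250_000, annual_rate=0.2)
DATA_BREACH = Scenario("personal data breach",
                       single_loss=400_000, annual_rate=0.05,
                       regulatory_fine=gdpr_max_fine(TURNOVER))
CONTROLS = [
    Control("offline backups + restore drills", annual_cost=20_000, reduction=0.8),
    Control("endpoint detection and response", annual_cost=60_000, reduction=0.5),
]

if __name__ == "__main__":
    for s in (RANSOMWARE, DATA_BREACH):
        print(f"{s.name}: ALE = EUR {s.ale():,.0f}")
    for s in (RANSOMWARE, DATA_BREACH):
        print(f"{s.name}: controls ranked by ROSI -> {rank_controls(s, CONTROLS)}")
```

The point of the comparison is the one the answer makes: the same control can be a clear win against one scenario and a net cost against another, so the numbers, not the tool's feature list, should drive the spending decision.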
