EB: Do organisations today have a thorough grasp of the trends shaping their industry and the impact these are having on their security posture?
MP: It’s a given that senior IT executives keep track of the trends impacting their industry. But, what they don’t do is effectively adapt the way they work in response to them. Many IT teams are still treating security in the same way that they did 20 years ago. They are continuing to strengthen the infrastructure they already have, which is well understood by cyber criminals and therefore unlikely offers adequate protection.
EB: What are the key components of a security strategy that meets the demands of the ‘modern world’?
MP: Having a team of like-minded executives who are willing to embrace change is a critical factor. Too many IT departments see their role as ‘keeping the lights on’ rather than delivering change and therefore, innovation to the business. Second is adequately meeting the demand of that change. With applications and users migrating to the cloud, security needs a similar strategy. That’s because the sheer volume of traffic generated by cloud computing is growing exponentially every year. The old way of stacking up security appliances in the data centre and creating a moat is no longer effective to protect today’s cloud-enabled, agile business.
EB: Many organisations are focused on digitalisation, but what security hurdles does that create and how should businesses be tackling them?
MP: The main hurdle with “cloudification” is that network infrastructure has to be taken into consideration as well as security to ensure consistent user experience, when accessing cloud-based apps. Teams can’t just strengthen the hardware they’ve already got at a few internet gateways. This would incur latency and high MPLS costs due to the amount of cloud-based traffic. Forward-thinking organisations are considering network redesigns to allow local internet breakouts and profit from a cloud-based approach to security that can scale to reach all destinations outside of the corporate perimeter. This will ensure all users and all assets are secure, regardless of location.
EB: Is manual intervention alone enough to secure the enterprise and handle the increasing levels of cybercrime today?
MP: If enterprises simply add more hardware components to improve their security, all they are really doing is adding another layer of administration for security that won’t scale. Typically, organisations today have high stacks of security appliances within their portfolio, all provided by different manufacturers and these devices cannot talk to each other. That means that IT spends vast amounts of time evaluating and correlating logs from different systems and feeding them into a common SIEM (security information and event management system) to check for modern threat patterns. This is very time consuming and relies on organisations having the specialist personnel in place to start with, which is difficult to guarantee.
By using modern cloud-based approaches, where security updates are installed automatically at a much higher frequency, teams can comfortably gain the upper hand in the fight against malware threats.
EB: In your opinion, what is the biggest security myth amongst organisations today?
MP: Organisations still believe that they need a secure network and that their staff will connect to it. This myth will be dispelled in the next five years, as continued digitalisation and the volume of traffic crossing the perimeter increases. Modern organisations have already recognised that the internet is becoming the new corporate network. They no longer have the majority of users connecting to the network, but have moved data and applications into the cloud, protecting the traffic to the internet off-premise. Only their intellectual property is kept and protected on-premise like Fort Knox.
EB: If you could offer business leaders one piece of security advice, what would it be?
MP: Be prepared to take the leap. Don’t treat defence in the way that you have done for the last 20 years – that would be fighting a losing battle. Cyber criminals have been watching you do it and therefore know exactly how to exploit it. Workplace apps have migrated to the cloud and the same move is wise for security.