Vidya Phalke

The Future Of Cybersecurity

In 2013, President Obama issued an Executive Order to protect critical infrastructure by establishing baseline security standards. One year later, the government announced the cybersecurity framework, a voluntary how-to guide to strengthen cybersecurity. Meanwhile, the Senate Intelligence Committee voted to approve the Cybersecurity Information Sharing Act (CISA), moving it one step closer to a floor debate.

Most recently, President Obama unveiled his new Cybersecurity Legislative Proposal, which aims to promote better cybersecurity in information-sharing between the United States government and the private sector. As further support, the White House recently hosted a Summit on cybersecurity and consumer protection at Stanford University in Palo Alto on February 13, 2015, which convened key stakeholders from government, industry and academia to advance the discussion on how to protect consumers and companies from mounting network threats.

No doubt we have come a long way, but looking at the front-page headlines today reminds us that we’ve still got a long way to go. If the future is going to be different and more secure than today, we have to do some things differently.

I recently participated on a panel titled “The Future of Cybersecurity” at the MetricStream GRC Summit 2015, where I was joined on stage by some of today’s leading thinkers and experts on cybersecurity: Dr. Peter Fonash, Chief Technology Officer, Office of Cybersecurity and Communications, Department of Homeland Security; Alma R. Cole, Vice President of Cyber Security, Robbins Gioia; Charles Tango, SVP and CISO, Sterling National Bank; Randy Sloan, Managing Director, Citigroup; and moderator John Pescatore, Director of Emerging Security Trends, SANS Institute.

The purpose of this panel was to convene a diverse group of experts who believe in a common and shared goal – to help our customers, companies, governments and societies become more secure. This panel followed on the heels of a keynote address by Anne Neuberger, Chief Risk Officer of the NSA, who spoke about a simple challenge that we can all relate to: operations. Speaking on her experience at the NSA, Neuberger articulated that a lot of security problems can be traced back to operations, and more precisely, to this idea that ‘we know what to do, but we just weren’t doing it well’ or ‘we had the right data, but the data wasn’t in the right place.’

Moderator John Pescatore from SANS Institute did an exceptional job asking the questions that needed to be asked, and guiding a very enlightening discussion for the audience. For one hour on stage, we played our small part in advancing the discussion on cybersecurity, exploring the latest threats and challenges at hand, and sharing some of the strategies and solutions that can help us all become more secure.

Here are the five key takeaways that resonated most.

Topic 1: Threat information sharing tends to be a one-way street. There is an obvious desire from the government to get information from private industry, but a lot more needs to be done to make this a two-way street.

According to Dr. Peter Fonash, Chief Technology Officer at the Office of Cybersecurity and Communications at the Department of Homeland Security, the DHS is looking to play a more active role in threat information sharing. To that end, the DHS is actively collecting a significant amount of information, and even paying security companies for information, including the reputation information of IP addresses. However, the government faces challenges in sharing that threat information: first, getting the information as “unclassified as possible,” and second, the many lawyers involved in making sure that everything that is shared is shared in a legal manner. Dr. Fonash stressed that government faces another challenge: private industry thinking that government is in some way an adversary or industry competitor when it comes to threat information. This is simply not the case.

Topic 2: There are lots of new tools, the rise of automation, big data mining – but the real challenge is around talent.

Simply stated, our organizations need more skilled cybersecurity professionals than the current supply offers. For cybersecurity professionals, it is a great time to be working in this field, with job security for life, but it is a bad time if you are charged with hiring for this role. Automation and big data mining tools can definitely help when they are optimized for your organization, with the right context and analysts who can review the results of those tools. According to Alma R. Cole, Vice President of Cyber Security at Robbins Gioia, in the absence of the skill-sets that you aren’t able to find, look internally. Your enterprise architecture, business analysis, or process improvement leaders can directly contribute to the outcome of cybersecurity without themselves having a PhD in cybersecurity. While cybersecurity experts are needed, we can’t just rely on the experts. Cole makes the case that as part of the solution, organizations are building security operations centers outside of the larger city centers like New York and DC, where salaries aren’t as high and there isn’t as much competition for these roles. Some organizations are also experimenting with virtual security operations centers, which provide employees with flexibility, the ability to work from anywhere, and improved quality of life, while also providing the organization with the talent they need.

Topic 3: We are living and doing business in a global economy – we sell and buy across the world and we compete and cooperate with enemies and business partners around the world. We are trying to make our supply chains more secure but we keep making more risky connections.

According to Charles Tango, SVP and CISO at Sterling National Bank, this might be a problem that gets worse before it gets better. We’ve seen a dramatic increase in outsourcing, and many organizations have come to realize that the weakest link in the chain is oftentimes their third party. At this moment in time, as an industry, banks are largely reactionary, and there’s a lot of layering of processes, people and tools to identify and manage different risks across the supply chain. The industry needs a new approach, wherein banks can start to tackle the problem together. According to Tango, we won’t be able to solve this challenge of managing our third and fourth parties on an individual bank-by-bank basis; we have to start to tackle this collaboratively as an industry.

Topic 4: No doubt, the future of applications is changing dramatically, and evolving every day – just look at the space of mobile computing.

According to Randy Sloan, Managing Director at Citigroup, from a dev-ops automation perspective, if you are introducing well-understood components and automation such as pluggable security, you are way out in front, and you are going to be able to tighten things up to increase security. More challenging from an app-dev perspective is the pace – the rapid development and the agile lifecycles that you have to keep up with. The goal is always to deliver software faster and cheaper, but that does not always mean better. Sloan advocates for balance – investing the right time, from IS architecture to putting the right security testing processes in place, and focusing on speed – slowing things down and doing things more thoughtfully.

Topic 5: We’ve got dashboards, and threat data, and more sharing than ever before. But what we need now are more meaningful approaches to analytics that aren’t in the rear view mirror.

I believe over the next few years, organizations will be more analytics driven, leveraging artificial intelligence, automation, machine learning and heuristic-based mechanisms. Now the challenge is figuring out how to sustain it. This is the value of an ERM framework where you can bring together different technologies and tools to get information that can be distilled and reported out. This is about managing and mitigating risk in real time, and intercepting threats and preventing them from happening rather than doing analysis after the fact.

We live in an increasingly hyper-connected, socially collaborative, mobile, global, cloudy world. These are exciting times, full of new opportunities and technologies that continue to push the boundaries and limits of our wildest imaginations. Our personal and professional lives are marked by very different technology interaction paradigms than just five years ago. Organizations and everyone within them need to focus on pursuing the opportunities that such disruption and change brings about, while also addressing the risk and security issues at hand. We must remember that the discussions, strategies, and actions of today are helping to define and shape the future of cybersecurity.

By Vidya Phalke, CTO, MetricStream
