Almost every day, another cybersecurity start-up goes to market with a new product claiming to be the latest silver bullet that will surely solve the growing cybersecurity problem. Yet, also almost every day, another organization is in the headlines for a major breach, finding out the hard way that they are not adequately protected. The issue is straight-forward– as companies grow, they leverage emerging trends and technologies to create more open, decentralized, and interconnected environments that will support efficiency. This increased footprint, then, means more vulnerabilities. Further compounding the problem, though, is the fact that historically, resources for security have not kept pace with the amount of time, money, human capital, and attention given to IT. This imbalance between IT and Security over time has brought us to the existing, seemingly insurmountable chasm between business technology and cybersecurity–and attackers seem to be able to play there all day long. Not only are we facing a massive vulnerability gap, but the resources needed to fix it simply aren't there. Once a company finally realizes it is suffering from pervasive, ineffective data protection practices, they go to find help and are faced with a widespread Information Security workforce shortage. We have too much stuff and too few experts, with the inability to distinguish between "silver bullets" and true solutions. Given this massive IT-Security gap and the challenges of overcoming it, how can companies begin to balance their IT efficiency and security? Why can’t IT and Information Security teams continue to follow their traditional paths of separation? What is the solution, with the threat landscape far outpacing available cyber security resources?
What is the net result of spending time, money, and design cycles on IT, then later attempting to drop security controls on top of existing IT architecture (usually well after the real budget has been spent)? We are looking at a business technology culture that is high-functioning, fast-paced, rapidly changing, and absolutely vulnerable to staggering losses. Take, for example, the recent UK hack where a disgruntled former employee, Steffan Needham, was able to access the environment of his former employer, Voova, a software provider. After having been dismissed for sub-par performance, Needhamsimply used his former co-worker’s credentials to log in to Voova’s AWS cloud instances and begin deleting business data. All in all, Needham was able to eliminate roughly £500,000 (about $633,000) of business critical information, the fallout of which has been devastating to the company’s bottom line. While at first glance, this may not seem like a massive loss compared to some of the recent breaches that have made headlines, consider that this wasn’t the only damage Voova sustained. In addition to having to slow productivity due to missing documents and information, the company also lost a handful of their largest customer contracts because they simply couldn’t deliver at the pace they had before. They lost consumer confidence.
Since the hack, Voova has admitted that had they just implemented multifactor authentication as part of their systems configuration, this attack would likely have been thwarted. We would add, however, that separating user roles and limiting associated permissions would also have helped prevent the breach. Sure, this would mean requiring multiple admins and proper approvals for severe actions such as deleting servers, perhaps slowing down the ability to accomplish some things, but the brilliance is that it slows down the ability to accomplish some things. Do you really want it to be that easy to access and make changes to your vital business data?
This kind of permissions setup requires security-mindedness up-front for managing configurations, security settings, and employee ease of access. If they had asked us how to set up their environment, we would also have recommended that Voova implement ongoing monitoring of their systems to detect anomalous employee behaviors, and they also would also have had proper off-site backups in place so they could recover in the event of a disaster–which this most certainly was. Unfortunately, none of those measures were in place, and it remains to be seen whether Voova will join the 80% of breached companies who go out of business within two years of a hack.
If security and IT teams are working together, disasters such as these can be averted on the front end with layers of security controls, detected on the back end, with proper monitoring, and quickly recovered from with proper backup architecture. It seems a simple and obvious concept to just protect oneself from the beginning, but understanding the reasons organizations fail to do so is key in addressing the underlying problems.
- Historical separation of IS and IT Teams
Working from a system intended to promote checks and balances, many organizations have historically separated IT and IS teams, processes, budgets, and efforts. The original thought went something like this– information security will be examined once we implement all the technology we need to meet business needs. Then, once a year, we will want a team of security auditors to come in and objectively assess that environment, looking for gaps. To protect auditors’ objectivity, we won’t consult them during design, for fear of clouding their judgment when they come back to test.
- Worsening Cybersecurity-IT Resource Gaps
While no one will disagree that during an outside validation or security audit, objectivity is key, why wouldn’t you also want to build a team that includes highly trained security professionals with the same level of knowledge as your security assessors, so they can help you engineer a secure environment for that outside team to validate and test? It would save your being handed a yearly punch list of remediations so overwhelming that you are unlikely to have the budget or workforce to implement all of them, not to mention the vulnerabilities you will sustain while trying to work your way down the list. Think of it in terms of building a house. Just because you will eventually have a team of objective home inspectors come to make sure your house is sound and built to code, you would never dream of starting construction without the input of an architect and general contractor who understand how to design and build a house that is sturdy, secure, and up to code. That would be unthinkable, not to mention extremely inefficient and expensive. You would find yourself having built with the wrong materials, or placed footers and support beams in the wrong places–and any professional will tell you that once those are set and you build on top of them, your house will be vulnerable to impending disaster. This is the situation many organizations find themselves in, with IT teams that are trying to cope with pre-existing, sprawling environments that are growing so fast, they simply can’t seem to secure them properly, or implement all the necessary changes with the minimal resources they have.
- Solving Problems in your IT-Security Ecosystem
One thing is clear, the growing chasm between Information Technology and Information Security has resulted in the widest cyber threat landscape seen since the advent of computing. The solution? Begin consulting with trained professionals who have the expertise across IT and Information Security to help your teams architect environments and cloud migrations that are designed with equal parts function and security, from day one. The reality is that you may be dealing with an iron ship, so change will take time, support, incremental program development, measured improvements, and planning to move in the right direction and avoid catastrophe. That’s where a unified team of cyber-security and IT professionals can work with your existing teams to provide cost and time-efficient support–before audit season–to help you implement scalable, security engineered solutions that will keep you from becoming the next Voova.
To learn more about what it means to build security engineered solutions, join TRUE CEO, Rory Sanchez, and TRUE CISO, Jerald Dawkins, PhD, for a webinar detailing a new way of thinking about IT and Cybersecurity.
If you have experienced a security incident and would like immediate support, or if you would like to talk with someone about strengthening your organization’s security posture in measured steps, you can reach out to us at firstname.lastname@example.org