The Expert View: In cyber-security, prevention is better than cure

The threat landscape for cyber-security has continued to evolve, with a ransomware breach now happening every 11 seconds, said Zac Warren, Chief Security Advisor at Tanium, introducing a TEISS Breakfast Briefing at London’s Goring Hotel.

He told attendees at the briefing, all senior cyber-security specialists from a range of sectors, that despite a total worldwide spend of $180 billion per year on cyber, organisations are still struggling to secure their systems. Attendees shared their insights on how to address complexity in cyber-security.

Archaeologists, not architects

Complexity was a major problem for attendees. Of course, there are the external complexities of an ever-evolving threat landscape, and background challenges such as the Covid-19 pandemic and the war in Ukraine. But more immediate is the internal complexity of IT systems.

One attendee pointed out that the systems his team must secure cover a spectrum that extends from legacy systems at one end to brand-new projects spun up a few hours ago by DevOps. Securing everything is a challenge because organisations typically do not have complete visibility of their IT estate. In the case of some systems, nobody on the present team fully understands why these systems were set up as they are. As one attendee said: “We don’t need IT architects, we need IT archaeologists!”

The problem is exacerbated by the fact that many legacy systems were built before security was a consideration, while new projects are often planned without thought given to how they will be secured during their use or at the end of their lifecycle. Attendees described this as technical debt that starts accruing as soon as a project goes live.

Moving towards a proactive, preventative stance

To tackle complexity in cyber-security, attendees emphasised the importance of visibility. Organisations need to understand their IT estate and identify their most sensitive data, APIs, and applications. Some organisations will find that up to 30 per cent of the estate can be shadow IT.

Securing everything doesn’t necessarily require a best-of-breed tool for every task, said Warren. He advised attendees to begin by seeing if they can get more out of the tools they already have. He said that companies often have as many as 70 tools, and they are seldom using any of them to their full capacity. This kind of assessment might reveal that the business already has the tools it needs.

But no defence is perfect, so multiple layers are needed to help catch as much as possible. Authentication and authorisation were identified as key elements for incident management. Knowing who is on the network is crucial, especially in a cloud environment. Authentication and authorisation also help identify unusual behaviour, such as someone accessing data that they shouldn’t have access to, or logging in from an unexpected location.

Automation can help reduce noise and automate low-risk, low-value tasks. However, there are limitations to automation, attendees said. It needs to be configured, and finding people with the necessary skills to do so can be challenging. Additionally, it can be difficult to apply automation to legacy systems that are not always compatible with modern tools.

Demonstrating the value of cyber-security

Attendees noted that boards can get frustrated with cyber-security spending, especially if the organisation has a lot of tools. Paradoxically, board members don’t necessarily see the value of cyber-security spending until there is an incident. To address this, cyber-security professionals need to work on helping the board understand the value of their investment and move the conversation towards the right protection for the organisation.

Regulations were also identified as a way to drive change. Cyber-security regulations can have a similar effect to health and safety regulations, driving a better attitude to risk in the workplace. Attendees cited Cyber Essentials Plus as an example of a beneficial regulation, particularly since it is a barrier companies must clear so they can work with the government.

Attendees concluded that addressing complexity in cyber-security is a multifaceted problem. Organisations must have a clear understanding of their IT estate and adopt a proactive, preventative stance. Cyber-security professionals must work with the board to demonstrate the value of investment and drive the conversation towards the right protection. Ultimately, it was agreed, cyber-security is a continuous process that requires constant attention and evolution.

For more information, please visit www.tanium.com.