
Advertorial feature by VMware
3 May 2019, updated 08 Sep 2021 11:08am

An intrinsic approach to cyber security.

If you want cyber security to work, it needs to be about fewer products delivering more value.    

By Jordi Ferrer

The government’s recent Cyber Governance Health Check revealed that boards at some of the United Kingdom’s biggest companies still don’t fully understand the potential impact of a cyberattack. That’s a huge problem and in many ways surprising considering the air time and column inches given to hacks in recent years.

With over £100bn forecast to be spent on security platforms globally by 2022, the challenge is to ensure money is spent well and not just on adding more products to an already complex security infrastructure. Between 30 and 80 different security tools are typically used by companies each day. This is in stark contrast with other IT priorities where consolidation has driven efficiency and value.

Over the past decade the security market and its customers have focused on reacting to a sophisticated threat landscape, with little done to help companies reduce their attack surface. Rather than enforcing “known good” behaviours, organisations are chasing threats, adding more needless tools and focusing on the “bad” in a battle they can never win.

There is also an issue in the way organisations build infrastructure, without regard for the types of applications it will support, the architecture and means of user access. Cyber security is too often an afterthought, involving many products, tools and interfaces, and the associated management complexity.

With web and cloud applications and services now ubiquitous, businesses are also struggling to fill positions that require security expertise. With 3.5m open security positions globally, the gap between the demand and the supply of suitably skilled workers is vast.


Enforcing “known good”

Companies should look to shift their cyber security strategy from reactive to preventative, an approach that enforces the “known good” of application behaviour – known network traffic, what systems should talk to each other, how application code is behaving. It is far easier to identify the “abnormal” if you know what “normal” looks like.

Companies also should align their cyber security strategy to applications and data, rather than tethering it to infrastructure and endpoints, changing the focus to what matters most, and drastically simplifying security efforts.

The only way to do this effectively, and continue to allow innovation to thrive, is to make security intrinsic: built in, not built on, from endpoint to the cloud, with complete visibility of applications, users and devices to shrink the attack surface. This can be done using intelligent automation, which adapts policy as needed and optimises resources, allowing cyber security experts to focus on delivering value.

Being proactive

Security in its current form is simply not working. To take the advantage back from the attackers, companies must take an intrinsic approach to cyber security. Only by locking down the “known good” can business leaders hope to traverse the security silos haunting their operations today and gain the upper hand.

Jordi Ferrer is vice president and general manager for UK and Ireland at VMware.