The government’s recent Cyber Governance Health Check revealed that boards at some of the United Kingdom’s biggest companies still don’t fully understand the potential impact of a cyberattack. That’s a huge problem, and in many ways a surprising one considering the air time and column inches given to hacks in recent years.
With over £100bn forecast to be spent on security platforms globally by 2022, the challenge is to ensure money is spent well and not just on adding more products to an already complex security infrastructure. Between 30 and 80 different security tools are typically used by companies each day. This is in stark contrast with other IT priorities where consolidation has driven efficiency and value.
Over the past decade the security market and its customers have focused on reacting to a sophisticated threat landscape, with little done to help companies reduce their attack surface. Rather than enforcing “known good” behaviours, organisations are chasing threats, adding more needless tools and focusing on the “bad” in a battle they can never win.
There is also an issue in the way organisations build infrastructure, without regard for the types of applications it will support, their architecture or the means by which users will access them. Cyber security is too often an afterthought, bringing with it many products, tools and interfaces, and the management complexity that goes with them.
With the web, cloud applications and cloud services now ubiquitous, businesses are also struggling to fill positions that require security expertise. With 3.5m open security positions globally, the gap between the demand for and the supply of suitably skilled workers is vast.
Enforcing “known good”
Companies should look to shift their cyber security strategy from reactive to preventative, an approach that enforces the “known good” of application behaviour – known network traffic, what systems should talk to each other, how application code is behaving. It is far easier to identify the “abnormal” if you know what “normal” looks like.
Companies should also align their cyber security strategy to applications and data, rather than tethering it to infrastructure and endpoints, shifting the focus to what matters most and drastically simplifying security efforts.
The only way to do this effectively, while continuing to allow innovation to thrive, is to make security intrinsic: built in, not built on, from the endpoint to the cloud, with complete visibility of applications, users and devices to shrink the attack surface. This can be done using intelligent automation, which adapts policy as needed and optimises resources, allowing cyber security experts to focus on delivering value.
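As an added illustration of the “known good” approach described above (not code from the article or from VMware), the following Python script learns the set of permitted system-to-system flows from a constructed baseline, then treats anything outside that set as abnormal by default. The host names, ports and log format are all constructed for the example.

```python
"""Known-good (allowlist) enforcement over constructed network flow records."""
from collections import namedtuple

# One observed connection: who talked to whom, on which port and protocol.
Flow = namedtuple("Flow", "src dst port proto")

# Constructed baseline: flows observed during a learning window. In practice this
# list is reviewed by the application owners before it becomes policy, so that a
# compromise present during learning is not baked into "normal".
BASELINE_FLOWS = [
    Flow("web-01", "app-01", 8443, "tcp"),
    Flow("web-02", "app-01", 8443, "tcp"),
    Flow("app-01", "db-01", 5432, "tcp"),
    Flow("app-01", "db-01", 5432, "tcp"),   # repeats collapse into one rule
    Flow("web-01", "dns-01", 53, "udp"),
]


def build_known_good(flows):
    """Collapse observed flows into the set of permitted (src, dst, port, proto) tuples."""
    return frozenset(flows)


def parse_flow_line(line):
    """Parse one constructed log line of the form '<src> -> <dst> <port>/<proto>'."""
    src, _arrow, dst, service = line.split()
    port, proto = service.split("/")
    return Flow(src, dst, int(port), proto)


def evaluate(known_good, lines):
    """Return (allowed, denied): a flow is allowed only if it matches the baseline exactly."""
    allowed, denied = [], []
    for line in lines:
        flow = parse_flow_line(line)
        (allowed if flow in known_good else denied).append(flow)
    return allowed, denied


# Constructed traffic to check against the baseline.
OBSERVED = [
    "web-01 -> app-01 8443/tcp",
    "app-01 -> db-01 5432/tcp",
    "web-02 -> db-01 5432/tcp",   # web tier reaching the database directly: never seen before
    "app-01 -> web-01 22/tcp",    # reverse-direction SSH from the app tier: never seen before
]

if __name__ == "__main__":
    policy = build_known_good(BASELINE_FLOWS)
    ok, flagged = evaluate(policy, OBSERVED)
    print(f"{len(ok)} flows match known good; {len(flagged)} flagged for review:")
    for f in flagged:
        print(f"  {f.src} -> {f.dst} {f.port}/{f.proto}")
```

Because the policy is an explicit allowlist, the two flagged flows are caught without any signature for the specific attack that might produce them.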
Security in its current form is simply not working. To take the advantage back from the attackers, companies must take an intrinsic approach to cyber security. Only by locking down the “known good” can business leaders hope to traverse the security silos haunting their operations today and gain the upper hand.
Jordi Ferrer is vice president and general manager for UK and Ireland at VMware.