Clutch spoke with Ken Ammon, the Chief Strategy Officer of OPAQ Networks, about internal cybersecurity risk and the best approach to strengthening security.
Learn more about OPAQ Networks at opaqnetworks.com.
In honor of Cybersecurity Awareness Month, Clutch begins a two-part series of interviews with cybersecurity industry experts that are designed to better inform businesses about their cybersecurity risk profile and how they can build a better security perimeter.
Internal vs. External Cybersecurity Risk
Is internal or external risk more dangerous to a company's cybersecurity?
Both internal and external threats, even though they are different, are dangerous and significantly impact a company’s business and reputation if not adequately addressed. The fact is, good security hygiene addresses both threats. With the introduction of mobile, cloud, and SaaS, gone are the days of addressing security through traditional security concepts such as insiders and outsiders. For instance, external threats hijack internal identities and then perform exfiltration, damage, or ransomware exploits. Zero trust security is a concept that many security experts believe is the model for having a balanced approach to defend against internal and external threats.
What are the major factors that affect the level of internal risk? Do BYOD and remote working policies exacerbate the level of exposure a company faces?
This question directly addresses the issue of the erosion of what was a traditional security perimeter where organizations clearly defined and controlled their network and their computers that were on the network. As long as the front door had a guard and you had a perimeter with a firewall on it, you felt you were operating using security best practices. Those days are gone—that black and white definition of the network is gone. What the response has been from a security perspective is a demand for greater sophistication to cover this expanded attack surface.
Now there are over 40 security products that it seems like every organization “needs” to own, manage, and maintain. A lot of folks are falling down on basic "blocking and tackling" because they’re buried under this avalanche of security products which are mostly individual security features that should all cohesively work together, but aren’t delivered that way.
The sheer complexity of managing one’s infrastructure, combined with cloud, mobile, BYOD, and other technology trends, opens the door to greater security risks for companies. They need to strike the right balance between providing an exceptional end-user experience while keeping users, systems, and data secure. Enabling secure access for remote workers, supply chain partners, and other “trusted” parties certainly ratchets up the level of internal risk and exposure. So too do companies’ BYOD policies, which increasingly tend to permit the use of personal devices to access corporate assets.
How can companies effectively reduce their level of internal security risk?
There are ways to significantly reduce your internal risk by establishing granular security controls that define boundaries and allowances for specific users to access particular servers, applications, and data. For example, you can allow only a finance employee to access only the finance server and deny connection or access to other servers where sensitive information may be stored. In addition, there are other security measures such as isolating and quarantining threats as soon as they are detected to prevent a malicious actor or infection from traversing throughout your internal network.
How can businesses better detect cyberattacks?
Detection is much easier when you effectively centralize your security policy management and enforce it in a way that you trust it's actually doing what the policy stated. If you haven't integrated the identity platform of your system with your policy enforcement, then your policy enforcement rules look jumbled and you get reports with figures like "192.168.2.5 possible scan 10.10.70.3." People don't know if that's a server they are supposed to care about, or even the source, such as a laptop, tablet, or another device. It's much easier when you can say, "That's Mary Johnson, connecting to Salesforce with five attempts to do the things that are in violation of the security policy." Then everybody knows who Mary Johnson is and what Salesforce is, making it easier to identify whether the activity is malicious or inadvertent—and instantly respond to the issue. The integration of the identity platform with centralized policy enforcement dramatically closes the time-to-detection gap.
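The two answers above describe one mechanism from two sides: role-scoped access rules (a finance employee may reach only the finance server) and alerts that name the user and the application instead of two addresses. The Python below is an added example written for this page; it is not code from the interview or from OPAQ Networks' products. The identity directory, asset inventory, role policy, the extra addresses (192.168.2.9, 192.168.2.77, 10.10.70.8), the name Raj Patel and the label "finance-server" are constructed sample data; only the addresses 192.168.2.5 and 10.10.70.3 and the Mary Johnson/Salesforce pairing come from the interview, and the five-denial quarantine threshold is an assumption. Resolution defaults to deny: an address with no logged-in identity gets no role and therefore no access.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed identity directory: who is currently behind which source address.
# In a real deployment this is fed by the identity platform (VPN/SSO session table).
IDENTITY = {
    "192.168.2.5": ("Mary Johnson", "sales"),
    "192.168.2.9": ("Raj Patel", "finance"),   # constructed entry
}

# Constructed asset inventory: which application answers at a destination address.
ASSETS = {
    "10.10.70.3": "finance-server",   # constructed name for the address quoted in the interview
    "10.10.70.8": "Salesforce",       # constructed address for the application named in the interview
}

# Role allowlist: a role may reach only the listed applications; anything else is denied.
POLICY = {
    "finance": {"finance-server"},
    "sales": {"Salesforce"},
}

QUARANTINE_THRESHOLD = 5  # assumption: five denied attempts against one app triggers isolation

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Decision:
    user: str
    role: str
    app: str
    allowed: bool


def parse_alert(line):
    """Extract (src, dst) from a raw alert such as '192.168.2.5 possible scan 10.10.70.3'."""
    ips = IP_RE.findall(line)
    if len(ips) < 2:
        raise ValueError(f"alert has no src/dst pair: {line!r}")
    return ips[0], ips[-1]


def evaluate(src_ip, dst_ip):
    """Resolve both addresses to names, then apply the role policy (default deny)."""
    user, role = IDENTITY.get(src_ip, ("unknown-user", "unknown"))
    app = ASSETS.get(dst_ip, dst_ip)
    allowed = app in POLICY.get(role, set())
    return Decision(user, role, app, allowed)


def enrich(lines):
    """Rewrite address-only alerts as readable decisions an analyst can act on."""
    out = []
    for line in lines:
        d = evaluate(*parse_alert(line))
        verdict = "allowed" if d.allowed else "DENIED"
        out.append(f"{d.user} ({d.role}) -> {d.app}: {verdict}")
    return out


def denied_counts(lines):
    """Denied attempts per (user, app) pair."""
    counts = Counter()
    for line in lines:
        d = evaluate(*parse_alert(line))
        if not d.allowed:
            counts[(d.user, d.app)] += 1
    return dict(counts)


def quarantine_candidates(lines, threshold=QUARANTINE_THRESHOLD):
    """Users whose denied attempts against a single app reached the threshold."""
    return sorted({user for (user, _app), n in denied_counts(lines).items() if n >= threshold})


# Constructed raw alert lines in the shape quoted in the interview.
SAMPLE_ALERTS = (
    ["192.168.2.5 possible scan 10.10.70.3"] * 5   # Mary -> finance server, five times
    + ["192.168.2.5 connection 10.10.70.8",        # Mary -> Salesforce (her role allows it)
       "192.168.2.9 connection 10.10.70.3",        # Raj (finance) -> finance server
       "192.168.2.77 connection 10.10.70.3"]       # address with no logged-in identity
)

if __name__ == "__main__":
    for line in enrich(SAMPLE_ALERTS):
        print(line)
    print("quarantine:", quarantine_candidates(SAMPLE_ALERTS))
```

Running the block prints the same eight events the raw alerts describe, but as "Mary Johnson (sales) -> finance-server: DENIED" and similar lines, and lists Mary Johnson as the one user whose denied attempts reached the threshold. The point of the design is that the policy is written in terms of roles and applications, never addresses, so a change of laptop or subnet does not change what a user may reach, and the report never has to be translated by hand.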
The "Talent Gap"
What sort of role has the cybersecurity “talent gap” played in the increasing number and severity of large-scale cyber attacks?
There are two impacts of the talent gap. There’s the obvious one that says if there are not enough people available, then you don’t have the right resources to bring in and execute on this sophisticated challenge. The other one is an economic impact. As demand increases and supply is more scarce, the price keeps going up. Beware of someone who’s offering you cybersecurity professional services at a bargain-basement price; it’s most likely not real. The real talent demands a high price. Typically, only large enterprises can afford that talent. The mid-market is left abandoned because they don’t have any effective path forward to afford reasonable security talent.
So today's companies are staring at a complex security infrastructure that, if properly resourced, could provide a decent amount of security protection. However, internal and external threats prey on this complexity and skills shortage. There's no question that the talent gap puts many companies at greater risk.
I think the only way you get out of this scenario is through automation. You have to find a way to highly automate, connect, and simplify. Otherwise, you can’t escape this death spiral. We’re big fans of tight integration, automation, and simplification for a market that continues to be exposed and highly vulnerable to cyberattacks.
Mid-Market Cybersecurity and Automation
Are mid-market firms adopting and investing in security automation more often now?
I do see signs of what I’ll classify as a "market pivot." The cost barrier exists in the enterprise as well as mid-market companies. Both of them feel like they’re falling down. Enterprises have more money to spend than mid-market firms, so they at least can keep the wheels on the bus. We have seen the mid-market firms reaching out for help from managed service providers in various degrees to deliver their services.
For example, at the Gartner Risk Management Security Conference earlier this year, 30% of the participants were mid-market companies, which is unheard of. They typically have a very large enterprise market. They’ve now actually built an entire practice internally to support mid-market inquiries. Mid-market firms are getting smarter. They’re turning to these managed service providers. Most of them, because of the security talent gap, are incapable of delivering on what the customer is asking for.
This has driven investment into highly automated platforms for companies that deliver these services to the mid-market. Most of those mid-market companies don’t have the staff or the appetite to have a full-blown staff internally delivering this capability. With an automated security platform, service providers will be better equipped to answer the call for cybersecurity services from their customers.
How should small businesses and companies with serious IT budget restraints approach cybersecurity policy? What’s your take on the federal government stepping in to aid small business cybersecurity?
If you are a small to mid-sized company and you get hit with ransomware and you have no place to turn—you didn’t do backups and you can’t recover it—you pay the ransom. The federal government has gotten involved in that scenario because in many cases it’s actually against the law to send money to the attackers. You’ve just broken a federal law by doing something like that. The prosecutors have been pushing data back to the hilt saying, “This is a real challenge.” Money’s leaking out in a major way here. What are we to do? Go and prosecute these folks that are in this position? It doesn’t surprise me that you won’t see more of that advancement trying to get better answers for that market. It’s not just an economic challenge; it’s also a national security risk.
What needs to happen in the security market is not through another evolution; it has to be transformational. This idea that we keep nudging security along and we keep doing what we were doing yesterday but we add something new to it, is going nowhere. You have to take a transformational approach that addresses the challenges of simplification and automation. We have this awareness month, but oftentimes we’re speaking to ourselves. We’ve lost the ability to effectively communicate to people that have to make decisions, spend money and manage their risk at an executive level.