At the Gartner Symposium/ITxpo in Goa last November, Jeffrey Wheatman, Research Director, Gartner, gave a presentation titled ‘Disband your security team’. Digital Creed met him on the sidelines of the event, where he discussed the importance of aligning business and security teams (and the consequences of not doing so). Jeffrey says that having security and risk people pushed out into business environments provides a much better capability to pre-identify risks. He also described some notable modern-day security breaches to highlight changing attacker priorities.
Q. How should an organization go about defining security policies and redefining security architecture in the age of digital?
We have definitely seen a big shift and it is no longer about locking the data down in our own data centre. With the advent of cloud, social, mobile and big data we lost control over some components; we still have to lock the data. But it is much more difficult when we don’t control all of the components.
There are a couple of things we’ve seen people focussing on with varying degrees of success. Understanding your data flow, understanding where the critical data is being created and generated, where it’s being used, how it’s being used – these are really important things. It is also about understanding who owns the data in the first place.
We see far too many security teams being accountable for protecting data that they don’t actually own. They are making decisions on behalf of the business and that’s not a good long-term solution. We end up overprotecting the wrong data and underprotecting the data that’s most important.
There is no standard definition for cyber security and that sets the table for a lot of errors. So we need to define a taxonomy of common terms. We need to make sure the internal stakeholders on the business side understand these terms. The business stakeholders do not talk to the security teams about their business plans. The security team needs to know that.
This alignment only happens when something bad happens. Sometimes it is pressure from the regulators.
The Sony Pictures breach a few years ago was a big wake-up call. Yahoo! announced that millions of accounts were hacked (in 2013). And because of that, Verizon asked for a billion-dollar discount on the purchase price when it acquired Yahoo!
We have also seen instances in banking and financial services companies. And because these companies are meeting the standards of due diligence, they pay lower fines to the regulator.
We are also seeing more protection of intellectual property, protection of business value, and similar aspects.
Q. How does having a dedicated security team affect innovation?
We are not actually saying your security team should go away. We are saying you need to look for opportunities to build better bridges. The way to do that is to take people who have risk and security expertise and embed them in the business. They can act as a conduit and understand what the business is doing. We also think that it is important to separate governance and strategy from operations and implementation. Otherwise, you end up with segregation of duties issues.
As far as the impact on innovation, with the advent of digital business, your business stakeholders are not going to accept that you need Rs 2,50,000 and 6 months to commission a study.
So having security and risk people pushed out into those environments provides a much better capability to pre-identify risks.
People-centric security is about defining some base behavioural things, putting controls in place and allowing people to make decisions. Make them accountable when they do things wrong.
This is at the core of the ‘Disband your security team’ aspect.
Q. The threat landscape is changing every few years. What is cyber security going to be like in 2020? How should organizations prepare for it?
The threat landscape is evolving and now there are things like AI and bots. If you are an attacker and you are able to change the way AI works, people won’t necessarily know until it’s too late. The banking industry is a great example. Trading algorithms are already using a lot of AI. Sometimes we don’t know that the engine is broken until it’s too late. An example is Knight Capital Management which had a trading algorithm and they pushed it into production by mistake. They lost billions of dollars in 17 minutes.
Ransomware is a huge problem these days. Right now, a lot of people are just paying the ransom. But the attackers are going to increase their demand until people are going to say ‘no’ to them.
We also know that it is no longer about script kiddies; it is about dedicated attackers. For instance, there was a group that was breaking into biotech companies and they were stealing FDA reports and taking that information to bankers, who in turn were betting for or against companies based on that information.
There is a recent example of a medical devices manufacturer. The attackers said they found some defects in those devices. The company ignored them, so they went to a VC. The VC shorted the company and then tweeted about it.
We are going to see a lot more of these incidents where there is a focus on business critical assets and processes.
So it is important how we can manage those risks to the corporate vision and mission; to the corporate values. Those are the things we need to focus on.
Gartner has a model called Adaptive Security Architecture which is about prevention, detection, response. It is about taking the learnings and then starting to do preventive things.