From the Winter 2021 Issue

What’s Wrong with Our Industry? Business Survival and Network Security in Times of Crisis

Jack Koons
Author | Lecturer

  •  
  •  
  •  
  •  
  •  
  •  

Hard Truths

Members of the cybersecurity industry need to face a few hard truths: The perimeter as we know it is rapidly dissolving. Your data must now traverse known and unknown (i.e., untrusted) infrastructure and operate on devices no longer considered “corporate”. Identity is the new perimeter – no longer constrained by static routing tables and physical locations, and in many cases, it is ephemeral. Data is key. Visibility on what your critical data is, and what needs to go, is absolutely vital to your organization’s competitive advantage – and ultimate survival. Sadly, buying one more tool or capability is not going to save you.

The World Has Changed

Mother Nature has stepped in and forced a difficult, and yet much overdue conversation – our current security thought process and strategy is failing to keep pace with operational requirements, realities, and threats. COVID-19 and the ensuing pandemic has driven a race towards remote work and work from home necessities. These new conditions have highlighted the failings of various heretofore established network best practices such as VPNs, firewalls, and their associated hardware-based, perimeter-focused security strategies.[1]

Over the last 5-10 years, network owners, companies, and agencies had made a lot of progress in hardening network security, and then when COVID hit we all essentially left that environment and moved to a telework environment that in some cases existed before but was used one-off, not at the scale, scope, and constancy it’s used now,” the official said.

This situation is further exacerbated by an energized and motivated adversary. Ours is now a truly contested operational environment and it shows no sign of slowing down any time soon. So, embrace it, learn from it, and adapt.

Tools, Tools, and More Tools

While there is seemingly no shortage of marketing hype and so-called “thought leadership” surrounding tools, techniques, capabilities, and solutions, the harsh reality is that a new approach is needed. Our current roadmap is unsustainable, leaves us all vulnerable, and ultimately fails the supported business model. It is a sad fact of the times that many organizational owners don’t even fully understand the very capabilities or tools they deploy on their network and devices – to say nothing of fully optimizing them and integrating them.

We see ever-increasing capital deployment and resource allocation in support of cybersecurity – but without the much-hoped-for commensurate drop in confidence, integrity, and availability of data – to say nothing of resilience. But despite this, organizational leaders continue to beat down the door, buying more and more tools and capability. In fact, the plethora of tools and their associated “tool fatigue” are directly related to mounting the complexity and management costs. This presents, indeed, vulnerabilities in and of themselves. It’s now estimated that two-thirds of all network and security incidents are due to misconfiguration issues[2], and not threat actors.

A Growth Market

According to Research and Markets “Cybersecurity Global Market Report 2020-30: COVID-19 Growth and Change”:[3]

The global cybersecurity market is expected to grow from $149.46 billion in 2019 to $152.21 billion in 2020 at a compound annual growth rate (CAGR) of 1.83%. The slow growth is mainly due to the COVID-19 outbreak that has led to restrictive containment measures involving social distancing, remote working, and the closure of industries and other commercial activities that led to a decline in the bottom line. As a result, companies’ budgets for cybersecurity software is expected to decline. The market is then expected to recover and reach $208.28 billion in 2023 at CAGR of 11.02%.

According to the latest Cybersecurity Ventures Market Report:[4]

In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017 it was expected to be worth more than $120 billion. The cybersecurity market grew by roughly 35X over 13 years entering our most recent prediction cycle…The cybersecurity market is continuing its stratospheric growth and hurtling towards the trillion dollar mark… 

Many of the aforementioned purchases are in search of elusive industry buzzwords such as “micro-segmentation”, “zero trust”, or part of a larger digital transformation (whatever this means to the buyer). In the end, our industry does a very good job of selling a capability or desired end state. What it doesn’t do nearly as well is articulate an actual path towards realizing true security, scale, and resiliency. For most organizations, the common question is: “Where do I begin?”

Data is the Key

That said, not all data is created equal, and not all data should be protected with the same level of resourcing. But make no mistake – it is the data that fuels the organization. This is your focus. This is the prize. Risk appetite, based on the particular business model/vertical, must be aligned according to respective data access and use. It all begins with visibility and understanding what the data is, and where it is going.

To be clear, today there is a “virtual” plethora of tools, techniques, and procedures for dealing with the current and anticipated onslaught of network threat. What is lacking, however, is the confidence and ability of the current crop of C – ISO/TO/IO/SO/RO/DO/etc. to adequately answer the following three questions:

  • What’s going on in my network?
  • What’s going on with my data?
  • While I may no longer control my network, can I control my data?

The answer, in a word, is Visibility.

It All Begins with Visibility

There is an oft-used phrase in military strategy circles that goes something like this: “If I can’t see it, I can’t cover it. And if I can’t cover it, I can’t protect it”.

Most organizations fail at basic practices like visibility while spending perishable resources and capital on more and more tools and capabilities. This is exasperated with a subsequent rush to fully integrate, tune, and optimize all of this mess into some form of effective orchestration. These changes often arise later as so-called “hidden costs.” This is time being wasted on bells and whistles. In contrast, resources should be spent on illuminating and verifying the critical business enabling data flows and workloads, as well as critical data profiles (i.e., IP, domain controllers, maps, financials, PII, etc.). Remember, no attacker ever cared about your hardware. It is always about the data. This also goes for compliance, audit, and regulatory efforts. Again – visibility and control of data.

Instead, we see organizations focus on outdated perimeter-based, hardware-focused security strategies, all while ignoring the benefits of a truly data-first mindset, based on the premise that identity is the new perimeter and data is key. We see this in today’s global pandemic as organizations continue to embrace failed and flawed VPN and firewall security policies, despite extremely concerning and debilitating scale, security (e.g., patching, zero-day vulnerabilities, etc.), and complexity issues associated with both technologies.[5]

For example, just take a look at the current landscape of marketing hype and collateral surrounding such buzzworthy, yet arcane, topics as “zero trust”, “micro-segmentation”, and “digital transformation.” In addition, consider how lightly we throw around terms like cloud, AI, ML, SIEM, SOAR, and Fusion. But yet, before anyone can continue down this path, a critical conversation is often overlooked and only re-discovered when an organization buys the next “silver bullet” tool or capability: Visibility.

This visibility conversation includes questions like:

  • What is my data posture and strategy?
  • Who owns it?
  • Where does it reside and go?
  • What is critical vs. non-essential data?
  • How is it backed-up?

This is the cornerstone of any security strategy going forward.

The Way Forward

The conversation, then, begins not with the purchase of yet another tool or capability, but the realization that hardware and buzzwords will not solve your problems. A truly granular level of understanding of your data posture (i.e., the “who, what, where, when, and why” of data flow and work streams) will serve as the very foundation for any security, compliance, network, digital, and/or access strategy.

Absent this, no amount of tooling, solutions, architecture, or orchestration will save you when you’re under attack. You must ensure visibility. Visibility is control. Control is confidence. Visibility reduces complexity and cost, while building resilience and options into any solution architecture.

When an organization truly understands its data posture, the critical workflows, data streams, and identities, only then will it be able to start the journey towards exciting opportunities such as micro-segmentation, true zero trust architecture strategies, cloud, and digital transformations. lock


[1] Johnson, Derek. “NSA to release advisory on VPN security amid telework boom.” Federal Computer Week – FCW.com, 1105 Public Sector Media Group, 1 July 2020, https://fcw.com/articles/2020/07/01/johnson-nsa-vpn-advisory.aspx?m=2
[2] https://www.ciodive.com/news/cloud-database-misconfigurations-network-security-riskrecon/584560/
[3] Research and Markets. “Global Cybersecurity Market Report (2020 to 2030) – COVID-19 Growth and Change.” Research and Markets, The Business Research Company, June 2020, https://www.researchandmarkets.com/reports/5116184/cybersecurity-global-market-report-2020-30-covid
[4] Morgan, Steve. “Cybersecurity Ventures’ 2019 Cybersecurity Market Report.” Cybercrime Magazine, Cybersecurity Ventures, 10 June 2019, https://cybersecurityventures.com/cybersecurity-market-report/#:~:text=Worldwide%20spending%20on%20information%20security,and%20%24170.4%20billion%20in%202022
[5] National Security Agency. “NSA Advisory on VPN Use – Securing IPsec Virtual Private Networks.” Media.gov, United States Government Department of Defense, October 2020, https://media.defense.gov/2020/Jul/02/2002355625/-1/-1/0/SECURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_EXECUTIVE_SUMMARY_2020_07_01_FINAL_RELEASE.PDF.

Leave a Comment