Reinforcing Enterprise Security
By John Keddy, Chief Technology Officer& CISO, Security Benefit And Robert Dewhirst, Manager of Cybersecurity, Disaster Recovery, and Business Continuity, Security Benefit
What are the emerging trends across security analytics ecosystem?
What are the emerging trends across security analytics ecosystem?
John Keddy - The service providers and vendors are on the quest to find and comprehend the “bigger picture” within the security analytics landscape. Some firms are conducting of smaller firms or even start ups. I think the start up ecosystem will be even more impactful in 2019.
Robert Dewhirst - As organizations leave no stones unturned for acquiring and integrating various products, technologies, and solutions, the security analytics sector will hopefully begin to see effective artificial intelligence (AI) and machine learning (ML) implementations. This will, in turn, enable businesses to utilize sophisticated tools.
What are your thoughts on AI and the notion of it being a double-edged sword?
John Keddy - I am optimistic about the future implementations of AI and ML technology in the security space. While AI and ML implementations have fallen short of their promise in many business verticals, I remain optimistic. I think the real risk is that AI and ML deliver real capabilities and that malicious actors adopt their capabilities faster than traditional organizations. A malicious innovator might be able to “innovate” faster. If you are on defense, you want your AI and ML tools to work a highpercentage of the time thinking “we don’t have time for false positives” and “we can’t increase risk.” A malicious actor might think “not sure of effectiveness of this AI approach --- but let me unleash.” The warfare could get even more asymmetric with AI .
"Every technologist must understand that security—process and technology are now forever part of our world. Just as terrorism has driven permanentchanges in our travel cybersecurity permeates all aspects of our technology"
Robert Dewhirst - Although too early to predict, some models can succeed in a couple of areas. As per the practitioners—the folks that are working down in the trenches—they will not be interested in adopting AI or ML. Instead, they look for something that’ll help them keep their systems patched and keep their inventory accurate. Unfortunately, neither of these technologies appeal to that.
From a technology investment standpoint, I think people owe a lot of promises, we have a lot of challenges, and neither AI nor ML is addressing them. The whole ‘learning’ aspect is getting extremely difficult because it’s not just working on a dataset with a million data elements, but having the ability to learn from the ongoing influx of data. Focusing on the positives, I do think the AI and ML tools will get smarter with time.
What’s the secret behind tackling cybersecurity challenges?
John Keddy - The two largest threats companies face are:
1- The constant new revelations of vulnerabilities. Vulnerabilities may have been introduced years ago but gets realized today. Or at least realizedby the business community – malicious agents may have known longer!
2- Corporate culture. Changing the culture of the organization at all levels—from senior to most junior—to ingrain an understanding that security is a full-contact sport for everybody. No sitting in the stands. Get on the field.
Robert Dewhirst - The security analytics can help us uncover actionable information for solving numerous challenges from the vast sea of data using specialized tools. The main challenge lies in the talent shortage - the inability to understand supply and demand. Therefore, if you want the people to change the culture of the company, you must have the people with the skills to achieve that. We are definitely making use of analytical tools to get better information, but the tools cannot help in solving some of the fundamental things such as the lack of professionals with security skills in the market.
What are some of the most pressing concerns for today’s organizations?
John Keddy - 1. We need to identify the most innovative tools and vendors in the marketplace that could give us additional security
2. Be sensitive to the breadth of the regulatory regime. In our business, we want to comply not only with the letter of the law (regulation/regulatory intent) but also with the spirit and the intent of the law.
How do we change the mindset of the people?
John Keddy - I do sense that many employees in our organization have become far more sensitive and aware— even in the last 12 months. It becomes our job, as members of the leadership team, to ensure that it’s consistent across the organization.
Robert Dewhirst - The challenge today, especially in the era of branded vulnerabilities, is - how do you translate the technical security challenges into risk statements for your leadership. For example, the Meltdown and Spectre vulnerabilities. That is an extremely difficult concept to explain, and because it’s a brand, it’s going to be on a banner on the news channels. Moreover, it took the security community alone two weeks to wrap itself around what that meant. It is going to get harder, especially as attacks and vulnerabilities become more sophisticated, and people try to publicize.
How will the security analytics ecosystem evolve a few years from now?
John Keddy - The financial services businesses are still lagging in terms of leveraging leading-edge technology. As we accelerate investments in newer tools and technologies, you cannot assume that the vendor has thought about all needed aspects of security. There is no room for such an assumption. We must also understand that defending the traditional perimeter is pretty limited. . The perimeter has now blurred as people are working all over the world through mobile and portable devices and the perimeter gets dragged along with them. We are no longer securing a set of tools and technology, we are securing an environment that is evolving very quickly, and we must evolve with it. Accordingly for security analytics to have value the analytics must reflect this reality . Having a static set of reports or metrics is useless as interactions have completely different risks. Analytics will have to incorporate theoverall risk not just a simple transactional view
Robert Dewhirst - You can generalize the ecosystem as ‘holders of sensitive and important data’, which includes the healthcare data, student data, and financial services data. Hence, it is true that we cannot blindly assume the security quotient of the vendor or their services.
Do you have any advice for the budding technologists?
John Keddy - Yes –study cybersecurity! Whether your love is software development or network or AI or anything else, get an appreciation early on for cybersecurity.
Robert Dewhirst – Irrespective of the field, application or infrastructure, you should acquire a strong understanding and appreciation of security. In my view, this is not a trend, this is not a bubble, and this doesn’t go away. We are going to do it for the next perceivable future. Every effective technologist must understand that security—its awareness, knowledge, and appreciation—are now a part of our world.