According to ESG research, 74% of cybersecurity professionals believe that cyber-risk management is more difficult today than it was two years ago. Respondents point to an expanding attack surface, an increase in software vulnerabilities, and more sophisticated tactics, techniques, and procedures (TTPs) from cyber-adversaries.
Okay, so there’s a cyber-risk management gap at most organizations–so what are they going to do about it? The research indicates that:
Jerry Garcia once said the Grateful Dead is like black licorice—you either love them or hate them. Well, I have finally been able to make a connection between the Dead and cybersecurity as it sure seems to me that “DevSecOps” is the Grateful Dead of cybersecurity—you either love it or hate it.
Early in my high-tech career, SUN Microsystems was thought of as a computing visionary. SUN coined an intriguing company tagline early on, “the network is the computer.” What did this mean? That IT infrastructure was linked together in a loosely coupled architecture, tied together via networking technologies like Ethernet cables and the TCP/IP protocol. Thus, it was critical to engineer the network correctly to maximize network availability, performance, and business benefits.
Cyber Pros Join Together for a Night of Classic RockIn conjunction with the AWS re:Inforce conference last week, ESG hosted an evening of classic rock, where we invited our clients to join us on the stage at the Hard Rock Café Boston for a classic rock jam night. While a few of the musicians knew each other, most did not, yet they jumped right in to perform tunes from bands like Led Zeppelin, Billy Squier, Pat Benatar, AC/DC, and many more.
I spent the last few days at AWS re:Inforce 2019, here in Boston. It was my first AWS event and I came away with a few strong impressions:
Extreme will be celebrating the 4th of July holiday with its latest acquisition, Aerohive. In what seems to be a trend for Extreme, it was able to pick up the company for a good price (especially when compared to other recent WiFi acquisitions). The big difference, however, is that in this case it did not just acquire the assets, but rather the whole company. Translation – this one should be a bit smoother, more predictable and hopefully lacking surprises!
The big news in Las Vegas this week was HPE’s decision to go all in on “as a service.” Emboldened by its success with GreenLake, Antonio Neri announced the entire HPE portfolio would be available “as a service” by 2022. To be clear, HPE will continue to sell products via traditional CapEx methods, as well, offering its customers choice. Its premise is that it believes that cloud is not a destination, but rather it is an experience and so this announcement challenges the notion that cloud first equals public cloud only, and deliver the same cloud experience with Greenlake. The new “as a service” option will include subscription, pay-per-use and consumption models and fall under the GreenLake brand.
Before GDPR became official in May 2018, I heard a similar story from many CISOs. In the past, data privacy programs were legal exercises focused on data classification and governance. Yes, there were security angles around compliance, DLP, and incident response, but legal had oversight around which data was considered as private and what could and could not be done with sensitive data.
GDPR changed everything. Data privacy is no longer a background legal project but rather a set of business-critical processes, and this impacted the cybersecurity team. CISOs were asked to utilize their operational expertise to help operationalize data privacy programs.
Not surprisingly, CISOs dragged the cybersecurity team along for the data privacy ride. According to a recent research report from ESG and ISSA, 40% of cybersecurity professionals surveyed say that the cybersecurity team has taken a significantly more active role around data privacy over the past 12 months while another 44% claim that the cybersecurity team is somewhat more active around data privacy during this timeframe.
Now it’s important to remember that cybersecurity pros aren’t exactly waiting around for things to do. In fact, the research indicates that 74% of organizations have been impacted by the global cybersecurity skills shortage, resulting in an increasing workload for the infosec team. Add data privacy responsibilities to the list.
Piling data privacy responsibilities onto an already overwhelmed cybersecurity staff comes with some risk. To mitigate this risk, cybersecurity professionals should receive appropriate data privacy training, roles and responsibilities should be well defined, all data privacy processes should be documented, and the cybersecurity team should have the proper data analytics tools to monitor program successes.
Unfortunately, this isn’t happening. The research indicates:
Too often, privacy and security are thrown in the same bucket, but this is a mistake. Data privacy is all about data classification and lifecycle management of sensitive data (i.e., who can access it, where it should be stored, how it should be destroyed, etc.). Alternatively, security teams are responsible for building, maintaining, and monitoring walls around sensitive data.
Yes, GDPR, the impending California Consumer Privacy Act (CCPR) will bring security and data privacy closer together, but this merger should be done carefully, not haphazardly. The ESG/ISSA data demonstrates that there’s a lot of work ahead to bring data privacy and security together in a way that mitigates risk and doesn’t disrupt ongoing processes.
Last week, I attended Cisco Live US in San Diego to hear the latest and greatest from Cisco executives and technology leaders. Following Cisco’s campus refresh a couple of months ago, the company continued to execute against its Intent-based networking imperative with a number of announcements aimed at making your network solutions smarter, simpler, and more secure.
In the cybersecurity world, we cheer when companies are as successful as CrowdStrike in their recent IPO. This kind of success helps fuel the energy level across the entire cyber industry, rising the tide for all who are focused on keeping the world safe from cyberattacks.
Winning in this market requires more than just a deep understanding of cyberattacks and how to stop them. It requires a deep understanding of what challenges organizations are facing as they strive to protect themselves while their attack-surface grows, amid a growing base of adversaries who are innovating at a pace that rivals many of the world’s most successful tech companies.
Given the increasing complexity and scale of IT environments, it is becoming clear that technologies like artificial intelligence (AI) and machine learning (ML) will be required for operations teams to effectively and efficiently manage these environments. This is especially true for the network in highly distributed environments, since it plays an integral role in connecting data centers, clouds, and edge environments. Cisco wants to make its intent-based networking (IBN) solutions smarter, simpler, and more secure by adding AI/ML and multi-domain integration. At this year’s Cisco Live in San Diego, Cisco announced its latest innovations for IBN, AI Network Analytics, along with tight domain integration and additional AI/ML support in DevNet.
Cisco held its annual customer event, CiscoLive, in San Diego this week, while hosting industry analysts like me at C-Scape. As part of the agenda, the Cisco security team provided details on its present position and future strategy. Here are a few of my takeaways: