Cisco outlines 4 Cybersecurity Trends in the Next NormalBy Staff Writer 9 October 2020 | Categories: feature articles
TechSmart Features sponsored by:
The pandemic has put Chief Information Security Officers (CISOs) front and center of their organisation’s path forward. Business continuity plans that may or may not have included remote work have been put to the test. What was a reaction to a situation has now become part of longer-term planning. And with adversaries seeking to capitalize on threat vectors exacerbated by the pandemic, security finds itself at the heart of business.
“CISOs continue to face a number of challenges – some are new, others have been around for quite some time,” began Wendy Nather, head of the global Advisory CISO organization at Cisco’s Duo Security. “This year, remote work is front and center. It brings major challenges around visibility into what goes on in the IT environment.” “It’s about visibility both into applications and devices” agreed Wolf Goerlich, Advisory CISO at Cisco’s Duo.
“Some enterprises are using over 1,000 applications, however the Security team might only see 10% of that. Same on the devices front: power users use six or more devices, and the Security teams might not have visibility into all of those.”
“In addition, there is the people issue: retaining and recruiting talent is one of their biggest challenges for CISOs,” added Richard Archdeacon, leader of the Duo Advisory CISO team in EMEAR at Cisco. In a roundtable conversation, the three experts outlined four security trends they recommend CISOs to consider.
- The time for passwordless
The password – it's both the cornerstone and the Achilles’ heel of security. Passwords are a pain for users to remember, rotate, and maintain, with an average person having 191 passwords. Passwords are also easily compromised, as 81% of breaches involve stolen or weak credentials, according to the Verizon Data Breach Investigation Report. Furthermore, passwords have hidden costs. Organizations spend millions of dollars and help desk hours a year on password resets, so the cost isn’t simply from breach.
Platforms, industry groups, and service providers have begun to coalesce around a foundation for a passwordless future. Technology has evolved which has made biometrics almost ubiquitous in both consumer and enterprise, and companies have begun to explore what a world without passwords will look like in terms of the security of their users and data.
“Upending 60+ years of password use won’t be easy. We are at a unique point to reconsider authentication and build systems that are as easy to use as they are hard to breach,” noted Goerlich. “The passwordless future might be just 1-2 years out,” Nather added. “In the meantime, solutions such as Single Sign On are already making life easier for users.”
- Collaboration, not control
In many organisations, the traditional approach to security has been to issue instructions and policies. The past months, however, have accelerated a major culture shift. There is a different model emerging, where security professionals work with their business colleagues in a cooperative and collaborative way.
As people work more independently and at faster rate, security teams need to ensure that whatever security controls they implement must be easy to use. “Collaboration rather than control can have a significant impact in how we build security products,” continued Nather.
On the one hand, control costs money for organizations, on the other hand users are taking more and more control themselves. Consequently, CISOs are increasingly asking questions such as: What do we absolutely need to control? What can we rely on users to take care of? What can we enforce and what do we need to enforce?
“In addition, there is a hidden cost to control,” commented Goerlich. “The more constraints we put on users, the more creative they become. This results in a high risk.”
- Secure Remote Work Accelerated
Working remotely has been possible for decades. However, its prevalence has skyrocketed in even the most technologically conservative of organizations.
During the pandemic, Duo Security at Cisco, a user-centric multi-factor authentication and secure access provider, saw user authentications per month jump from 600M to 800M, largely due to the shift in remote work, and it has remained at elevated levels ever since.
As shown by Cisco’s Workforce of the Future survey, remote work is here to stay, as a form of hybrid working models.
“A significant trend we saw come into play amongst CISO’s during the lockdown was getting the basics and core fundamentals right,” Archeacon said. “CISOs were implementing fundamental security controls such as multifactor authentication, DNS and VPN security. As we move forward and new ways of working emerge, CISO’s are taking stock of their learnings to form a strategic view on how their organisations need to be secured in future. This amplifies the need for collaboration so that users can also play an instrumental role in security on the frontline.”
- Artificial Intelligence, Machine Learning & zero-trust security
In traditional security approaches, trust is based solely on the network location the access request originates from, while in a zero-trust approach, trust is more dynamic and adaptive. It's established for every access request, no matter where it comes from and secures access across apps and networks, and only allows the right users and devices to get access.
More authentication factors, adding encryption, and marking known and trusted devices, make it harder for attackers to collect what they need (user credentials, network access, and the ability to move laterally).
Purpose-built User and Entity Behaviour Analytics (UEBA) is one example how AI & ML can be used to help enable zero trust security. It places the analytics around specific activities rather than the generalized approach taken today.
“AI and ML is a form of automation to assist humans. Automation works best when you have certainty, precision and commitment. These are the three elements that we factor into our products at Cisco. When it comes to certainty, you must be certain of how, what, why and when you need automation to support you. In addition, you need to be precise in how you need automation to work for you so that it does not inadvertently impact any other systems. Finally, you need commitment: be prepared for the automation to be running for a long period of time without any adjustments,” Nather concluded.
Most Read Articles
Have Your Say
What new tech or developments are you most anticipating this year?