The impact of the pandemic and the rapid acceleration of digital initiatives in a short time forced organisations to control and manage disruptions to their business. As security and risk management leaders handle the recovery and renewal phases from the past two years, they must consider forward-looking strategic planning assumptions when allocating resources and selecting products and prioritizing services and initiatives.
How do security and risk management leaders keep pace with the future of digital in a post-pandemic scenario? Gartner predicts that by 2025, 60% of organisations will fail to realize the benefits of zero trust. Zero trust has been with us for over 10 years.
Asked for his opinion on why such a high failure rate, Sean Duca, VP and regional chief security officer for Asia Pacific and Japan at Palo Alto Networks, says that many believe that zero trust is a product.
He corrects this by suggesting that it (zero trust) is a strategy – a mindset change to security by removing implicit trust.
“Gartner’s prediction stems from the fact that some vendors are pushing products that can solve all your zero trust problems, which is factually incorrect. It's a combination of different tools, and approaches to how we have solved for security, making it fundamentally harder for an adversary to get inside our environment and cause harm,” he elaborated.
Gartner also predicts that by 2025, 40% of boards will have a dedicated cyber committee and 50% will have performance requirements placed for the C level.
Duca agrees that the prediction reveals organisations are starting to take cybersecurity seriously. He goes on to comment that what Gartner is probably getting at is the key point that if our organisation is collecting information, it should be securing and protecting that information.
“An organisation and their executives should be measured on that (security) as we typically measure the way that we serve our customers. Why don't we focus on doing that from how we secure the customer?”
“That's the approach we should be thinking about because ultimately, you can lose customers by suffering from a breach,” warned Duca.
Government regulation to counter ransomware
Governments around the world are finally taking notice of the impact ransomware is having not just on businesses but also on citizens’ lives and economies.
Miriam Wugmeister, a partner at Morrison & Foerster, predicts that 2023 will see fewer ransomware payments and attributes this to the combination of government actions to deter and disrupt ransomware activity, new legal requirements to disclose ransom payments, and declining insurance coverage.
Gartner predicts that by 2025, 30% of nations globally will pass legislation on ransomware. Ransomware has been with us for a while now, and it has been much more top of mind over the last couple of years.
Asked whether this is too little too late for governments and regulators, Duca suggested that it depends on what type of legislation will be passed.
“From the work that we've done with the ransomware taskforce, the findings point to governments needing to think about mandating the reporting of ransomware to decipher how big or small the problem is, before making a policy decision.
“We’ll need to be very careful about the type of legislation that should be passed by thinking about the result that we're looking to achieve,” he added.
Will 5G adoption expand vulnerability vectors?
Asked whether organisations integrating 5G into their connectivity infrastructure will further deepen their vulnerabilities, Duca steps back and acknowledges that countries around the world are constructing a 5G network by adding to their current 4G infrastructure.
“This means that to build a 5G network, you'll need to use a lot more virtualisation, which means you'll need to use a lot more cloud. And along with that, the cloud's ability to deliver performance, scalability, and agility also begins to expose the 5G core to cloud security flaws. You never know where your massive attacks will originate, even if they originate within the operator's network,” he opined.
Cloud supply chain vulnerabilities on the rise
A Palo Alto Networks 2023 prediction notes that as supply chains go digital, taking advantage of maturing cloud technology and expertise, there is a corresponding rise in the risk associated with cloud supply chains.
Duca explains that with companies adopting cloud-native architectures, they are also consuming third-party code. Developers building applications hosted in public cloud infrastructure are going to various public repositories and borrowing code.
“How do we start providing checks and balances to understand the issues there? The key is to ensure that we don't fall victim to cloud supply chain attacks that could disrupt our organisations, the availability of our systems, and in turn any other type of infrastructure that's inside the environment,” suggested Duca.
Data sovereignty in a borderless global economy
Data sovereignty is the idea that data is subject to the laws and governance structure of the country where it is collected. The growing adoption of cloud computing, including the storage of data or information, and revelations about the U.S. National Security Agency’s PRISM program and the US Patriot Act, have prompted governments around the world to consider putting in place national data sovereignty measures.
Can enterprises comply with the evolving regulations on data sovereignty while taking advantage of the borderless opportunities that are accorded by the internet?
Duca acknowledged that the discussion around data sovereignty is intensifying because the world is becoming more reliant on the digital information we are putting out there.
“If we consider the data within the physical confines of our country, what it means is we're limiting the agility and elasticity it could offer. Thinking about this borderless world that we're in when it comes to cybersecurity, cybercrime is borderless; they don't think about localization or data sovereignty.”
“They're thinking about how they can launch an attack from one country to another using different systems. The more that we start concentrating all our data in one central place, it also becomes a very good honeypot and a target,” he posited.
Metaverse as viewed from the CISO’s office
The metaverse will continue to be the stuff of experimentation and theory-setting. But for organisations looking at this, how should they approach the technology from a security angle?
Duca sees the metaverse as another type of channel that an organisation can use to sell or deliver their services and goods to the market.
“How do we start to ensure that we're factoring the security and reputational aspects and the potential fraud that could happen? A word of caution would be to think about what we're doing because we are going to be experiencing a whole new way of interacting with our customers. Let's just do it safely and securely,” he posited.
Top recommendations for CISOs and CIOs in 2023
Duca suggests focusing on ensuring that as the businesses transform: “as we start to think about faster ways to interact with our customers and constituents, let's think about transforming the way that we've been doing security.
“We need to change our ways because the attackers can change theirs. We need to think about how we operate at scale and ensure that our businesses are resilient. We need to ensure a prevention-first mindset and applying strategies like zero trust would be one method of trying to achieve that,” he concluded.
Click on the PodChats player and hear Duca elaborate on what CISOs and security professionals in Asia can expect in 2023.
- Gartner predicts that by 2025, 60% of organisations will fail to realise the benefits of zero trust. Why do you think this is so?
- Gartner forecasts that by 2025, 40% of boards will have a dedicated cyber committee and 50% will have performance requirements for C-level. Your thoughts?
- Gartner predicts that by 2025, 30% of nations globally will pass legislation on ransomware. Do you think this is too little too late by then?
- Onto Palo Alto Network’s predictions for the coming year:
- Why do you think the acceleration of 5G adoption will deepen vulnerabilities? (viewed from enterprise)
- When do you say cloud supply chain attacks will disrupt businesses? How can enterprises address new potential vulnerabilities while adopting the use of clouds – public or private?
- Data sovereignty has been around for decades. Why will it intensify in 2023, and how can enterprises comply with evolving regulations on this while taking advantage of the borderless opportunities accorded by the Internet?
- The metaverse is nascent at this stage. For organisations looking at this intently, how should they approach the technology?
- Looking at 2023, what are your top 3 recommendations for CISOs and CIOs as they look to protect the enterprise against the unpredictable?