An IT security strategy guide for CIOs
Companies need to rethink their cybersecurity architectures for a number of reasons, according to Nemertes Research CEO Johna Till Johnson. The need for a next-generation security architecture is being driven by the failure of the perimeter-based architecture, the emergence of a professional threat economy and the fact that the penalty for getting hacked is getting worse. In this Q&A interview, Johnson explains the dynamics of this shifting landscape, points to technologies that can make the job easier for security teams, makes the case for a new funding model and discusses organizational structure changes that can address the higher threat level.
Editor's note: The following interview has been edited for clarity and length.
You say the time is now for next-generation security architecture. Why now?
Johna Till Johnson: There are a handful of things that are coming together. [The first one is] the failure of the perimeter-based architecture. And what I mean by that is that for the past 15 or 20 years, there was a very safe way to build your security infrastructure that depended heavily on the concept of insiders versus outsiders. So the firewall was introduced in the 1990s [along with] a secure Web gateway in its most primitive form.
And the notion was you could keep the bad guys off your infrastructure by putting firewalls at the demarcation point between outside and inside. The underlying assumption there was the bad guys were outside and the good guys were inside; that was reasonably accurate if you were an army. You could figure your guys were good and the other army was bad. But it didn't account for two things. One was insider threat, which is damage introduced by insiders, and the second one (more important in my book) is the ability of outsiders to compromise machines, get inside and then create all sorts of havoc on the inside.
The other thing that the perimeter-based architecture didn't take into consideration was the relentless drumbeat of the move toward cloud and mobile, which really starts putting assets outside the perimeter. So for all these reasons, perimeter-based architecture has begun to fail, and people are moving toward a perimeter-less architecture, which requires rethinking.
Another big step, regarding the ability of bad guys who are now able to infect machines and get on the inside: That's the result of the emergence of a professional threat economy, which sounds wonky, but essentially what it means is that each player in the economy can specialize in his or her function, and historically specialized economies tend to scale a whole lot better, just by comparison. The original hunter/gatherer economy, where everybody did everything, doesn't scale well beyond the size of the tribe. You can have lots of little tribes, but essentially you can't really support much beyond a tribe of humans.
Human economy took off [with] special divisions of functions: where you had some people milling and some people farming and some people hunting and some people crafting baskets and so forth. And essentially that's what we're seeing in the threat economy, where some people specialize in capturing and creating botnet armies, other people specialize in money laundering, other people specialize in vulnerability detection, and you can actually barter all of these things or sell these things. So you can go out, wave a wad of cash and compile yourself a botnet army, a set of vulnerabilities, a set of targets, and maybe a nice list of information that you can use to hack and you can launch an attack almost just by buying all the pieces that are now prefab. That makes threats considerably worse.
The final reason to rethink your architecture is that the penalty for getting attacked is increasingly getting worse. Not only have we seen CEOs resign and boards step down as a result of hacking, we're also seeing that regulatory compliance is starting to pick up and the company itself can be under enormous amounts of stress if there's a perception that there was a weakness and it didn't do anything about it. So for 10, 15 years, there's always been an assumption that if you have a firewall in place and your secure Web gateway is in place and if you've got anti-malware, you're in good shape. You've done everything you could do and [if an attack happens], hackers just won.
That's no longer the case. Increasingly you're going to be liable for committing any vulnerability and as we've seen, if you're a senior executive, you may have to take the fall for the hack. And that puts a lot of pressure on companies to really rethink how they're doing security. So, really to sum up the answer, it's the [problems] of the perimeter-less architecture; the emergence of a professional threat economy; and the impact of getting hacked both from a personal career limiting perspective, as well as from a regulatory compliance perspective.
One of the other big things that you're seeing evolve in addition to the professional threat economy is now you've got people who built all the pieces, and there's almost an inverse correlation between the mental effort that's required and the criminality of certain things. So, for example, money laundering is clearly criminal, but it doesn't take a rocket scientist; they've been laundering money since forever.
Uncovering certain vulnerabilities and crafting the mechanics of a hack is very, very dangerous but not necessarily illegal, and, in fact, it's very dangerous to make it illegal. There's not just this specialization, but also this distribution of risk, and that, in turn, is setting up the possibility that people can go in and literally buy cyber terrorists armies to do what they want to do, and as we're starting to see countries move against each other, we're starting to get into science fiction land.
It's going to get worse before it gets better because the stakes are now really high. There's a lot of money to be made. Obviously, it's worth it to the criminals to take on more risk because you take on risk when there's more money at the other end of it, and it's also worth taking the time and effort to develop some of the skills.
So, this is far more serious than most people think. Everybody is still stuck in the past thinking, "Oh, hackers are pimply teenage kids in their parents' living rooms." They're not. I'm not going to name names on countries, but I have it on extremely good authority from the folks that actually are paid to know this that entire countries train people and pay people to get good at uncovering vulnerabilities [on a large scale] and it's almost a manufacturing plant of literally buildings full of rooms with smart, young people who are running bots and figuring out vulnerabilities, constantly scanning, because the value of this is so high.
You said, "It's going to get worse before it gets better." That suggests that it will get better.
Johnson: One of the reasons that we're recommending a next-generation security architecture is we're on the verge of a massive revolution in pretty much anything software-based right now, which really has to do with automation. So there's a ton of stuff that used to be done in a highly manual way that's about to be done in a much more automated fashion, and it's akin to the impact of robotic manufacturing plants.
Over the weekend, I was watching an automated loading and unloading of ships using shipping containers and the cranes that they use to hoist them. The whole thing was run by a guy in a tower who's running a computer program that tells where these giant shipping containers are going to go at any given point in time, and they get lifted up and moved over. And there are thousands and thousands of people who are no longer working as longshoremen.
That kind of thing is about to happen to the software world, and that means that as you start building out this perimeter-less architecture, you can automate a lot of the protection that used to be manual and improve its scalability, improve its impregnability to a massive extent. That doesn't mean that you'll necessarily be safe, because anything that you have access to, the bad guys do too. But it makes the fight a little more fair for a while, at least.
Johnson: There are a handful of things that are not necessarily unique to chief security officers -- they apply more broadly to IT -- but I can't stress enough the importance of funding, and really what a CISO needs to do is reposition funding not as a percentage of the IT budget, but based on the impact of the risk. And what I mean by that is 10 years ago, you had a little cat fight going on between us and Gartner and other folks talking about what percentage of the IT budget should be spent on security. We were arguing for 8, they were arguing for 4, you could compromise on 6, whatever. We went into a lot of clients and they said, "Well, Gartner said we should be spending this much. How much do you say we should spend?"
The truth is that's the wrong model. If you're spending a [fixed percentage] of your IT budget [on security], you're not thinking about it right. What you need to think about is, if the company's client information is hacked, what is the cost of that to the company in terms of all the usual ways that you assess risk: loss in customers, loss in revenue, loss in market capitalization due to reputation? Let's say that's a relatively modest $100 million for a large company. What are the chances of that happening? Whatever percentage that is: That's what you should be spending just to protect against that risk. One of the things you discover is that if you're spending to mitigate a risk that might be $100 million or $1 billion, the zeros start to add up pretty quickly to orders of magnitudes that are very different than if you're working from the IT budget, which, let's not forget, has been flat to shrinking for the past 10 years in most organizations. So, I don't want to underestimate the importance of revisiting the funding model. It's not just about going out with your hand out saying, "Mr. and Mrs. CEO, can I have more money?" It's more like, "Hey, we need to think about security differently."
And similarly, you really [should] revisit your organizational structure. In a lot of organizations, the CISO reports to the CIO, who reports to the CFO. That makes no sense. The CIO should be the peer of the CISO, and I'm not sure that either of them should be reporting to the CFO.
Regardless of the reporting structure, the CISO should have a strong and good relationship with corporate risk management, and if you don't have a solid risk management group in your organization, you probably [should have] one. If you are too small to afford both risk management and a CISO, you probably [should have] one person looking at both, and that's going to be hard to find but not impossible because you can take somebody that's skilled in assessing risk, bring him or her up to speed in cyber security, and have him or her staff up with however many humans you can get that are smart security architects and do a pretty decent job protecting the company. If you just hire a smart security person, and promote him or her to CISO, you aren't going to get that overall risk protection and, more importantly, integration into the company's risk protection strategy or risk mitigation strategy. So, revisiting organization is key.
I would also say for the next five to seven years, you should have a group that very specifically does nothing but look at new emerging security technologies. …
There's a lot of money going into this. A lot of technology emerging, a lot of startups; it's very, very difficult for anyone to stay on top of all the technology, but you should explicitly fund someone to do that. (And this is self-serving: They should be working with someone like us, who does that for a living.) This is an area that I think is a little new for a lot of organizations because security technology has been a little bit stagnant up until maybe three years ago.
So, summing this all up: Revisit your architecture, revisit your funding paradigms, launch an initiative to make sure you're looking at emerging technologies and revisit your organizational structure.
What are the unsolved problems IT shops have around security?
Johnson: Well, I don't think there's a cut-and-dried solution for cloud security, for application security or for security around Internet of Things. I think there are a lot of really interesting, emerging technologies and [vendors] that claim they've solved the major problems, and maybe some of them have, but those are areas that most end-user organizations … haven't put enough investment, enough thought or enough technology into securing.
I would also say that operationally as companies surge ahead with DevOps, [there] is a new paradigm for developing software that is more reliable, less buggy and comes out at a much faster rate than previously. There's been some sense of "Well, there's no real security component to DevOps." Actually, it turns out that if you do DevOps right, you're also making the software more secure, but there [are] some challenges because one of the DevOps models is this idea that you have these tiny little units, tribes or groups of people that are involved in doing each tiny project, and each one of them has specialized expertise. Well, there aren't enough security operations folks or applications security operations folks to be included in these little tribes and so the scalability can be a challenge. So I think the process of getting SecOps into DevOps is another unsolved problem right now.