Techonomy recently hosted a roundtable on one of the most urgent technology issues facing business. The session, entitled “How the New Approach to Cybersecurity Can Create Trust,” was hosted in partnership with Wipro, the global strategy, tech, and consulting firm.
Panelists explained why the security challenge has become more urgent during the pandemic, and outlined new approaches vigilant companies are adopting in response. Trust was a key theme because customers demand that the companies they do business with offer a secure and reliable digital environment. Addressing all this were Tony Buffomante, Wipro’s global head of cybersecurity and risk services; Mike Kiser, director of strategy and standards at Sailpoint, a provider of identity-management solutions; and Elena Kvochko, SAP’s recently appointed Chief Trust Officer.
Below are highlights.
On the Threat
Buffomante: “The threat landscape has changed because of the way working has changed over the past couple of years. Today we see an advanced threat using the same automation–maybe more automation–than the good guys…The amount of information we see in the hacker community, the crowdsourcing that happens, the amount of automation that is brought to bear on determining how to exploit all that and monetize it is incredible. The attackers have a bit of a recipe for disaster.”
On the Importance of Trust
Buffomante: “Businesses today are rapidly trying to evolve their practices, to automate their own front office and middle office in particular, trying to get closer with their customers, and trying to personalize that experience in new and different ways…So if I’m going to allow myself the benefits of all this personalization and automation and geo-tagging and everything that comes with it, I also have to put a lot of trust in the hands of the organizations that are collecting my personal data every second.”
Kvochko: “Trust is a confidence that commitments will be kept. It’s a business value for us. That’s why SAP established the Trust Office. We believe in overcommunicating with customers…As the threat landscape and the technology and the digital landscape evolve, a lot of companies seek to differentiate on trust and transparency, in addition to just the quality of products and services they provide.”
Kiser: “At Sailpoint we see trust as undergirded by identity–[companies] being able to identify who they’re interacting with and making sure they have the right access and minimizing that footprint…identity has to be automatic or a default choice, and…easy to use, because people have business to conduct.”
On Automation in Cybersecurity
Kiser: “Some people are still using manual processes…spreadsheets from the 1990s and 2000s. But the real future is understanding what’s coming before it happens, and building on that and getting insight from past decisions…and applying it in key ways. People describe this as machine learning or artificial intelligence. But you have to use it in very specific use cases and applied ways, not use machine learning or new technology for technology’s sake.”
Buffomante: “IT spend is moving out of the IT environment. The business is going ahead and contracting directly on some of these scenarios. But that may or may not be done in the most secure manner…There’s always going to be a new version of malware. The days of doing a questionnaire and analyzing third party risk that way are well past…Today there’s more ability to get real time information about what’s actually happening in the client’s environment, whether it be threat intel information, user behavior, or system configurations…We’re creating automation that’s pulling configuration information from inside a third party, across a firewall, and into the organization to analyze it…as opposed to just an outside-in view.”
Kvochko: “We’ve always believed in a holistic approach to security…We have to look at all the multiple channels through which an attacker can enter an organization…A critical part is real-time monitoring of systems…Those technologies are capable of analyzing millions of data sets, and tracking different cyber threats in a way traditional software systems couldn’t keep up with. We now ask ‘How can we automate trust? How can we deliver trust at scale?’”
Finding Staff for Cybersecurity Jobs
Kvochko: “In cybersecurity there’s been a perception that we just don’t have enough talent to hire from. So we have to be creative in where we source that talent. We have established new partnerships with schools and universities where we start earlier, and hire talent that we develop and grow internally.”
Kiser: “People assume there’s some kind of qualification or certification or required degrees or credentials. But that’s not always the case. We want people who are hungry, teachable, and quick to learn.”
Buffomante: “It’s not just about technical depth and expertise and vendor certifications. It’s also about understanding the business processes and the industry context around it, and the fact that there’s a higher purpose to all this stuff.”
The Role of Boards of Directors
Buffomante: “It’s a huge priority for boards. And the conversation has definitely changed. The level of maturity of the conversation in the boardroom has grown…But it’s one of the highest enterprise-level risks they’re managing, and I still see frustration…They feel management isn’t winning. This is going to put more pressure on Chief Information Security Officers to do a better job demonstrating the value of the investments they’re making. Everyone’s talking about ‘Well we’ll just go through some AI and ML and then we’re gonna be good, right?’ But that is not the path to success if you’re communicating to a board or an audit committee or an IT committee.”
On Cybersecurity and Innovation
Kvochko: “New technology inevitably creates new risks. On the other hand, new risks create new opportunities for innovation. During the pandemic we saw how so many businesses transformed themselves at a speed that was just unthinkable before. Now we see more and more processes where security is embedded from the beginning. It ties back to the talent question. To unleash more innovation we have to source talent from new places, to give people new opportunities to show their creativity.”
Good Old-Fashioned Change Management
Buffomante: “How many organizations are sitting there saying ‘I understand all my assets and where they live, and who’s responsible for them and what patch level they’re at’? No way. So we need a better way to get a handle on the landscape through discovery. Using this intelligence we’ve been talking about to continually learn is step one. But patching these vulnerabilities isn’t really that hard. It’s the project management, the program management to understand what needs to be patched. And getting this tested and done within the windows that are not going to disrupt the business. It’s good, old-fashioned change management.”