Cybersecurity: What Leaders Need to Know in 2021

By Salvatore Ciolfi July 12, 2021

Cybersecurity: What Leaders Need to Know in 2021 – the latest in BrainStation’s Digital Leadership Event Series – took place on July 8th, and featured the four experts leading cybersecurity strategy at financial services giant Mastercard, investment firm Blackstone, professional networking site LinkedIn, and software developer Citrix.

Our panelists agreed that the need for cybersecurity has grown dramatically over the past year and a half – more on that below. But what exactly does cybersecurity entail?

Eugene Dvorochkin, Senior Member of the Information Security team at LinkedIn, summarizes cybersecurity as “using technology, processes, and controls to protect systems, network, and data. Ultimately, everything goes back to the data…All we’re trying to do is protect that data, protect its integrity, and make sure [there’s no] unauthorized use of it.”

As Kurt Roemer, Chief Security Strategist at Citrix, explains, cybersecurity’s traditional focus on maintaining data’s confidentiality, integrity, and availability should expand to include a fourth factor: safety. “As we adopt IoT and other artificial intelligence and [augmented reality applications], it’s integrating with our physical world in a way where safety becomes critically important.”

Puneet Bhatnagar, Senior Vice President / IAM Lead – Cybersecurity at Blackstone, takes a more philosophical approach: “I ask myself the fundamental question of ‘How can I help build trust into the design of systems? Do I feel comfortable signing up for an application when I’m offering my personal details? Do I trust the brand that I’m offering that information to?’ It’s important for corporations to see cybersecurity as everything they need to do to build trust within their applications and ecosystem.”

Sukhmani Dev, Vice President of Digital & Security Solutions at Mastercard, concurs. “We want to make sure that trust is reflected in every single transaction.”

Achieving that ultimate goal is as dynamic a process as technology itself. Below are just a few of the broader trends our panelists identified.

Cybersecurity Is More Important Than Ever

COVID-19 and the resulting explosion of work-from-home culture have compressed an evolution that was expected to take a decade into a matter of months. That acceleration means more online activity, more new users, and more complexity in the individual systems those users rely on, all of which spells opportunity for bad actors. The result is a sudden and acute need for more digital security.

Much of that need comes down to simple volume; during lockdown, more people worked and shopped from devices in their homes. Dvorochkin explains, “When you’re using your home network, you’re potentially using personal devices like your personal computer or iPhone to access corporate environments and data, and you’re also dependent more on third-party systems such as Zoom or other communication methods. You’re coming into harder-to-secure environments.”

For many large international companies, accommodating remote work was relatively straightforward. But for many smaller brick-and-mortar businesses, this meant a first foray into the digital world – and these are particularly vulnerable to hackers. “[It’s a misconception] that only big, well-known companies are the targets of attacks,” Dvorochkin continues. “Hackers have gotten more advanced, but also the tools and techniques that they use have basically become public. Anyone can go online and start hacking any company. It’s not just large, well-known companies that are being targeted by sophisticated hackers – it can be literally any mom-and-pop shop.”

Dev identifies the growing complexity of systems as another vector. “Everything is more interconnected than ever,” she says. “If you think about a bank, they may have their suppliers, but then their suppliers have suppliers, and these are massive supply chains. The connection points have grown exponentially in the last few years.”

This means more weak links for hackers to exploit – and hackers have taken notice.

Moving From Systems to Users

The growth in scale and complexity also means cybersecurity teams are fighting on more fronts than ever. This in turn is leading to a change in the way cybersecurity experts conceive of their task. If the goal is to secure data within a digital fortress, cybersecurity’s job is to protect the perimeter – but the perimeter and modes of attacking it are ever-changing. Locking data down is not the answer – there’s no point in having a system if nobody can access it. Instead, the priority is shifting to, first, confirming the identities of the people accessing it, and second, granting access to only the data they need, rather than the entire system.

“Before, you might have had certain things that could only be considered secure when they were in the four walls,” Roemer says. “What if you turn that around and say, ‘How do we secure these when it’s outside the four walls, in the cloud?’ When you look at the hybrid work model, you have people working in different situations potentially every week – in an office, in their home, maybe in a coffee shop again, maybe out traveling. How do you make sure that you’ve got the right security environment available for those individuals?”

For Bhatnagar, this means “the only real perimeter you have that you can truly secure is your identity perimeter.” This typically demands multi-factor authentication, which helps to verify that people are who they say they are (“There are some crazy statistics out there,” Bhatnagar says, “like, more than 90% of breaches originated from some sort of email compromise”).

As a result, “It’s not enough to just have a good network perimeter or to have a good set of firewalls. You have to move your thinking from being systems- or network-centric to being identity- or user-centric. That’s when we started thinking about these newer paradigms of zero trust. With the kind of volume of information that people are constantly accessing, you’re always going to be playing catch-up if you’re just trying to patch the system or secure the network.”

Shifting focus to the user’s identity helps deny access to outside attackers, but it also helps contain risk from the inside by limiting even legitimate users to the data they actually need. That, of course, depends on knowing what data you hold and where it lives. Dvorochkin explains, “Back in the day, companies were over-privileging people, and they were able to access everything carte blanche, which obviously leads to a lot more risk. [You need to be] very specific about all the data that you have. You don’t know what you don’t know, so good identification tagging is very important – to know exactly where your data is located, how much of it there is, and the transactions you have with it, especially with third-party suppliers. Because, again, we’re becoming more and more dependent on third-party applications, and they’re obviously not at the same level of trust as our internal employees. It all comes back to identification, having a good asset inventory of it, and being able to limit it.”
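To make the shift the panelists describe concrete, here is an added example (not code from the panel or from any of the companies named above) that puts a network-perimeter check beside an identity-centric one. The corporate IP range, the users, the datasets, their classification tags, and the entitlements are all constructed for illustration. The identity check denies by default, requires MFA for anything non-public, refuses to hand confidential data to an unmanaged device, and, in the spirit of “you don’t know what you don’t know,” refuses any dataset that is missing from the asset inventory.

```python
"""Network-perimeter vs. identity-centric access decisions (illustrative)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

# --- Legacy model: trust whatever comes from "inside the four walls" ------
CORPORATE_LAN = ip_network("10.0.0.0/8")  # assumed internal range (constructed)


def perimeter_allows(source_ip: str) -> bool:
    """Anything on the LAN gets everything; anything outside gets nothing.
    This is the model that breaks once staff work from home and coffee shops."""
    return ip_address(source_ip) in CORPORATE_LAN


# --- Identity-centric model ---------------------------------------------
@dataclass(frozen=True)
class Principal:
    user: str
    mfa_verified: bool                       # passed a second factor this session?
    managed_device: bool                     # corporate-managed vs. personal device
    entitlements: FrozenSet[Tuple[str, str]]  # explicit (dataset, action) grants


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str   # "public" | "internal" | "confidential"
    owner: str            # team accountable for the data


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed asset inventory: the "identification tagging" of the text.
INVENTORY: Dict[str, Dataset] = {
    "marketing_site": Dataset("marketing_site", "public", "marketing"),
    "hr_directory": Dataset("hr_directory", "internal", "people-ops"),
    "customer_txns": Dataset("customer_txns", "confidential", "payments"),
}


def identity_allows(p: Principal, dataset_name: str, action: str,
                    inventory: Dict[str, Dataset] = INVENTORY) -> Decision:
    """Deny by default; every allow must be earned by an explicit grant."""
    ds = inventory.get(dataset_name)
    if ds is None:  # untracked data cannot be governed, so it cannot be served
        return Decision(False, f"{dataset_name} is not in the asset inventory")
    if ds.classification != "public" and not p.mfa_verified:
        return Decision(False, "MFA required for non-public data")
    if ds.classification == "confidential" and not p.managed_device:
        return Decision(False, "confidential data requires a managed device")
    if (ds.name, action) not in p.entitlements:  # least privilege: exact grant
        return Decision(False, f"{p.user} has no entitlement for {action} on {ds.name}")
    return Decision(True, f"explicit grant for {action} on {ds.name} (owner: {ds.owner})")


# Constructed principals: an employee and a third-party service account.
ANALYST = Principal("a.lee", True, True,
                    frozenset({("customer_txns", "read"), ("hr_directory", "read")}))
VENDOR = Principal("svc-vendor-ops", False, False,
                   frozenset({("hr_directory", "read"), ("marketing_site", "read")}))


def compare(p: Principal, source_ip: str, dataset_name: str, action: str):
    """Return (perimeter verdict, identity verdict) for the same request."""
    return perimeter_allows(source_ip), identity_allows(p, dataset_name, action).allowed


if __name__ == "__main__":
    cases = [
        (ANALYST, "10.1.2.3", "customer_txns", "read"),      # in office
        (ANALYST, "198.51.100.7", "customer_txns", "read"),  # from home
        (ANALYST, "10.1.2.3", "customer_txns", "export"),    # no export grant
        (VENDOR, "10.5.5.5", "hr_directory", "read"),        # on LAN, no MFA
        (ANALYST, "10.1.2.3", "legacy_dump", "read"),        # untracked data
    ]
    for p, ip, ds, act in cases:
        print(f"{p.user:15} {ip:14} {act:6} {ds:15} perimeter/identity = {compare(p, ip, ds, act)}")
```

The two verdicts diverge in exactly the situations the panel highlights: the analyst working from home is refused by the perimeter model but admitted by the identity model, while the vendor account sitting on the LAN is waved through by the perimeter model and stopped by the identity model because it never completed MFA.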

Culture and Education Are Key

You can’t implement any kind of cybersecurity strategy unless your teammates are on board. And people are often the weakest link in the cybersecurity chain: many intrusions begin not with a technical exploit but with social engineering, an attacker posing as a colleague or authority figure and talking someone into handing over a password. The solution here is as much social as it is technological.

“Cybersecurity is not one person or one team’s responsibility,” Bhatnagar says. “Everybody needs to roll up their sleeves and own it. We lay a lot of emphasis on end-user awareness training, helping them identify phishing emails, doing simulations of phishing, and incrementally advancing the complexity of these simulations, just so we’re constantly educating our people.”

This can directly cut down on individual instances of data breaches, but it also helps cultivate a company-wide culture that values cybersecurity. “Once you put that out there, it’s a language that everybody understands – that it’s not just your cybersecurity professionals who need to be super technical, but that there’s a general framework other business leaders can understand. You can use that to raise awareness and to get the budget and the funding and the resources you need to keep making strategic improvements.”

Dev seconds the importance of corporate culture. “And along with culture,” she says, “I would also say training….It’s a very different way of thinking and operating, as compared to legacy systems. The rest of the technology, design, and so on will fall in place if you have the attitude to culture right.”

For Roemer, this starts at the top. “Security is a shared responsibility, and we all need to be security practitioners. Leadership needs to go to HR and let them know that security capabilities are needed across the organization and talk about how they can provide reskilling and advancement opportunities for those who find security to be a compelling career, and be able to pull those individuals – not just from the IT organization but from across the org, as it makes sense – and so reach out to the rest of the organization [and communicate that] we desperately need additional security professionals and we all need to be considered practitioners.”

Shifting From Tactics to Platforms

Somewhat paradoxically, given the shift in focus from total system security to the user identity perimeter, we’re also seeing a shift away from tactics and toward platforms – that is, to organizing cybersecurity efforts into a holistic strategy, rather than an array of individual patches.

Roemer explains, “The reason for this is that it has become very difficult to manage [a collection of] point products. They don’t integrate well, and we don’t have the resources to use them to their effectiveness. So the more we can build and consolidate into a platform, the more we can amplify security capabilities.”

Dvorochkin adds that this means co-ordinating not just tactics but also entire teams. “Oftentimes, technology domains or functions are siloed. We’re obviously all trying to achieve the same goal, which is to make the firm successful.”

For Bhatnagar, a more strategic approach includes having a well-staffed and -funded security operations center. While it’s always good to be proactive, that doesn’t mean a breach won’t eventually happen, and when it does, it’s imperative that an organization is ready to spring into action. “There’s always things that are going to come out of left field, because hackers continue to get more advanced, and their techniques continue to get more persistent.”

Cybersecurity Is Always Dynamic

Dvorochkin echoes Bhatnagar’s sentiment – responsiveness is crucial. Cybersecurity strategy needs to be dynamic in order to counter attacks both proactively and reactively. On the reactive side, he says, “It’s not a matter of if, it’s a matter of when you’ll get breached; it’s almost impossible to fully be protected on an ongoing basis. Something eventually is going to get through. Protecting the perimeter is important, having good detective controls is important – but you also need to have a good response, good evaluation, and be able to test yourself.”

On the proactive side, this means constantly evaluating your strategy; you can’t just set it and forget it. “[There’s a] misconception that, ‘Okay, well, we invested in technology, we did this one-time setup, we have a cybersecurity program, we’re good to go,’” Dvorochkin continues. “A one-time setup of implementing some tools – it’s not going to protect you. Technology changes almost on a daily basis because of the synergistic relationship between tech and cyber, and cybersecurity is changing just as fast. So you have to be dynamic, you have to always be up to date, and you have to have good investment from your company – because cybersecurity is not cheap.”

“Consider your information technology portfolio a set of investments,” Roemer adds. “As with your personal investments, go through from time to time and re-evaluate what’s working well, what’s not, and where you need to dump the dogs and move on to something that’s going to give you a better return. Security is very much like that. We need the agility, and if you consider your information technology portfolio not as a sunk set of decisions but as a set of investments that are constantly evaluated, you can help to move forward and address today’s and tomorrow’s security needs.”