Taking Holistic Control of Your Enterprise's Security
By Jaya Baloo, CISO, KPN
The evolution for us as security professionals is to be more than just networking systems professionals. It requires us to take a broader view of the angles on the threats that are coming at us. We, as practitioners, need to have a multidisciplinary approach to figure out how to solve the threats coming at us.
Today the hardest thing is not knowing that these attacks are happening; although detection or response is an issue in itself, prioritizing effectively what to handle first is rather more important. For this to happen, it requires a deep understanding of the problems and a non-trivial effort at best, considering the rapid evolution of technology today.
What, according to you, are some of the challenges plaguing information security today, and how can they be mitigated effectively?
The first and foremost challenge is the volume of traffic that we need to understand, as well as the granularity of inspection. We notice people saying that we need the granularity of movement to observe the most advanced attack groups. Some of those groups are still making use of phishing as an initial vector. But to manage to pierce that initial vector and see them moving through the network requires a degree of real understanding of one's own network and different types of system monitoring. To identify the normal traffic and define anomalies, we first need to understand what it normally looks like. Most companies don't know how to figure out if it is normal or not. I need to do something about it, as this could be a sign of someone who doesn't belong to us and is trying to steal traffic or data, and that's what is challenging to achieve.
Could you elaborate on some interesting and impactful initiatives that you’re currently overseeing?
We are specifically focusing on preventative measures. We worked on secure communication programs and post-quantum algorithms/versions. We have taken a lot of measures to protect the data and communication and their lifecycle, to prevent a lot of things from happening by applying encryption.
We are trying to examine how we can solve the challenges effectively with a broader principle, to make things less complex. Because I think in some of the cases especially, when applying some technological solutions, you have the constraint that as complexity increases it decreases your actual security, because you have no clue what's going on anymore. So we always say complexity is the enemy of security; again, have security, but try to keep it simple.
Attention on protecting personal data is continuing to rise in terms of compliance, and being able to stick to regulation as it changes would be another challenge. What's your view on this?
The regulations are going to change the way the regulators do, but our goal is not to achieve compliance. I opine that compliance is a minimum baseline of things that we have to do. No matter what, our goal is security. This means that compliance is a minimal effort if you're doing a lot more on top of it to get things correct. According to me, we should be more concerned with what we need to do on top of compliance.
Which are a few technological trends influencing the information security landscape currently?
In terms of cloud adoption, we need to understand that when we outsource our data, we don't outsource our responsibility. So regardless of which cloud vendor we work with, it's still our responsibility to verify the trust we place in that cloud provider. This means that we need to be able to do security and defense, and that's what we always did. Many cloud providers don't provide this type of visibility into what happens, and there is a risk when you have to assume that there will be a set of people potentially accessing your data or doing system changes that you're more open about. There are a lot of Software-as-a-Service providers who don't want you to encrypt your data when you use their service. Managing that isn't always left to your own capability. You need to either take over that cloud provider's encryption standards or trust them with doing the necessary. And I think here it places a lot of burden on you to have a right to audit and ensure you will go through everything and that you're comfortable with what types of security you provide for your user data. The worst scenario is you know all of this, but there is no other way. Thus, while embracing the cloud, ensure you know what you're getting into and that you'll be appropriately covered on all of the concerns. That being said, I think AI is a huge bonus if applied collectively and effectively. I believe in using AI for security, and it can be a great help simply with the mass amounts of data that are coming at us and being able to better appreciate and anticipate attacks.
There is an exponential change that we're going to see in the future, which is going to evolve more rapidly than before. I believe that the pace of change is not likely to decrease anytime soon, and it worries me a bit because I think that it still gives an asymmetric advantage to the attackers rather than to the defenders.
Do you have any suggestions for industry veterans or budding entrepreneurs from the information security space?
The most important thing for a CISO or anyone else is to keep learning in terms of technology. One has to be a good problem solver, creative, and a diplomat to a certain extent. But what really matters is that while they attend a lot of meetings, and after the endless meetings, they still need to ensure that the thing that brought them there in the first place, a strong technical foundation, is kept up. It's always a misfortune when you see CISOs let that go, and then they struggle to understand how to prioritize the problems that they're getting from their people. So I think no matter what else happens, they need to hold on to that strong technical core while continuously evolving and developing other skills.