Four ways CISOs can move enterprise security into the new normal

Security is changing rapidly, and the COVID-19 pandemic hasn’t helped. A Cisco roundtable of chief information security officer advisers plotted the course for a secure future.

Image: 1550539, Getty Images/iStockPhoto

A roundtable discussion among Cisco chief information security officer (CISO) advisers Wendy Nather, Richard Archdeacon, and J. Wolfgang Goerlich outlined how the enterprise cybersecurity world is changing, and what CISOs need to do to ensure the “new normal” is a secure one.

Nather, Archdeacon, and Goerlich identified four trends in cybersecurity that are all part of the evolution into a new world of securing enterprise systems, and each of them have been made more urgent by the spread of the COVID-19 pandemic and its effects on the state of work.

Their analysis of the current state of cybersecurity points to a model that’s largely outdated and which has reacted poorly to rapid changes, often deploying Band-Aids instead of permanent solutions. To solve these problems, they said, CISOs should think about the four trends, and what can be done to bring an organization in line with what may be the future face of enterprise cybersecurity.

SEE: Incident response policy (TechRepublic Premium)

It’s time for collaboration, not control

“There’s an elephant in the room when it comes to cybersecurity,” Nather said. That elephant is an old, outdated model of how cybersecurity works, and it’s hampering good habits.

“We always assumed technology would be something we used at work, our bosses would prescribe security policy, and we would follow it,” Nather said. Thinking like that became archaic the moment technology became ubiquitous. Now that everyone has a multitude of internet connected devices, Nather said, CISOs can’t simply dictate security policy and expect users to fall in line.

Not only will workers not fall in line with top-down security directives, they’re also likely to intentionally subvert them to get what they want out of the tech they use at work. “The more constraints placed on users, the more creative they become,” Goerlich said.

Savvy users, Goerlich said, can be an asset to a cybersecurity team, helping to secure networks by collaborating with CISOs instead of working against them.

Remote work came on fast, and probably isn’t going anywhere

The COVID-19 pandemic was responsible for a rapid shift to remote work, something that caught many organizations unprepared.

Nather said that there have been a number of issues that arose due to the quick shift: Not enough hardware for home workers has led to forced BYOD, license shortages for secure connection software, users have pushed back against company control of personal devices, and endpoint device management has become practically impossible.

SEE: Identity theft protection policy (TechRepublic Premium)

Much of what CISOs were forced to implement was likely rushed due to how quickly pandemic lockdowns happened. The rapidity of the movement to remote work means that long-term solutions may not be in place. “If sustainable security wasn’t built in the beginning, it’s going to have to be built now,” Nather said.

Archdeacon said that users have to be made the front line of security in this situation, which means implementing security systems that don’t rely on enterprise security products connecting directly to remote user’s PCs. Multifactor authentication, DNS security, VPNs, and other familiar security products that put the security onus on users will be necessary for now.

AI and machine learning: CISOs are right to be skeptical

AI and ML-powered security tools have been viewed skeptically by some CISOs, and all three panelists seemed to agree that they’re right to be wary of passing security off to what Nather said some CISOs consider “just statistics and programming rules.”

“Used properly, I believe AI and ML can help with the big problem of organizations being overwhelmed by the amount of security data to sift through,” Nather said. The problem comes when AL and ML can’t be relied on to recognize the specificities of how each individual organization works.”

“Training an AI model can take months,” Goerlich said, adding that a rapid change like the kind encountered with stay-at-home orders can throw machine learning models out the window. There were countless alerts and false positives thrown by AI-powered security software at the start of the pandemic, Goerlich said.

Nather advises CISOs planning to use AI and ML for security to treat it like any other form of automation. “Automation works best when you have certainty, precision, and commitment,” Nather said.

“Be sure an automation tool is only doing what you want it to do, make sure it’s precise enough not to affect anything else, and commit to letting it run for a long time without making adjustments. If you’re not OK with letting it operate unsupervised it won’t be that useful,” Nather said.

It’s time to embrace a passwordless future

“Passwords have had their time. Nowadays attackers don’t break in, they log in,” Archdeacon said. The other panelists agreed, citing numerous reasons and extant technologies that make embracing passwordless security more practical than ever.

Goerlich said the transition will be driven by two things: What users expect from consumer devices (e.g., FaceID, Microsoft Hello, etc.), and new security standards like FIDO that make passwordless security practical.

Nather thinks secure enclaves on modern smartphones are a perfect example of how passwordless security can work. “Secure enclaves make cryptographic functions manipulable without any input from a user or potential for access by an attacker. Users can log in once with a single biometric method, and the secure enclave handles the rest,” Nather said.

The end result of a transition to passwordless security would be a securer enterprise, happier users, “and help desks not having to constantly reset passwords after a holiday,” Archdeacon said.