Demystifying Cybersecurity

How can enterprises prioritize, plan and act to enhance their cyber defense strategy?

In an increasingly enigmatic threat landscape, cybersecurity is becoming more and more complex. Join our cybersecurity expert, Chris Cooper, as he takes the mystery out of some of the more pressing issues, including security by design, the cybersecurity maturity model, the impact of cloud and IoT, and the advantages of dedicated managed security services.

Transcript

Karl Culley:
Welcome to a Capgemini podcast on demystifying cybersecurity. I’m your host, Karl Culley, and I’m really pleased to be joined by cybersecurity expert Chris Cooper, who will offer his insights on this very often complex topic. So, thank you so much for joining us, Chris.

Chris Cooper:
Thanks, Karl.

Karl Culley:
Could you introduce your role?

Chris Cooper:
Yes, certainly. I have the pleasure of leading the cybersecurity team for Northern Europe [at] Capgemini. I have around 350 people across both the UK and the Nordic countries with a whole range of cybersecurity experts, from consultancy through to managed security services.

Karl Culley:
Well, I guess we’ll start by setting the scene of an increasingly complex threat landscape. Cybersecurity, I suppose, becomes more and more complex, with more and more solutions like hybrid cloud, et cetera, available. How can enterprises effectively manage their security services end to end?

Chris Cooper:
Yeah, if we start by thinking about what’s causing that increasing complexity, it comes down to a number of things. It’s the increased complexity of technology over the last decade, whether that’s private cloud, public cloud, Software-as-a-Service. Now, all of these different things have changed the environment.

The regulatory environment’s changed significantly as well, so there are much tougher regulations such as GDPR around. But also, the threat from both criminals and nation-state sponsored attacks has also increased significantly.

We used to think about it in terms of detect and respond. Protect would be the key part there, before you worry too much about detect and respond. But that model’s changed over the last few years. NIST introduced a five-layer model and the focus moved from prevent to detect.

So now we encourage our customers to be thinking more about having end-to-end visibility of their security environment so they can detect something happening as fast as possible and then they can respond to it, rather than trying to build up huge castle walls that prevent anything from happening in the first place.

Karl Culley:
Okay. Could you advise on how to properly manage identity and access management? And maybe you can also give our listeners a bit of background on the difference between those two things to start off with.

Chris Cooper:
Sure. Yeah. So, identity access management, as a mechanism, suffered when it was first launched, a number of years ago now, because it was seen as a bit of a silver bullet. Now one of these pieces of technology, you could just plug it in, it would do its thing and magically, you had much higher security. And now as time has gone on, people have realized that there’s actually much more to it.

So firstly, as you indicated, Karl, there’s identity management, which is about managing the attributes of the user. And then there’s the actual access management piece, which is controlling your access to different systems. But none of this works without having the people management and the processes around it.

So you still need, critically, a starters, leavers, and movers process. And that’s one of the fundamental problems we find with most clients we talk to when they’re looking at these systems, is they don’t have that in place. And they don’t know when people are joining, when they’re leaving, or when they’re moving to a new role, when [they] therefore need different types of access rights.

Karl Culley:
I’ve got here some notes about access management best practices and a couple of them were pinpoint and eliminate high-risk systems and also crack down on orphaned accounts. Could you talk a little bit about these?

Chris Cooper:
Yeah, so orphaned accounts is really thinking about the leavers and the movers process, it’s accounts that were created for an individual that may not be in the organization anymore, may not be in the role that needs that account anymore, but they’ve been effectively left there.

They’re not being actively used. But of course, because they’re open and they are usable, then they’re a risk that somebody gaining access to the system could try to use those accounts to do things. So you always want to try and remove those things.

In terms of high-risk systems, this really comes back to the NIST model that I mentioned earlier, is that now rather than trying to build castle walls around the perimeter of the environments and try and stop everything, we’d like to focus and identify those key systems, those key data sources that are most important to you as a customer. It’s identify those systems and make sure they’re secure and you might also add other layers of security like encryption and things around them as well.

Karl Culley:
Okay. Can we talk a little bit about patch management and cover what it is? It sounds a little bit like dog training to me. But can you tell me what it is and why it is so important?

Chris Cooper:
Yeah, patch management is all about making sure your software across your environment is up to date and any vulnerabilities have been patched, for lack of a better word.

This is something that’s been around since the beginning of computing effectively, has always been this process of patch management. And as an industry, as now an IT industry, we’ve never really got control of it. We’ve never been good at making sure we’re always up to date. But it’s just as critical today as it always has been. And most vulnerabilities and attack mechanisms use some kind of vulnerability that often hasn’t been patched.

If you take something like the WannaCry outbreak in 2017, now that caused huge damage globally in many organizations. And one of the worst hit was the National Health Service in the UK. And it was purely because they hadn’t applied patches, some of which had been out for over a year, but they’d not applied them. And therefore the vulnerabilities still existed in their systems. So something that’s relatively simple is actually really critical to your security.

Karl Culley:
While they were patching people up, they were perhaps not patching their IT enough.

Chris Cooper:
Absolutely.

Karl Culley:
Oh dear. Okay. As security is so often tied to digital transformation initiatives, cybersecurity perhaps needs to be integrated from the beginning. And I’ve heard this phrase used in the IT bedrock, how can organizations go about ensuring this is the case, Chris?

Chris Cooper:
Yeah, so this is really about making sure cybersecurity is in the whole end-to-end environment. Traditionally, what tended to happen was you would design a new system, you would build it, you’d be about a day away from deploying it and then you suddenly go, “Oh, perhaps we ought to get security to have a look at it.” It was very much an afterthought.

Now, that creates tensions. Security will then often say, “there’s things you’ve missed here.” Now you might have to delay the launch, but also you haven’t got the best security built in to the end-to-end environment. So now we actively encourage all our clients to make sure they build security in from day one.

Now, include the security experts from scoping the solution that you’re looking at through design, build, test, and deployment. And make sure that that security flows through it rather than trying to bolt it onto the side. And that can make a huge difference to the security of your applications and things going forward. And particularly now in this new threat landscape, that’s critically important.

Karl Culley:
Can we move on to talk about the various cybersecurity maturity levels and how companies can benefit from strategic and technology partners?

Chris Cooper:
Yeah, absolutely. Security maturity was something that was created over the last few years to try and help companies understand where they are in that security journey. Now how secure are they?

Security capability was aligned with the CMMI model, which was originally created for software and things. So, it’s a five-layer model, very basic level through to advanced maturity. At IDC for example, they’ve got a model that goes through from ad-hoc security, opportunistic security, repeatable, managed, and then optimized security.

Karl Culley:
Okay.

Chris Cooper:
These things can be used to assess your own security, where in your own environment you are. But you can also look at it from a managed security-services provider perspective in that, by using an MSS, you’re effectively buying into more mature security because they should have that repeatability in place.

It should be actively managed and it should be optimized to make sure you’re seeing those key alerts that you need to see, rather than all the noise around it.

Karl Culley:
Sure. And those security levels you just mentioned, Chris, of ad hoc, opportunistic, repeatable, managed, and optimized. Is that a kind of industry-wide recognized standard?

Chris Cooper:
The five layers are pretty much standardized across the industry, but you’ll see different labels from different companies. I’m afraid there is no formal sort of ISO standard or anything for this. So you will see different labels but they are principally aligned in the same way.

Karl Culley:
Okay. Can we talk about cybersecurity in the age of IoT and cloud and, of course, cloud and IoT are kind of burgeoning and have exploded in recent years. And so the cybersecurity needs to be more than up to the challenge. And how complex does it make things, cloud and IoT?

Chris Cooper:
This is obviously a huge topic, IoT and cloud. So I’ll do my best to cover it in the time we’ve got. But cloud is reasonably well defined now in that you typically have private cloud, public cloud, and hybrid environments. But the way that you’re monitoring and managing that security is completely changed because suddenly you’re very dependent on Microsoft Azure or AWS or Google or whoever you’re using for your public cloud.

That changes the environment you have to deal with and you have to kind of include it as part of your overall end-to-end security environment. IoT is really the next step of complexity that’s coming in. Now, IoT and cloud are two completely separate things, but IoT isn’t really well defined yet. Typically, you can think of it as being any device that’s connected to the internet, but that really would cover everything.

More typically, it’s considered to be devices that we connected. And that could be anything from an electricity smart meter through to your kettle or your fridge. But a lot of this is about consumerism. So suddenly all these devices are connected to your home. So you might have smart lighting, different smart home things like through Google or Amazon or whoever.

All of these things can be connected and then they suddenly become a potential point of vulnerability. And of course if you’re then connecting into your corporate environment from your home network, that link is potentially there as a way of gaining access to a corporate environment.

And on the flip side of it is that consumerism piece where companies that are making these devices are suddenly responsible for the security of those devices in people’s homes, which of course is a completely new environment for people to deal with.

Karl Culley:
Yes. Yeah, absolutely. And the law and culpability of certain things then comes into play, doesn’t it?

Chris Cooper:
Yeah, absolutely. And they’re forecasting that by 2020, so only next year, there’ll be three IoT devices for every human on the planet. We’re talking about vast numbers of these devices that are out there.

Karl Culley:
Absolutely. So it seems like the greater the connectivity, the greater the potential for vulnerabilities, more entry points.

Chris Cooper:
Absolutely. Yeah. We’ve already seen compromises for printers in the home, baby monitors, even hot tubs have been hacked in the last 12 months. So a number of these devices and companies are only just starting to understand what they need to do to keep them secure.

Karl Culley:
Let’s talk about managed security services and what value can organizations get from using a dedicated security company?

Chris Cooper:
Part of this comes back to what we were saying in the beginning about the more complex environment. So you’ve got the increase in the technology and everything and the regulatory environment. Another key aspect though is people.

We all know that cybersecurity resources are very scarce and the most recent research suggests that, by 2021, there’ll be three and a half million cybersecurity resources unfilled globally. So that’s part of it, is that it’s very difficult to get enough people to do this for every company individually now.

But also ultimately, you’re using a specialist provider of managed security services because they have the expertise and the experience and they can make the investments that you often can’t make.

So, we can invest in the people to make sure we’ve got the latest highly trained people. We can invest in the latest technology because we’re spreading those costs across multiple customers rather than you buying it for yourself. And then we have the people and the process and the maturity in place to actually be able to do it to a higher standard.

When you go back to the five-layer maturity model again, so you’re really buying into that experience and that expertise but also because it becomes about sharing intelligence, because we’re seeing security threats and things as they happen across thousands of customers across the world.

We can share that intelligence to make sure we’re protecting all of our clients as best as we possibly can. Whereas if you’re trying to do these things yourself, you only have your own area to be able to monitor. It’s a very fast-moving market from a threat perspective and that drives new products and some of those products have more value than others.

We spend a lot of our time looking at these new technologies and things and saying, “Well, will they actually bring real value to our clients?” And at the moment, for example, the big area is around SOAR platforms. So, this is about automating and orchestrating things in the background, so that you can respond that much quicker when something happens, because automatic triggers go off.

We’re investing in those platforms for our customers, but these are significant financial investments, plus it needs rewriting, run the scripts and everything else to know how we’re going to respond to incidents.

Karl Culley:
Okay, well, you touched upon it earlier. Can we talk about, and when I say we talk, can you talk about, with your expertise, talk about the GDPR and how complex and it’s not only GDPR, as I heard, there was a new California equivalent, the CCPA just came out. So all of these regulatory requirements with the transfer and sharing of data, this makes things much more complex.

Chris Cooper:
That’s right. GDPR is the big one that’s known about, but as you said, a number of regions and countries around the world are starting to follow suit with similar things and that really changes the emphasis on cybersecurity.

It means you have to know where all your data is, all your personal data, means you need to know who’s accessing that personal data. And if something goes wrong, you have to publicly register that very quickly, usually within about 72 hours. So you don’t have a lot of time, so you need to understand your environment and what’s going on in there and it’s a significant potential risk as well.

GDPR, for example, carries some substantial potential penalties based on your global revenue. So, suddenly, companies are at the risk of a much more serious fine than they ever were. You used to be able to, some companies would consider the fine less than the investment you needed to do all these things. That’s changed completely, so we’re just starting to see the first real use of that legislation.

These are really substantial penalties now that hurt the bottom line. So it’s changing that environment but also because it’s making customers much more aware of the security because you have to announce that you’ve had a problem and then you have to persuade those same customers that you fixed the problem and it’s safe to carry on using them as a company. Otherwise the brand damage can be huge.

Karl Culley:
Yeah. Potential damage to reputation – that can be irreversible, I suppose. These days with more and more options, cybersecurity solutions and options on the market, would it be fair to say that it’s more customer centric than it’s ever been?

Chris Cooper:
Yeah. I think traditionally, cybersecurity was a bit of a department almost, off on its own doing its own thing. It wasn’t part of the main business, in the same way that IT wasn’t a decade or so ago. And that environment’s changed significantly.

It started with the change in the role of the head of security, which then became the chief information security officer or the CSO and that role is still gaining more and more importance. And many companies now have those reporting directly to the board or even being on the board.

And certainly if nothing else, there’s typically somebody on the board now, who is personally responsible for cybersecurity within that company. Security needs to understand how the business works and also the impact it has on the business when it makes certain decisions.

Now if it decides to lock something down, is that going to impact something that the business is actually doing that is driving the profits, so they need to understand that. On the flip side of it, you then, you’ve seen it also in the managed security services market.

Traditionally you would just go out and buy an off-the-shelf service. It came as it was. They’d already defined it and you actually, you had to use it in that way. As the market’s expanded and matured, you now have a range of things from off the shelf, which is the cheaper end of the market and then as you go through the market, you become much more customer centric, through to completely bespoke systems and security-monitoring environments.

So it is a big change in security, an important one I think. Cybersecurity needs to recognize the impact it has on a business, both positively and negatively if it doesn’t do its job in the right way.

Karl Culley:
Well, it seems like a fascinating field to be involved in, Chris. And I’m wondering, what do you find most exciting about your role? What’s the most interesting thing?

Chris Cooper:
The main reason I got into cybersecurity and then why I’m still in it today, is that rapidly changing environment. It means every day is different. There’s always something going on, there’s new things to learn, new threats to counter. It’s a challenging and really interesting environment to work in.

Karl Culley:
Well, it sounds exactly that, and thank you so much for joining us. Thank you for your insights and elucidation on this fascinating topic and I’ve enjoyed myself. Thank you for joining us, Chris.

Chris Cooper:
Thanks, Karl. It’s been a pleasure.

Karl Culley:
So, that’s it. Thank you to our listeners and do join us next time for the next podcast, which is going to be on SecDevOps with special guest, Louis Delabarre. So, thank you. Bye bye.

Experts

Chris Cooper

Expert in Cybersecurity strategy, Data Privacy, Governance, Leadership