Qualys is sponsoring the EU Cybersecurity Blogger Awards for 2020, whose nominees represent a ‘who’s who’ of people who write and share their opinions on the security sector. Ahead of the winners being announced on the 2nd of June, we asked some of them what is taking place in security today, how to make the most of your teams, and what changes are required.
Let’s go into their thoughts:
1. What do you think is the most pressing issue in security today?
It’s not doing the basics. I see this so often, especially when I talk to many CISOs and infosec people. While it’s OK to buy the best technology, unless you know what your critical assets are, where they are located, and have applied the appropriate hardening and least privilege, then when an attacker bypasses your controls it’s pretty much game over. – @cybersecstu, Many Hats Club and https://twitter.com/cybersecstu
Three months ago, it would have been quite a different answer. Today’s biggest challenge for most enterprises is the sudden, seismic shift to a remote workforce. While most enterprises supported a minimal, controlled remote workforce already, the sudden need to support hundreds or thousands of workers has left many internal IT teams struggling to manage the connectivity, file sharing, and bandwidth challenges that they are now faced with. That said, three months ago I would have said that the biggest challenge most companies face is the lack of a true user account (identity) management program. With the never-ending push to cloud services, micro-segmentation, and virtualization, legacy approaches to information security are falling by the wayside. Companies need to recognize that the last bastion of security we have is the user’s credentials, and once they are compromised, no other security control matters. – John Masserini, Chronicles of a CISO
I think a lot of companies are still not implementing basic security practices. Their drive is to get a product to market without putting in the required security to keep it safe. This is resulting in a massive number of websites and software products being accessed in ways they weren’t intended. If all these companies would just do standard security measures, we’d be a lot better off. But these companies continue to be the low-hanging fruit a lot of cyber criminals will gravitate towards. – Jack Rhysider, Darknet Diaries
Integrating a little bit of security into everyone’s thought process. Basically, making it a habit! I don’t mean turning people into security experts. However, just like when we make decisions about spending, we’re in the habit of thinking cost, quality, return (both at work and at home). If everyone at work and at home was in the habit of questioning the security of information, we would start to create a proactive security culture. A proactive security culture is foundational. If a business has one, all other pressing security challenges are much easier to find a solution to. – Sarah Janes, Layer 8
2. What do you think makes the biggest difference to security teams’ success?
Buy-in and support from the rest of the company. It’s not just about getting strong support and backing from the board and senior management, but also having an atmosphere inside the organization that everyone plays their part in securing the business.
If the security team can manage to shift staff’s opinion of them that IT security isn’t trying to say “no”, but instead wants to help the firm grow and succeed then you’ll have gone a long way to getting all employees to be on their guard against potential threats. – Graham Cluley, Smashing Security
Having a balanced team of people with complementary skills, regular training in Threat Hunting, Incident Response and having reliable data. – @cybersecstu, Many Hats Club
Having a good leader is vital. Someone who can set a clear strategy, communicate it up the chain, and back up their team. – Javvad Malik, https://javvadmalik.com/
Good leadership. I think security must start at the top of any organization. If a security team is trying to convince management to take security seriously, that’s never going to work or get widespread adoption. Instead it should be the president or CEO that mandates security. – Jack Rhysider, Darknet Diaries
Coherent communication, an understanding of what they know and what they don’t know, and having procedures in place to educate are key. – Andy Gill, WeegieCast
3. What would your magic wand for security be? What change would you make?
To integrate security into more departments and not have it operate as a silo as it does in so many cases. – Javvad Malik
I would rebuild the Internet from scratch with a focus on security, privacy, digital ecology and digital literacy. I would keep the spirit of sharing, the exchange of knowledge and the freedom of everyone to express themselves. – Gabrielle Botbol, https://gabrielleb.fr/blog/
Honesty from the tech security industry about what their products can and can’t do. – Geoff White, freelance journalist at https://geoffwhite.tech/
For employees to be the ‘CISO of their own homes.’ For employees to apply the same cyber security and risk-based thinking at home as they do at work – be that password managers, VPN usage, enabling multi-factor authentication where possible, et cetera. – Russell Lawton, TEISS
4. What do you think of developments like DevOps? Will they make life easier for security teams, harder, or just different?
DevSecOps, if implemented correctly, works really well; there are many examples of how companies can be super agile and have processes, automation and integration with infosec. The key is involving the DevOps and dev teams in this process, providing the relevant training and tools, and creating that interest in being part of the infosec community. – @cybersecstu, Many Hats Club
When implemented correctly, DevOps/DevSecOps is absolutely beneficial to the holistic security position of an enterprise. The challenge is that too many DevOps adoptions focus solely on the development side and lose the security/risk mitigation practices that should be built in. Additionally, there still needs to be a single person/team accountable for strategic direction, risk reporting, and enterprise governance, even in a completely distributed DevOps model. – John Masserini, Chronicles of a CISO
DevOps doesn’t have to make life difficult for security teams – this is a relationship management and working practices piece. If security is integrated into a DevOps team, for example a developer with a security background, it becomes more agile, engagement improves, and you build security in rather than wrapping it around retroactively. Diversity in teams is very important – adding other lenses to projects adds value and highlights issues the DevOps team alone might not have spotted. – Sarah, Sophia, and Morgan, Security Queens and https://twitter.com/secqueens
Obviously, changing the way you work can always be a challenge and there may be some internal resistance, but improving collaboration and productivity is always a good idea. DevOps can help firms respond to market needs faster and better. – Graham Cluley, Smashing Security