The cybersecurity threat agent has been around since the mid-90s, exploiting weaknesses in systems and organisations worldwide. CISOs are continuously having to adapt and evolve their preventive measures to keep up with threat agents and the advanced malware techniques being used. In this debate, the speakers discuss what security approaches they should use with the rise of the hybrid working model and how to deal with new threat agents.
With Sasha Qadri moderating this roundtable debate, the speakers include:
- Nick Edwards, Vice President, Product Management, Menlo Security Inc
- Rahul Bhardwaj, CISO – APAC, Kroll
Changing security approaches
Moderator Sasha Qadri asked the speakers whether traditional security approaches should change now that remote and hybrid working has become more permanent.
Responsible for product strategy, management and planning at Menlo security, Nick Edwards stated that a lot of his decision making is influenced by what he hears from customers. “What I’m hearing from customers based on remote work is that the traditional security model needs to evolve”, he said. He added that this model is now broken. Back when people were working from their offices, controlling data and applications was much easier according to Nick. With the increase in remote work and sudden change in working models, traditional security solutions aren’t effective enough to protect organisations. This, in turn, has forced a reconsideration in Nick’s view. “That type of thinking, I think, causes customers to re-evaluate,” he said.
In response to Sasha’s question on what the customers’ needs are, Nick focused on policies. “I think what they want to be able to do is make sure that they have a consistent set of security policies for all of the users”, he said. The classic model of firewalls and VPNs are not designed to have ease of access in all areas today. Today, Nick pointed out that customers are now looking at leveraging cloud services to do this more effectively.
Rahul was in agreement with Nick’s views on changing security methods. CISO for APAC at Kroll, Rahul Bhardwaj stated that the traditional security model dissolved the day people started to use the hybrid working model. He highlighted that people can now access data from their homes – even on their mobile phones while having their daily jog. Taking this into consideration, he believed that the security model would fail. “You need to be agile, you need to make sure business is given all the needs to grow”, he said. Rahul argued that this isn’t possible with the traditional security model.
Evolution of the CISO
Recalling research from Gartner, Sasha stated that the role of the CISO has to be reframed. In addition to this, cybersecurity and risk concerns are now actually a huge business risk since the increase in remote working.
Focusing on how the role of the CISO has changed, Rahul thinks the traditional role of the CISO and being a “good technologist” has fundamentally changed. One of these changes is the fact that they are now more involved in decision-making within the organisation. “I think every CISO including me is no different…. We want to know as early as possible what our next product offering will be”, he said. He argued that if a product has already been developed and security is considered as nothing more than an afterthought, “we are failing out there”. He added that security by design is possible if the organisation’s business leader considers security an integral part of the business.
The new threat agent
Nick was asked whether there were new threat agents we should be more aware of and how he has dealt with them.
He stated that he has seen more than one trend since the new distributed working model was introduced. One trend which stood out to him was the idea that “the browser is the new office”. He recalled a statistic from Google stating that people spend over 70 percent of their time on the web browser. Up to two decades ago, he noted that people used to spend this time sitting down together in meetings and conference rooms. Nick pointed out that the modern day threat agent (or “the bag guys”) are aware of this and use it to their advantage. Nowadays, he has noticed that a lot of threat agent attacks are primarily targeting the browser. “It’s a totally different attack surface area that I think the industry is trying to rustle with”, he said.
CISOs have different perspectives on how to deal with this new threat agent according to Nick. However, he explained that companies need to “take stock of what they have and what the landscape looks like”. In addition to this, businesses need to start thinking about where they are going with their products and their services. Much like Rahul’s previous point, Nick thinks businesses should have their security pieces programmed into their plans “as a forethought, not an afterthought”.
This roundtable was recorded at The Studio and made in partnership with Menlo Security. To find out more about The Studio, click here.
