A rebirth in monitoring and measuring of security threats isn’t enough to guarantee companies are secure, says one security expert who says that’s leading to a new movement in secure design patterns.
Ron Gula, Tenable Network Security co-founder and chairman of the board, says there has been a ‘rebirth’ in monitoring and detection of bad guys, leveraging new technology, and of measuring risk via frameworks such as the NIST Cybersecurity Framework, or even things like PCI.
“There are a lot more organisations and boards who want to know if they’re secure and if they have a gap, where it is and how they compare against their peers,” Gula says.
“I’m really happy with those two things,” the 20 year information security veteran says.
However, he adds: “You can do all that, but you will never be guaranteed that you’re secure.
“So there is a new movement in secure design patterns that leverage things like outsourcing, applications to the cloud, rewriting applications with containers and microservices, and repeatable use.”
Gula says risk frameworks should be used as a ruler, or lens, for organisations to evaluate their own internal defences and risks in a way that is vendor neutral and allows them to compare their controls against others in their industry.
He used the example of two security officers golfing.
“One is an IBM shop, one is a Symantec shop, one uses Microsoft laptops, one uses Apple laptops. They can’t speak the same language if they talk about the security controls for the vendors they bought, but if they speak in terms of the ASD or the Nist Cybersecurity framework or even the ISO framework there is a lot of commonality and they can talk about the benefits there.”
Gula says the frameworks will also be critical for cyber-insurance.
“You can’t figure out if one company or organisation is more secure, or a bigger cyber-risk than another one with vendor specific ways of measuring it, there are too many vagaries.
“But doing it under the lens of the new cybersecurity framework or the ASD can give cyber insurance people a lot more opportunity to make a better judgment call on whether cyber insurance is a good deal or not.”
Gula says the frameworks also enable companies to quickly scope out where quick wins can be achieved.
“Whether you start with ASD or the NIST Cybersecurity Framework, everyone of these controls in the framework is going to have a quick win and a long term value.
Once you do your assessment under that same sort of lens, looking at where your gaps are, as a business, your board, your executives, can make a decision about what is best for your organisation.
“And it shouldn’t be an overnight thing. It should be as they think about IT in general, what kind of services are they buying, what kind of commercial solutions, or open source solutions they need to have to monitor and enforce those kinds of policies.”
Unsurprisingly, Gula says the role of the reseller is ‘really changing’ with resellers no longer just fulfilment agents, but also key advisors.
“The reseller is really an advisor, especially for small market.
“If you’re not Fortune 200, you’re probably working with resellers as your trusted advisor. And you have a limited amount of cyber people inside an organisation. You have a limited number of vendors they can use. And when you do buy a vendor, whether Tenable or whoever, chances are you don’t use 100% of the features.
“A reseller can help a customer design, deploy and do health checks and make sure the latest features are being used.”