Change is the only constant, or is it?

By: Ahmad Elkhatib
Ahmadpic

April was a busy month for me attending the RSA conference in San Francisco followed by GISEC in Dubai. A common theme became evident  among professionals in the information security and cybersecurity fields was that there are significant changes facing our industry. It is true that many of the solutions and services that are becoming more prominent today like threat intelligence, visibility on the endpoint and network, and merging of identity and authentication have been around for over a decade. But they have hit primetime now because of the increased sophistication of the attackers and the realization by clients that incorporating these solutions is a necessity, not a “nice to have.” In the early 2000’s, when I was still an intern, I would talk to people about the catastrophic possibilities a cyberattack could have, and many reacted as though I was describing a scene from a science fiction movie at best, or making up things to instill fear and boost my sales at worst. Fast forward 10 years later and everyday you have stories like this published by the Wall Street Journal, talking about a cyberattack causing physical damange, this report in Reuters, analyzing the massive attack on Sony and this from the BBC, discussing the malware attack that targeted Oil& Gas industry specifically Aramco. The reality is actually worse than anything I had imagined 15 years ago! 

These attacks should not put us in a state of panic, but rather should encourage us to accept realities and move on to pursue ways to minimize risks. Building larger walls and deeper moats never stopped attackers as the infamous story of the Trojan Horse will always prove to us. We need focus: to look at ways to identify where our most critical information assets are, and spend majority of our effort in securing those. We must employ strong authentication and encryption, and to securely manage the keys to our kingdom. Look very hard at your messaging infrastructure as it is a strong pattern that the majority of attacks today start with an email. Then we have to realize that organizations that have spent millions on securing themselves (including those cited above) have been breached so it is inevitable that you will be too. We need to prepare for that inevitable reality by building a robust and resilient incident-response platform to help us face those extremely painful days after an attack, to minimize the time needed to get back to normal operations. Finally and most importantly is investing in people. Without having your employees aware, trained, and security-conscious, your millions of dollars of investment in securing your assets can become worthless with the click of a button. 

What I have written above is not groundbreaking, nor do I describe next-generation technologies. Yes, the technology behind authentication, encryption, visibility and threat intelligence have certainly improved over the years but these concepts have existed for at least 10 or 15 years and have not fundamentally changed. What needs to change is our mindset. From the executive board down to the factory floor employee, we need to train ourselves and our colleagues to consider digital security as important as their personal and physical security. Information security professionals need to understand that building bigger walls by buying bigger and bigger boxes of the next generation technology to protect the network is not going to solve their problems. It is only then that we can properly address the important issues that have had solutions for many years but have not been paid proper attention.