In a freewheeling interview, Jude Pereira, MD of Nanjgel Solutions, dissects the security landscape and tells us where the industry is heading in the future.
Is the security industry getting more mature to tackle the challenges?
The security industry is fully matured. It is not easy to hack into networks and vendors are doing their job well. Now, hackers are finding collaborative measures because it is no longer easy to drop some software onto a network and get in. If you have done your job well, and implemented some sort of security frameworks, you are safe. You may not be 100 percent secure but you are safe.
Do you see organisation budgeting for security?
Yes, companies are budgeting for security. If you run a business, it is mandatory to have a security budget. There is a paradigm shift in security now; people are no longer talking about static tools, but it is more about how you augment, integrate and automate all these silos. If you ask me any conversation about security has to be centred around two important factors – risk and resilience. Do you have the right privacy controls? Do you have the right processes and governance in place? When it comes to resilience, the questions should be, if I am breached, what are my measures to mitigate? How quickly can I get back? What kind of service assurance can I provide? These are the terms security people are not familiar with and this is where you have to start. If you are a CISO, you can’t just be contented with implementing the next big solution. You should also be able to counter the attacks and understand what really happened. To achieve this, having the right people, processes and education is important.
Are we evolving beyond basic tools?
We have gone way beyond basic tools. CISOs often ask me, what is next beyond these? They don’t want us to talk about firewalls, IPS, SIEM, etc. They want to know what is beyond all these. CISOs are no longer just looking for simple security tools and processes anymore. This is why we are building management dashboards and visibility tools that can bring security that previous technologies can’t provide. Going forward, I think artificial intelligence and machine learning will play a major role in security. I still don’t see cognitive analytics in the security market, and machine learning that vendors are talking about is very basic. However, these are the next set of tools you can expect to see.
Is security now a boardroom discussion?
Security is indeed a boardroom game now, and CISOs are directly responsible. Before, they didn’t even know what devices or policies they had. Now the top is getting hammered. If a company is impacted by a breach, the first party to be reprimanded is the top management, not a junior engineer at the bottom. This shift is very important.
What kind of new attack vectors are you seeing?
Forget new attacks, we are not even rugged for the old. I haven’t seen specialised penetration tests in the Middle East. You might find some who does the basics but they are not doing the way it should be done. A good pen testing should cover all aspects – is the coding right? Can it withstand SQL injections? Can someone get into your system by dropping in a malware?
The problem is that we are more tool-centric, than threat-centric. Some of the companies don’t even know what they are deploying security tools for. When I talk to customers I ask them what are they trying to achieve and they don’t have an answer to that. If you are a bank, forget the perimeter, focus on securing the core banking system. Your perimeter is only as good as your core.
What should be the cornerstone of a good security architecture?
The cornerstone of security should be a framework. You can start off with the tools and they go much beyond that to processes, governance and resilience. But, the most important thing is education, because people will always be weakest link. Can any vendor guarantee you that they can stop ransomware or phishing attacks? If an employee wants to click a link or download something, he or she will. Here, the awareness is the key. The complexity of solving threats is increasing and human beings are needed to compensate for the lack of automation. The problem is that there are so much manual processes, which is why I always say security should be automated, and not fragmented.