The scars of WannaCry had not yet healed when Petya, a new ransomware attack, struck organizations across Europe and haunted the cybersecurity world in 2017. This further emphasized the need for avant-garde cybersecurity solutions. Organizations have to recognize the worth of taking proactive steps toward constructing a secure network, building security operations, identifying cyber threats, and creating cyber threat intelligence programs. In an interview with Enterprise Security Magazine, industry veteran and CISO of KPN, Jaya Baloo gives us an inside look at the cybersecurity space.
When I started working in the cybersecurity space, I had to convince people of the importance of cybersecurity and the dire need to be informed about one’s own assets and risks. People had to be convinced about committing resources and having a team to analyze and act upon risks. Looking back, though, we might have overstepped the mark due to a high degree of uncertainty and fear rather than a strategic understanding. However, as the number of threats continued to rise and get media attention, security professionals were slowly gathering acknowledgment through evolving privacy & security regulations, adapting innovation for security, and inclusion in strategic decisions. So, I think we have come a long way in terms of general public awareness about the problem.
“For me, it’s not just the delivery of secure products and services but also providing thought leadership.”
Unfortunately, since most companies don’t have the capability to thoroughly evaluate vendors and products, they often try to buy security solutions, or include security with something that sounds good, predominantly from a cost and marketing perspective.
We have, as an industry, consistently been looking for better methods of getting the basics right in terms of security hygiene, as well as improving detection and response time for new vulnerabilities and incidents, but we aren’t doing well. So, although this is something we have been struggling with for a long time, we haven’t been able to get it right when it comes to innovation, as we keep building new things with old problems in them. Take for example areas like Software Defined Networking (SDN) and Network Function Virtualization (NFV). The problem is about migrating trust points from dedicated hardware to virtualized software controlled by a hypervisor element, like firewalls and intrusion detection systems. If we can compromise the control plane of the hypervisor, we cannot trust our security components to detect misbehaviour or enforce policies. We also need to think about security better in terms of product and software evolution, where we are better able to consider known legacy risks when innovating. As customers we need to understand the potential risks, but this remains a fundamental responsibility of hardware and software vendors when designing and updating their products. My mission at KPN is to keep KPN reliable, secure and trusted by customers, partners and society. We do this by not just providing secure products and services but by also providing thought leadership in security. I expect vendors to take cybersecurity just as seriously so that the solutions can be relevant for the risks we will face in the coming years. I also expect to see a proactive approach to implementing already available protocols, with an attitude of comply or explain. When I examine our supply chain of security vendors, I expect to look at maturity across the stack and not just the one area of expertise they are trying to sell us.
Technological trends in the cybersecurity landscape in the days to come
The coming of quantum computers in the near future will impact the security space. Quantum computing is a threat as it is capable of breaking the current asymmetric cryptography that we use everywhere in our networks. Quantum computers are expected to arrive anywhere between the next 5-20 years.
We are already late and are going to need all the time remaining to sort out our secure future together with the vendor landscape, the supply chain, and towards customers. At KPN we are focused on trying to find an alternative so that when there is a quantum computer, we are still capable of operating securely. We are looking at increasing the key length of the current algorithms we use, examining options for quantum key distribution, and also trying out post-quantum cryptographic algorithms. We have started by experimenting with NIST candidate algorithms, and have embedded them in a VPN solution, looking for optimization in terms of required bandwidth and computing power. I do not know a lot of companies that are doing this, but as an information security professional, I feel that I have an obligation to do this.
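The answer above describes embedding post-quantum candidate algorithms in a VPN while classical cryptography is still in use. The interview does not say how the two are combined; a common approach during such a transition is a hybrid key exchange, where a classical shared secret and a post-quantum KEM shared secret are both fed into one key derivation, so the session key stays secret unless both key agreements are broken. The example below is added here and is not KPN's code: it implements HKDF (RFC 5869) with HMAC-SHA256 from the Python standard library and a hybrid combiner over two shared secrets, which are supplied as constructed sample bytes rather than from a real ECDH or KEM handshake.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) using HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) using HMAC-SHA256."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secrets(classical_secret: bytes, pq_secret: bytes,
                           transcript: bytes, key_len: int = 32) -> bytes:
    """Derive one session key from a classical shared secret (e.g. from ECDH)
    and a post-quantum KEM shared secret.

    Both secrets go into the extract step, and a hash of the handshake
    transcript is used as the salt so the key is bound to this exchange.
    An attacker must recover both secrets to learn the derived key.
    """
    if not classical_secret or not pq_secret:
        raise ValueError("both shared secrets are required for a hybrid key")
    # Length-prefix each secret so the boundary between them is unambiguous.
    ikm = (len(classical_secret).to_bytes(2, "big") + classical_secret
           + len(pq_secret).to_bytes(2, "big") + pq_secret)
    prk = hkdf_extract(salt=hashlib.sha256(transcript).digest(), ikm=ikm)
    # The info string is a hypothetical label; a real protocol fixes its own.
    return hkdf_expand(prk, info=b"hybrid-vpn-session-key", length=key_len)


if __name__ == "__main__":
    # Constructed sample inputs standing in for real handshake outputs.
    classical = os.urandom(32)      # would come from an ECDH agreement
    post_quantum = os.urandom(32)   # would come from a PQ KEM decapsulation
    transcript = b"constructed-handshake-transcript"
    key = combine_hybrid_secrets(classical, post_quantum, transcript)
    print("hybrid session key:", key.hex())
```

The HKDF functions follow the RFC exactly, so they can be checked against its published test vectors; the combiner is the part a VPN implementation would call once both key agreements have completed.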
Suggestions for decision makers
If you don’t know what your assets are, what your critical processes are, and where there are vulnerabilities and weaknesses in your networks and systems, then you probably are not going to be helped by the newest, shiniest blockchain or AI tool for security. To understand those weaknesses, make sure you have regular sanity checks (pen testing, vulnerability scanning, etc.) that feed their results into a learning loop that constantly improves your ability to detect and respond and can be measured. Start with the basics and ensure not only that you have them in place, but that you understand your weaknesses and are able to run continuous improvements to ensure confidentiality, integrity and availability across your data lifecycle.