Mike Lloyd, the Chief Technology Officer at RedSeal, speaks to Arabian Reseller about the emerging risks in the region and what CXOs need to know about mitigating those risks.
What, according to you, are the new potential threats and emerging risks in this part of the region?
Reacting to every new threat as it comes along creates an endless treadmill. It makes more sense to plan for digital resilience – understand your organization by mapping it out so that you can offer an agile response to every new attack. Static defenses are ineffective, but chasing whatever’s trending is equally bad – the goal is flexible, rapid response.
Security is a responsibility that needs to be shared among employees. Do you believe in this statement? Why?
It used to be hard to get employees to care about security – they thought of attacks as remote, rare, or things that happened to other kinds of companies. Thankfully, those days are gone. Everyone has seen a notification that their data has been stolen, and has seen the way the Internet is filled with people trying to mislead you. Every business has seen ransomware and extortion demands. It’s no longer difficult to get employees to agree that anyone can be tricked, and everyone must be vigilant.
The convergence of mobility and cloud has brought forth new areas of compromise. What do CXOs need to know in order to stay ahead of such security threats?
The IT security thought process used to resemble securing a bank branch – build a big vault, put a door on it, post a guard at the door, and control who goes in and out. These days, the security mindset has to change – CXOs have to think as if they are securing a city, not a bank vault.
Cities are sprawling, hard to control, and constantly changing. How do you secure a city? First, you gather maps, and keep them up to date – map the infrastructure, map where people do various kinds of business. Then, you can find defensive gaps and build disaster recovery plans. You can even run war games and simulations to see how flexible and resilient your defenses are.
What challenges do companies face when it comes to exposure to security threats?
In a word, complexity. IT infrastructure never starts with a clean slate – every healthy organization has accumulated layers of technology as they have grown up and expanded. It’s prohibitively expensive to eliminate all the older layers of technology – if it isn’t broken, the business doesn’t want to fix it.
From a security viewpoint, though, this historical layering is a severe challenge – no human can be an expert in all the layers all at once. If you can’t understand the whole infrastructure, then attackers will find your blind spots and gather in them (either through skill or simple evolution). This is why machine reasoning about your infrastructure is essential – without understanding the terrain, you cannot hope to win the war.
How can CXOs make sure they have plugged security holes to minimise security risks and implications?
The problem facing most CXOs isn’t finding new security holes – it’s dealing with the millions of holes that are already known. Any vulnerability scan or audit turns up vast lists of defects. Fixing everything is impossible, and so you have to prioritize.
However, prioritization in the context of your business or organization is easy to say, but hard to do. Real risk reduction flows from prioritization based on a real understanding of how your organization functions, and how an adversary will approach and exploit your attack surface.
You cannot eliminate your attack surface – you can only reduce it, and to do that, you need to understand how your organization really functions. Hence the first job of a CXO is to map the organization’s goals down to the technology and facilities that support the mission, then see which weaknesses create the greatest risk in the context of the network.