Cybersecurity: Doing more with less

Marc Lueck of Zscaler

The budget of the CISO (chief information security officer) has consistently grown over the years, generally in line with the perception of risk and the cost of controls. However, we are now at an inflection point where the proliferation (and associated costs) of a wide range of protective services/systems meets the current macroeconomic climate. Today’s IT security leaders have the difficult job of balancing the security level against the threat situation while also reducing costs and effort, says Marc Lueck, CISO EMEA Zscaler.

This evolving risk situation cannot be solved by spending more on new security tools, but by extracting the value they represent more efficiently. Instead of choosing “best in class” security solutions, it is time to adopt “best in suite” strategies that counter risk with an integrated approach. This means selecting a solution based on the outcomes it supports, rather than desired features alone.

Moving away from functionality in favour of outcomes

The traditional approach to choosing “best in class” solutions for each security problem leads to two major challenges: escalating costs and operational inefficiency in the security infrastructure. This is because each solution requires a separate purchase and administration, resulting in a complex and cumbersome security architecture. In addition, when technology purchases are based on a set of known control requirements, the “edge cases” and additional immediate or future value are not assessed.

This situation stems from the way decision-makers select a solution. Rather than explore new possibilities, they focus on the technology that needs to be replaced when updating security infrastructure. In doing so, they limit themselves to the existing functionality and features, without thinking outside the box. They see the incoming technology through the lens of the old one.

Such a narrow focus on familiar solutions prevents decision makers from noticing and assessing new solutions outside of their comfort zone. It also prevents them from fulfilling the management’s expectation of achieving more security with less effort and costs. To counter this, IT security managers must start basing their approach on the desired outcomes in security and the business objectives, not just on the success that a product has in meeting documented goals.

Zero Trust: Integrating security

CISOs should focus on the desired outcome of a solution, rather than on preventing specific threats such as ransomware. They should understand how these threats succeed and stop them at source. Ransomware, for example, is a profitable business model because it can spread laterally within an infected IT system and target critical systems to steal or encrypt data. Since companies cannot eliminate all attacks, they should aim to prevent attackers moving across the network infrastructure to capture data. A modern tool in this area must therefore be able to assist in the blocking of threat actors’ lateral movements in the network environment.

To prevent implicit trusted access to network infrastructures, leaders really need to adopt a broader perspective. With hybrid working models now regular practice, it is important to secure the direct access of each user to their required applications, instead of securing access of those same users to “the network”, and then relying on the applications themselves to enforce access policy and security. A security service edge (SSE) approach helps ensure such security through the Zero Trust model. 

A zero trust platform determines and monitors the access of each user to their required application or web service, based on their role and predefined by the organisation. This security is applied inline to the connection, whether the application is stored in the cloud or in the corporate network, and the principle of least privileged access is enforced centrally, ensuring that granular access at the level of the individual application replaces network access.

Because of the focus on per-session, inline connection brokering, this SSE model can also be used for cloud access security broker (CASB) or data loss prevention (DLP) security requirements. The focus is on policy-based access rights, whether for access to permitted applications, web services or even at the level of individual documents. Moreover, a zero trust-based approach can be used for user, device or workload access permissions in digitised environments. Instead of many different technologies that are not connected, a suite or platform with highly integrated functions steps in.

In essence, a Zero Trust platform will increase visibility into the security posture, define granular security policies, prevent lateral movement of attackers, and reduce the attack surface, all with one tool and the architecture it uses to deliver security outcomes.

Steps to outcome-oriented security

To improve and modernise security, CISOs need to shift from security as a set of technical capabilities to a strategic, outcome-orientated mindset. Here are some steps to help achieve greater security more effectively and efficiently:

  • Assess your existing security

The first step is to embrace the need for security modernisation. Even in a challenging economic environment, CISOs cannot afford to be afraid of change. It is important to communicate the business case for how a transformation can benefit the bottom line as well as security. To ensure the transition to a new security approach is cost-neutral, leaders should identify and eliminate any waste and redundancy in their existing infrastructure.

Ask the question: what technologies do we have to meet our security and business goals? This requires an inventory of all security solutions and their capabilities. Leaders should consider the security frameworks in place too, as they can help to achieve desired outcomes. With outcomes defined, CISOs can then use them as criteria to inform board-level decisions on how to manage risk. 

  • Identify efficiency losses

A thorough analysis of the security technologies in use can reveal areas of overlap and redundancy. These can create inefficiencies by increasing the administrative workload and costs. To consolidate the infrastructure and optimise the security performance, these redundancies need to be identified and eliminated. This is often the most effective way to achieve cost savings for companies.

In the past, duplication has arisen from the fact that security technologies have been introduced incrementally as requirements arise. Over time, this leads to a cost trap as a wide variety of systems require administration and maintenance. A best-in-suite approach is able to eliminate these inefficiencies by combining greater functionality while reducing administrative overhead. This enables leaders to phase out legacy systems whose configuration and continuous upgrades are time-consuming to support manually.

  • Define desired results

To initiate a security change, it is important to have a holistic perspective that goes beyond individual technologies. At the same time, it is also important to consider how consolidation can support the digitisation needs of a company. What, exactly, are the security requirements for digitised production environments, web services, or new communication standards like 5G? These requirements should be included in the definition of the desired outcomes.

An outcomes-oriented approach to security can help companies involve the entire business operation. Instead of focusing on the technologies that need to be replaced, they can leverage security as a business advantage. Security must be positioned to the Board as a business advantage: not only as a way of preventing losses from an attack, but as a path to safely digitising more areas of business. A security platform approach that follows a best-in-suite strategy forms the foundation of this.

  • Be ready to score on unasked-for capabilities

The classic “RFP” purchasing mechanism is powerful and has helped for many years to ensure the right cost point and prevent bad purchasing decisions, but its strict focus on the “known needs” prevents suite-based purchases from being able to shine. Try to ensure that any RFP (request for proposal) process has some flexibility built in to formally score and/or assign value to capabilities that are outside the strict set of functional requirements.

The future lens

With a clear vision of what they want to achieve with a security approach, companies can save costs and transform their business models at the same time. Pursuing cost-neutrality of security with a clear consolidation of existing hardware will not only quickly make a company better off, but it will empower it to embrace a digital future.

The author is Marc Lueck, CISO EMEA Zscaler.
