The Cybersecurity conundrum of the Digital Transformation

Adopting a new technology is challenging, but if companies want to remain competitive, they need to adapt fast to keep their business model innovative — or at least at the level of the competition. Often, this requires adopting new technologies early on, long before we know everything about them. Specifically, before knowing the vulnerabilities or the best practices for designing, deploying, configuring and maintaining those new technologies.

Discovering flaws and vulnerabilities in technologies takes time and maturity. In other words, adopting a new technology by itself is risky, yet absolutely vital. For instance, one cybersecurity consultancy found that more than half of the container images hosted at Docker Hub contain critical vulnerabilities — images your DevOps teams are downloading and using daily.

Who you gonna call?

The Chief Information Security Officer (CISO) and her or his teams are expected to solve the problem, quickly assessing how to mitigate the new technology’s risks without impacting its value. Sound difficult? Yes, but that’s what they are trained and paid for, isn’t it? However, we often underestimate the complexity facing these teams.

Technologies are piling up because digital transformation adds to — but does not always replace — enterprise legacy applications. 5G is deployed in parallel with Wi-Fi, IoT and cabled networks. Mobile devices function alongside workstations. Even as business application teams implement DevOps, redesign applications into microservices and deploy infrastructure as code, other enterprise applications are still monolithic, deployed manually on virtual machines or physical servers. Legacy doesn’t disappear — it shrinks.

For a CISO, the legacy vulnerabilities and misconfigurations remain a concern as important as new technologies. Because cybersecurity is only as strong as its weakest link, we cannot overlook one application, one scope, or one technology. It could be used as the entry point for an attack prior to a lateral movement in the enterprise value chain. The recent supply chain attacks of SolarWinds and Kaseya are good examples. Those systems were not the most valued of the enterprises, but the consequence of a cybersecurity attack through them has been devastating for many.

Addressing the cybersecurity skills gap

OK, say you are a CISO facing a multi-technology risk landscape. Surely, the answer must be to recruit more specialists to build up your teams by technology focus. Unfortunately, it’s not that simple, because the domain is facing a shortage of skilled resources.

In its 2020 cybersecurity workforce study, (ISC)² estimated the cybersecurity workforce gap at 3 million professionals worldwide, two-thirds of which is in the Asia-Pacific region. These estimates seem to be confirmed by a jobs report by Cybersecurity Ventures, which also pointed out the nearly nonexistent unemployment rate in cybersecurity.

The demand for cybersecurity professionals is indeed growing faster than supply, despite many universities creating cyber programs in recent years. According to (ISC)², “the global cybersecurity workforce needs to grow 89% to effectively defend organizations’ critical assets.

3 million
is the number of professionals amounting for the cybersecurity gap worldwide

2/3
of the cybersecurity workforce missing is located in the Asia-Pacific region

89%
is the growth needed for the cybersecurity workforce to effectively defend critical assets

Cybersecurity is siloed and manual

Perhaps the solution to the skill shortage is to employ a common set of simple, effective tools that will help cybersecurity professionals do more with less.

Here again, I’m sorry to be the bearer of bad news. According to Dr. Sridhar Muppidi, IBM Fellow and CTO for IBM Security Systems, cybersecurity is among the most siloed disciplines in all of IT… The average enterprise uses 80 different products from 40 vendors.

Critical tasks like identifying the risk exposure of an environment, implementing preventive protections and recovering normal operations after a security incident are still largely performed manually. Making matters worse, cybersecurity suffers from a lack of available standards. This is obviously an issue for automation, as most cybersecurity solutions require their own proprietary implementation.

Finally, although there has been progress using artificial intelligence (AI) to improve incident detection and response, AI for cybersecurity is still in its infancy. Here too, cybersecurity finds itself on the back foot, as hackers and other adversaries employ AI in their attacks.

Are all new technologies good technologies?

Given the situation, it’s fair to wonder if we are adopting technologies too fast, if the technology is mature enough, and if we’re trying to run before we can walk. These questions obviously need to be asked and considered carefully, but ultimately, new, immature technologies will always need to be adopted — they are what makes a transformation possible.

With that fact in mind, how can we put CISOs in a better position? As they say, half the solution is understanding the problem, so the more closely you examine the conundrum we have outlined above, the closer you are to solving it.

We will discuss this in greater detail in a follow-up blog post available here.

 

Read the part II: Are all new technologies, good technologies?

About the author

Vasco Gomes

Global CTO for cybersecurity products, distinguished expert and member of the Scientific Community

Coming from an Information Technology engineering background, with 18 years’ of experience in information security, Vasco has helped many customers balance operational constraints versus acceptable business risks. In the recent years he has expanded this experience to help customers look into what the information security landscape might be in the next 5 years+ and best way to manage it. During innovation workshops, he shares with them some keys to anticipate the future shape of cybersecurity and maximize sovereignty over their most critical data.

Using those customer interactions and by continuously monitoring major technological trends, Vasco influences Atos cybersecurity services and products roadmaps, as well as partnerships, mergers and acquisitions.

Interested in next publications?

 

Register to our newsletter and receive a notification when there are new articles.