Thinking outside the Firewall: Evolution at a Glance
By Johan Hybinette, CISO, Vonage
In the quest to gain a competitive advantage, businesses today are focused on leveraging the information inside their own data warehouses. However, is it illogical to focus exclusively on the security of the data inside the firewall? Sure enough, the answer is “yes.” Evidently, firewalls are moving in the direction of cloud, big data and heuristics. However, for a lot of CISOs, the challenge boils down to understanding how the cloud operates. Truly understanding the cloud and how it works, how not to tie oneself down to a unified cloud, and how to put the proper security controls around that cloud is a baffling labyrinth!
To assist CISOs in their quest to safeguard their castle, new generations of firewalls are making headway into the market, and organizations can leverage them to bake everything in. Today, a firewall can also be a piece of software that forms part of an endpoint solution. They are like a wall around an organization’s fortress that has to be built up to obstruct nefarious activities and intrusion. In addition, these next-generation firewalls are being modeled with behavioral intelligence and other security practices to form comprehensive firewall solutions. It is very interesting to witness their evolution at a time when the landscape is replete with vendors leveraging behaviors and injecting many themes into the firewall appliance to arrive at intelligence-driven decisions. At the other end of the spectrum, administrators are turning to VDI for ease of administration. VDI can help them eliminate the hassles of provisioning, maintaining, and patching endpoints, especially those that have limited or even single-application use.
With a slew of modern-day technologies and apparatus on board, CISOs in enterprises today face the colossal challenge of massive amounts of data and the analytics generated from it. They can’t rely on traditional security measures, as it takes only one malicious packet passing through the defenses for security to be compromised. Consequently, these challenges usher in a broader role for CISOs beyond being compliance monitors. Inherent to this broader role is the imperative to understand business processes, align security initiatives better with the business, and foster shared cyber risk ownership across an organization. With this, addressing the people aspect, for instance human resources and accounting, becomes just as significant as the focus on technology. As a result, the CISO role is earning a seat at the leadership table, balancing the responsibilities of technologist and strategist with being people-oriented and understanding compliance and other processes.
Furthermore, there is a need to balance the capabilities and the productivity of an organization. Firewalls have to ensure that the castle’s door is locked when it is supposed to be locked. In doing so, CISOs should make sure that their organization is both compliant and secure, which are two different things. Compliance is about checking off the security measures in place, but being secure is a whole different game altogether.
Third Party Security Vendors’ Breakout
The firewall landscape is replete with third-party security vendors offering open source technology to build reliable firewalls for protecting business networks. Besides, if an organization has high-quality in-house expertise, it can blend open source and commercial tools to create solutions with enhanced capabilities. There were around 1600 security vendors provisioning sophisticated enterprise-level firewalls by February 2017, and a majority of them offer the same technology. The next-generation firewall market is leveraging MSSP; last year it was penetration testing; the year before, it was vulnerability scanning. The next year looks prosperous for cloud, given its pronounced benefits of affordability, simplicity, and efficiency.
A Piece of Advice
Cyber risks are not limited to the perimeter of an organization. Thus it is imperative that CISOs look past the office boundaries and be an active part of the community. CISOs need to invest a lot of time in supporting security initiatives in order to get a clearer picture of the business and decipher where the greatest risks lie. They should look for innovation and consolidation at the same time. As firewalls are difficult to bypass, hackers these days hit the main site or infect mobile devices. This is where companies need to focus on internal applications. Firewalls essentially look for outside threats and protect organizations from malicious scripts coming in. But it is not easy to create a bulletproof security mechanism when the vulnerability resides inside the office. Employees’ web browsers, cell phones and organizational IoT devices are being targeted. This is where a CISO should pay attention and introduce segmentation in the organization’s network. They have to be very agile, responsible and responsive at all times. There is also a need for CISOs to feed as many characteristics and analytics as possible into their risk tool to get an overview of where the risk is, and the risk factor.
Try not to build the security mechanism from many vastly different technologies, but sticking to a single-vendor solution wouldn’t be sensible either. It would be easy to hack the network then, as getting past one solution would mean hacking the entire system. Another point to consider is to have vendors sign a DAA, so that the organization can perform random audits of these vendors and ensure that they are also secure, as the majority of breaches today happen due to poor third-party management. The key is to involve everyone in everything. Try to take your subordinates to the other side of security and make them understand the technology. Teach them to pick locks; only then can they learn the art of constructing a lock that cannot be broken.