
SASE – the risk of over-rationalising

Chief Information Security Officers (CISOs) are being encouraged to build a Secure Access Service Edge (SASE) migration plan to create a robust Zero Trust architecture, while also consolidating the security vendor suite. Yet, while the concept of single-vendor SASE solutions may appear to meet goals for rationalising security costs and complexity, it creates untenable risks for any organisation operating in a high assurance industry. Paul German, CEO, Certes Networks, explains why a best-of-breed SASE framework delivered by a single Managed Service Provider is key to de-risking SASE for high assurance companies.

Trusted Framework

Secure Access Service Edge (SASE) is the future, according to market research analysts including Gartner, which predicts that by 2025 at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020. Bundling multiple security capabilities into a single deliverable, SASE deployments include Software Defined Wide Area Network (SD-WAN) connectivity, Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Firewall-as-a-Service and Secure Web Gateway.

But while vendors are beginning to flood the market with branded ‘SASE solutions’, there is a degree of confusion about SASE that is adding significant operational risk, especially for organisations in highly regulated industries, where data sensitivity combined with the threat landscape demands a far more robust approach.

One of the touted benefits of the SASE framework is the opportunity to address the challenges created by a patchwork of vendors and policies deployed incrementally, often over many years, in response to evolving security threats. The result is often complexity for both users and administrators, with differing product lifecycles creating both confusion and potential weaknesses within the security posture. SASE is viewed as a pragmatic security model that provides an opportunity to rationalise and consolidate vendors to reduce complexity and potentially cut costs.

High Assurance Risk

For smaller organisations and those in unregulated or lightly regulated industries, single-vendor SASE is a viable option. It provides a clear security framework and, with a single contract and single console, an organisation has a complete view of its security posture in one place, most likely for the very first time. For those organisations operating in regulated industries, including government, finance, critical national infrastructure and healthcare, however, single-vendor SASE creates an unacceptable risk, and one that no CISO should countenance.

A key point is that no vendor can offer best-of-breed technology across the entire SASE solution, which means organisations will by default compromise on the quality of technology in one or more areas. Far more concerning, though, is the risk created by sourcing all security components from a single supplier: one of the many benefits of SASE is its delivery as a cloud-orchestrated service, but if there is any vulnerability within the single SASE product set, it will affect every part of the framework and every part of the infrastructure.

In contrast, a SASE framework built upon individual, best-of-breed suppliers for each part of the solution increases the end-to-end quality of the SASE deployment. Furthermore, the inevitable overlap between supplier solutions further reduces risk by adding redundancy: if one firewall is compromised, for example, another part of the SASE solution will likely include functions that provide some degree of protection to safeguard the enterprise. Critically, by implementing a solution based on multiple vendors, an organisation avoids the risk associated with a single code base, minimising the chance of one vulnerability affecting the entire security stack.

SASE without Compromise

SASE is becoming an increasingly important security model for businesses of all sizes, in all industries. But there never has been a security silver bullet. While a single-vendor approach creates too much risk for high assurance businesses, the concept of SASE as a framework with all of the key components built in is absolutely the right approach. The goal is to find a solution that integrates best-of-breed security components from multiple vendors to de-risk the security posture, while also delivering the benefits of a single managed solution, including a consolidated security dashboard, from one organisation.

Crossword Cybersecurity Plc research reveals 40 per cent of companies believe their cyber strategy will be outdated in under two years

A perfect storm of escalating cyber-attacks and global tech innovation leaves 61 per cent of Chief Information Security Officers (CISOs) only “fairly confident” of managing their current threat exposure

24 May 2022 – London, UK – Crossword Cybersecurity Plc (AIM:CCS, “Crossword”, the “Company” or the “Group”), the cybersecurity solutions company focused on cyber strategy and risk, has today released a new report based on the findings of a survey of over 200 CISOs and senior UK cyber security professionals. Called “Strategy and collaboration: a better way forward for effective cybersecurity”, the paper reveals companies are more concerned and exposed to cyber threats than ever before, with almost two thirds (61 per cent) describing themselves as at best only “fairly confident” at managing their current cybersecurity threat exposure, which should raise some eyebrows around the boardroom.

Respondents also feared their cyber strategy would not keep pace with the rate of tech innovation and changes in the threat landscape. 40 per cent believe their existing cyber strategy will be outdated in two years, and a further 37 per cent within three years. Additional investment is needed to address longer term planning, with 44 per cent saying they only have sufficient resources in their organisation to focus on the immediate and mid-term cyber threats and tech trends.

The daily firefight

CISOs and cyber professionals report struggling to manage today’s cybersecurity risks across the board. Asked to rate the day-to-day aspects of securing their businesses on a scale of “a little”, “somewhat” or “very” challenging, respondents ranked the following areas highest as at least somewhat challenging (total challenging figures in brackets):

  • Detecting or identifying the occurrence of a cybersecurity event or threat – 56 per cent (85 per cent)
  • Third parties disclosing breaches in good time – 55 per cent (85 per cent)
  • Understanding and anticipating new or potential future strategies used by threat actors – 55 per cent (84 per cent)
  • Ensuring that the entire supply chain is water-tight in its ability to defend and recover against threat actors – 52 per cent (83 per cent)

Juggling cybersecurity priorities

Not only do organisations feel they are chasing their next cyber strategy, but they are struggling to deliver on the one they have now. CISOs highlighted the following key priorities over the next 12 months:

  • The cyber skills gap within organisations is the highest strategic priority (31 per cent). This has been a perpetual problem facing the IT industry, and cybersecurity teams can quickly become overwhelmed if the right expertise is not in place to manage the load. The effects of this can be devastating, creating risk vectors that can be exploited and may lead to human error under pressure, or a missed threat. Rather than hunting for new people, the gap could in part be addressed by putting more resources into training and upskilling, but this is difficult when team capacity is already stretched.
  • The next most important priority highlighted by CISOs is the challenge of gaining consistent and reliable ‘threat intelligence’ (28 per cent), with many reporting that they rely on informal information-sharing networks.
  • Securing digital identity (27 per cent) was also identified as key, given the risks posed by hackers gaining credentials and impersonating users to access data and systems.

Stuart Jubb, Group Managing Director at Crossword Cybersecurity plc, commented: “The picture painted by our research shows CISOs are in urgent need of a strategic rethink. CISOs need to balance their cybersecurity operation’s daily load with managing the organisation’s long-term requirements. Boards must make sure CISOs have the budget necessary to get short-term issues under control and then begin planning a long-term business wide strategy. Such a strategy should be supported by a standard operating model with robust processes and policies for the company’s entire supply chain. Every month of delay leaves businesses open to potentially crippling cyber-attacks.”

The tech trends that matter to cyber professionals

CISOs were also asked about the technology trends that they saw as being the most important and relevant over the next 12 months. Several technology categories stood out with cloud transition and cyber in the cloud leading the way (41 per cent), followed by Cyber Security Mesh Architecture (CSMA – 35 per cent), and AI/Machine Learning (31 per cent).

Deciding how each of these categories will fit into the short-term cyber goals and longer-term strategy of UK organisations will take serious consideration. However, respondents did report having a clear view of the most important technology components they want to address in their cyber security plans in the short term, compared to the next three or five years. Three quarters (75 per cent) said software verification, which helps to ensure a program is secure, 69 per cent said cloud transition and 69 per cent said dealing with ransomware escalation will be a focus immediately or over the next 12 months. A similar number (65 per cent) identified CSMA, a method for making cybersecurity products interoperable, as a key technology. Other technologies of note included:

  • Zero trust and identity security (62 per cent)
  • Quantum data stores / computing (55 per cent)
  • AI / Machine learning (55 per cent)

Jubb concluded: “Cybersecurity today is in a more tightly squeezed iterative cycle than it was in the past. It demands that organisations take a more strategic and collaborative approach – we recommend appointing a head of cyber security strategy, while leaving the CISO to deliver on the immediate challenges. Managing the day to day risks is a tough balancing act, but one that can be achieved if CISOs have the right resources to upskill their teams and tools that leverage AI to bring efficiency and automation to help protect their organisation and its supply chain against today’s threats.”

Professor Tim Watson, Programme Director, Defence & Security, The Alan Turing Institute and Director, WMG Cyber Security Centre, University of Warwick, commented: “Collaboration is especially important when it comes to protecting critical national infrastructure because it’s rapidly becoming a whole new theatre of conflict between Nation States. It’s also not particularly easy because there are so many private and public stakeholders.”

Muttukrishnan Rajarajan (Raj), Professor of Security Engineering and Director, Institute for Cyber Security, City, University of London, commented: “Tackling ransomware is a huge area of focus in the world of research, so I’m not surprised this scored highly in the survey. We are often commissioned to work on projects that focus just on this – an attack on one SME can cause a complete supply chain to grind to a halt, as we saw with vulnerabilities introduced via the Log4J code libraries recently.”

Egress names Robin Bell as CISO to amplify security-first culture

Email security leader appoints CISO to partner with customers and advance security strategy.

London, UK – 13th April 2022 – Egress, the leading provider of intelligent email security, has announced the appointment of Robin Bell as its Chief Information Security Officer (CISO). This strategic internal move will see Bell transition from the role of Chief Information Officer (CIO) to expand the company’s security operations at pace with its rapid growth, at a time of heightened global cybersecurity risk.

In his new role as CISO, Bell will focus entirely on information security. Partnering with customers across highly regulated industries and critical infrastructure, he will work on building a culture of cyber resilience during this period of heightened risk.

“By appointing Robin as our CISO, we’re reaffirming our commitment to maintaining the highest level of cybersecurity across our business and for our customers,” Egress CEO Tony Pepper explains. “We want to ensure that security is ingrained in every aspect of our strategy as we continue to grow our global customer base. With Robin’s vast knowledge and his experience leading security teams, I’m certain that we can achieve this.”

Prior to Egress, Bell served as Head of Application Services Group at Vodafone and was responsible for delivering and managing NHSmail, one of the largest on-premises deployments of Microsoft Exchange in the world, which has subsequently migrated to Microsoft 365.

“At this time of heightened cybersecurity risk, it’s essential for cybersecurity businesses to look inwards and constantly evaluate their own security posture,” Bell explains. “There’s a tragic situation going on in Ukraine which we’re all very concerned about. The ramifications of it are far-reaching and business leaders, CISOs in particular, need to take this war-time situation seriously. Russia has stated that they will unleash cyber-attacks, particularly focused on the U.S. We’ve previously seen Russia target energy companies and wouldn’t be surprised to see cyber-attacks on critical infrastructure as well as banks and other large corporations. As these attacks are likely to focus on the American population at large, CISOs need to be proactive in their own teams’ preparedness and keep a close eye on wide-reaching ransomware and phishing attacks.

“My move from CIO to CISO at Egress is a natural evolution to meet this need and it reflects the importance of security for all organisations. The company already has a mature security program, but good security is not a one-time exercise – and Egress will continually strive to achieve the highest of standards and keep security at the heart of everything we do.”