“Ruthlessly prioritize what’s critical”: Check Point expert on CISOs and the evolving attack surface
Adopting a dynamic security strategy and developing internal talent is key if CISOs want to get a handle on their increasingly intractable remit
Chief information security officers (CISOs) face threats every day, but new developments require them to adopt a more aggressive approach to attackers.
The obstacle CISOs face is not just the scale of new attacks, but the complexity. As the attack surface expands, the openings that threat actors exploit to compromise devices, accounts, and services are also changing.
New devices are introduced to the IT estate all the time, in parallel with the ever-evolving software stack, bringing new vulnerabilities that demand the attention of CISOs.
Speaking to Check Point president Rupal Hollenbeck on stage at Check Point Experience 2024, HPE CISO Bobby Ford explains why the constantly expanding attack surface is one of the primary concerns for security leaders in the coming years.
“In 2020 we had less than 10 billion devices connected to the internet, by 2030 we will have more than 30 billion”, Ford explains.
In addition to the growth of Internet of Things (IoT) across the world, feeding what some have termed an 'IoT arms race' for security teams, the amount of data being generated has also skyrocketed. Ford says that globally we created 64 zettabytes of data in 2020 – and this is expected to triple by 2025. Deryck Mitchelson, Check Point’s head of global CISO and C-Suite advisor for EMEA, tells ITPro that the scope of the systems CISOs need to protect makes the role increasingly demanding.
“It’s no longer a small perimeter-based infrastructure they need to protect. It is now everything from every cloud, every device, every server, every piece of connectivity, so yes it’s a demanding role at the moment.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Ford argues that CISOs need to face the fact that they cannot secure everything and question how they can best spend their finite resources on attack surface management. This attitude has been reflected in the rise of strategies such as zero trust and Ford says in 2024 CISOs will continue to struggle to secure an increasing number of devices and data and contend with a landscape that is evolving in real time.
“I think you have to do two things really well: the first thing I think you have to do is truly identify what’s critical and ruthlessly prioritize what’s critical. The second thing is you have to deploy lasting and intelligent solutions”, Ford argued.
“[Businesses] have to deploy solutions that grow and contract with the business and can grow and contract as the threat landscape grows and contracts.”
Mitchelson offers some examples of what this sort of deployment might look like in the future, arguing the most potential lies in using technology to realize this elastic functionality. “Internally within the structures of the organization, it could be a matrix type structure whereby you’re actually able to expand and contract internal resourcing within teams as to what you do”, Mitchelson suggests.
“But the more interesting piece is when you start to understand what the technology can do around making that job much easier.” The public cloud is a perfect example of one such technology, says Mitchelson, as it can scale and shrink according to a company’s needs.
“So many people have probably moved into the public cloud by now and that’s what it offers. It’s taking resources, capabilities and that are available without having to go big, you pay as you grow … As your attack surface grows, if you do your security right you should grow with it.
CISOs as ‘talent makers’ not ‘talent takers’
A second aspect of how Ford thinks CISOs can address the difficult task they are faced with is by digital skills through a serious commitment to upskilling within organizations.
Ford argues the security skills shortage does not stem from a dearth of talent, but a serious lack of experience among IT professionals, which CISOs should look to address to meet soaring demand for these proficiencies.
“I don't believe that we have a talent shortage, I believe we have an experience shortage … Rather than going out and searching for talent, what I’m doing is looking within my organization at how I can create opportunities to get people from diverse backgrounds more experience.”
This approach means businesses can start to address the wider talent shortage by creating talent, rather than displacing it from one organization to another, and it also helps the business’s bottom line, according to Ford. Internal efforts could see workers being trained through cyber security courses or cyber security certifications.
“I don’t want to just poach talent from different organizations because I think that wage inflation is a real thing … and so with that in mind, I’m looking how we can identify roles where we can actually educate, upskill, train people, so that we can actually create more talent than we take.” Mitchelson says this was the approach he took in his previous role leading a networking team for NHS Scotland.
“When I was chief information officer (CIO) for NHS Scotland that was how I grew my security team because it was the public sector we couldn't compete with the salaries of the financial sector, the digital startups within Edinburgh. So the best way of doing this was to look inwards.”
A strength of this approach is that it fosters diversity in security teams, which Mitchelson says was a priority for him, looking for staff with adjacent skills that can be translated into the specific aptitudes he requires.
“I wanted to have a diverse team so that means I don’t want everyone to come from a networking background … we’ve got some staff from big data and analytics, that’s a fantastic skill because it transforms nicely to do things like threat hunting”.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.