For every threat reported in the news, there are a great many that remain undisclosed. In many cases, the threat or the attack also goes unnoticed until it’s too late.
The problem is asymmetry. Hackers are constantly improving their arsenal of attack tools, focusing on ransom by targeting the most vulnerable and those with privileged accounts, shifting to credential theft and disruption on top of monetary opportunities, and targeting new industries that remain unprepared (and sometimes unaware).
The X-Force Threat Intelligence Index 2022 offers some clues to the evolving attacks. It found that North America’s manufacturing industry faced more attacks that led to supply chain issues (28%) than finance and insurance — a first in the past five years. This is terrible news for companies who see IoT analytics and smart manufacturing as solutions to overcome razor-thin margins and unpredictable macroeconomic factors.
Attackers are also dialing up their sophistication. A recent Anchore survey showed that three out of five companies suffered supply chain attacks in 2021. Meanwhile, the Log4j vulnerability in open source libraries showed how vulnerable all companies are across all industries.
“The threats are getting more sophisticated, the time to detect and respond is increasing, and vulnerabilities continue to rise. This demands a new way of delivering security, with zero trust emerging as a set of architectural standards and practices being advocated within NIST,” says Mukul Mathur, vice president for IBM Security in Asia Pacific and China.
The idea behind zero trust, which Forrester first introduced as a model in 2010, is not revolutionary, nor is it new. But it does require a break from conventional thinking.
Here’s why: conventional security practices establish security perimeters. For business leaders, this castle-and-moat approach made sense. Anyone verified as an employee can work safely within intranets protected by rings of firewalls. All you have to do is make it someone’s responsibility to keep those perimeter defenses up. That became the CISO’s primary remit.
However, the pandemic blurred work-personal life boundaries and poked holes in existing perimeters. And supply chain attacks and zero-day exploits of open source libraries showed that cybercriminals were becoming better at sidestepping perimeter security controls by infiltrating code before it is baked into software apps.
Enter zero trust. Its “never trust, always verify” approach turns the conventional approach upside down. There are no more security zones or perimeters; it advocates mutual authentication for checking and verifying the integrity of devices and apps regardless of location or whether they’ve been approved before.
“Zero trust is about implementing (a) least privilege (b) continuous verification, and (c) assuming breach. This requires a policy framework that achieves (a), as well as an appropriate analytics capability to achieve (b). The final question they must be able to answer is what they would do in the case of a detection of an anomalous activity (c). Keeping these three elements in mind in all decision making, whether system-wide or at the function level, helps standardize an approach across an environment ecosystem,” explains Mathur.
This is where a mindset shift needs to occur. While vendors like IBM have made it easier to adopt zero trust with technological leaps in security products, zero trust itself is not a product. Instead, it’s a concept that needs cooperation across all functions. CISOs alone cannot enforce zero trust if the principles are not inherently adopted and recognized for their usefulness to business success.
It is why Mathur believes that zero trust requires cybersecurity to become a C-level and boardroom concern.
Starting the board-level conversation
When adopting zero trust principles, the biggest challenge is making other business leaders and the board members see it as on par with organizational or financial risk. Bridging the gap between a technology risk and a business one is not easy. Mathur believes business use cases can help.
“The application of zero trust demands a methodology that can be applied to products, technology, and people across the organization. The key is that efforts to implement zero trust should be focused on the business use cases commensurate with the risks that an organization might face. While products need zero trust oriented features, a product is just one part of an overall capability that reduces threat risk,” says Mathur.
Developing such business cases requires intimate conversations with other department heads and C-levels. And since each business is inherently unique and works within a global ecosystem, it requires a solid top-down mandate that begins with the board.
Besides, there are other reasons for making cybersecurity a business conversation. “Firstly, executives are often targeted because of the upside in breaching corporate systems. However, most important is that zero trust comes with a heightened sense of awareness that can translate through the culture of the organization. The advance in analytics capability has made the implementation of zero trust possible across many business use cases, so it’s important to recognize the ability to implement these methods as key,” Mathur points out.
IBM is helping to make this conversation easier. It produced blueprints that focus on business scenarios, including securing hybrid cloud, customer privacy, reducing ransomware risks, and remote access.
Still, for zero trust to work, the board needs to get on board as key champions and not just budget sponsors as cybersecurity continues to impact top and bottom lines.
“Technology underpins almost every company’s operations. Inherent in its use is the risk of cyber incidents, and therefore boards must be able to quantify this risk to their organizations so that it can be appropriately managed like any other. Board level visibility gives rise to investment and governance and therefore should improve cyber outcomes with time,” says Mathur.
Partnering for knowledge
You cannot deploy zero trust alone. By its very definition, the concept mandates collaboration with key C-levels to be effective and the involvement of other stakeholders (e.g., partners, customers, etc.) to be all-encompassing.
A good technology partner with decades of experience can help frame this conversation in business terms. They can also help to improve the ROI of existing security investments by adding them to the zero trust framework. This is where Mathur sees IBM as having an advantage.
“IBM takes an open approach to security, and that means we work with your existing technology investments to deliver business scenarios to benefit the client. This approach helps IBM focus on the process improvements that will raise cyber maturity against a zero trust model. Naturally, this approach then lends itself to optimizing the investments that have been made to increase automation and speed and reduce overall cost,” says Mathur.
Joining forums and discussions like the upcoming IBM Zero Trust Forum on May 26, 2022, can further broaden knowledge.
“We need to recognize that cyber security is a global problem, felt locally to every organization. Through shared experiences and adoption of consistent practices, we are able to raise maturity together,” he adds.
Mathur believes that companies need to fast-track their maturity as they continue to be hammered daily by asymmetric attacks.
“This [conversation] is important because you are only as strong as the weakest link, and that could mean exploitation of any member of supply chains that interlink many of our everyday systems and processes. Being open is about ensuring that we address these shared challenges in a way that reduces overall vendor lock-in, enhances intelligence sharing, and ultimately delivers cyber security at speed across the participating communities,” he concludes.
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity neophyte, a blockchain enthusiast, and believes we already live in a metaverse.