Many organizations are finding it harder to manage the increasing pace and sophistication of security threats these days. But the right technologies and strategies can help, according to security experts who shared their tips at a recent ITWC briefing.
“We’re seeing a lot of transformation as organizations adopt more cloud and with people working from home,” said Chris Ruetz, AVP and Country Manager at CyberArk. “The complete landscape of cybersecurity has transformed dramatically for a lot of organizations.”
WATCH WHOSE CREEPING INSIDE YOUR PERIMETER BRIEFING ON DEMAND
The big change over the past couple of years is that the attack vector is scaling, said Barak Feldman, PAM & Identity Security with CyberArk. “Even the most security-focused organizations can be breached,” added Ruetz.
The pandemic has tested our resilience, said Ben Sapiro, VP of Technology Risk and CISO with Canada Life. “It has shown that we needed to be able to scale our security operations so that we can deal with things far more quickly.”
The panel members discussed three key ways to achieve that.
Automate as much as possible
There is a movement toward automating the production process and reducing the access by humans, said Feldman. ”By making sure that it’s all based on AI, machine learning and behaviour, we can define the access points and be a lot more efficient and, quite frankly, a lot more secure,” he said.
Organizations should make sure their vendors are investing in automation, said Ruetz. “Find out if they’re building the necessary integrations and automations to manage the flow of information, from access management to privileged access, for example,” he said. “This will help in the whole automation process.”
Automating repetitive tasks is the only way to achieve the necessary scalability to deal with security threats, said Sapiro. “This allows people to do amazing things rather than boring tasks,” he said. “I want to save people for the high value human intelligence tasks that only people can do.”
Organizations should review how they govern and manage security, said Sapiro. IT leaders can start by having a “brass tacks” conversation with management to understand how much risk they’re willing to tolerate.
The next step is to identify the most important business processes and consider the potential risks and the rewards of measures to protect them. “Then all of the decisions that come out of it, about where we should fund what we should do, what risks we should accept become a lot easier. The ultimate goal is to simplify security by setting a limited number of clear priorities and allocating resources accordingly.
Move beyond password access
Cybercriminals are increasingly finding ways around multi-factor authentication. As a result, there is a move toward using biometrics or mobile phones to verify identity, rather than passwords and six-digit tokens, said Feldman.
It’s also vital to make security as natural and easy as possible for the users, said Sapiro. “If people have to be reminded to do things a specific way, you risk a degradation of control. I think making the user experience frictionless or almost invisible and as automated as possible is the right way to go,” he said. “Then you are guaranteed the outcomes that you want from a security perspective.”