Chief information security officers aren’t being rigorous enough in their strategies to protect their organizations, says the CTO and co-founder of Palo Alto Networks.
“CISOs don’t drive their organization based on specific outcomes,” complained Nir Zuk in a phone interview Tuesday from Calgary, where he spoke at a customer event. On Wednesday he’s in Toronto for a similar event.
“I see a lot of security organizations going through the motions and just doing the same thing over and over again, and buying the same products and going through the same evaluation cycles and using the same architectures and same processes,” he said, “which might be OK, but [they’re] doing it just by inertia, and not by outcomes. CISOs don’t think about outcomes, they don’t measure outcomes and they don’t really drive outcomes in terms of security.”
He suggested two reasons why: It’s what they’ve done for years, and many aren’t schooled well in cyber security.
“There are a lot of smart CISOs out there, but there are a lot of people out there that ended up in their position accidentally.” They started off on the network side and got promoted over the years, Zuk said. “And there’s a challenge with education. A lot of CISOs [only] get education from vendors.”
Many security vendors, he added, don’t look for disruptive technologies and are very conservative.
The only thing that will change these CISOs is when they suffer a data breach, he said.
“I used to ask security professionals, ‘Who’s your adversary?’ and I would get five different answers from three different people in the room. They never sat down and thought who is their adversary. And then when you ask, ‘What are they [adversaries] going after? What are the crown jewels?’ … Same thing. If you have three people from the same company you’ll get six different answers.
“So it’s very evident to me that security organizations are going through the motions.”
By that he means they do want to buy the best products in individual categories. However, he said they should be thinking about how to make it hard for an adversary to go after these specific resources, to increase the cost of a cyber attack.
When it was suggested that some CISOs see their organization as under attack from a wide range of adversaries, he shrugged. “Then you’re going to be a jack of all trades and master of none.”
The organization has to list the biggest threats it faces and start addressing each one, Zuk insisted. Better to do that than try to solve all problems with the same solutions on the limited budget most security teams have.
Interestingly, while some experts regularly repeat that infosec teams could close the door on a lot of potential breaches by following security basics, Zuk isn’t one of them.
Some breaches could be avoided, he concedes. “But it would be very hard to find a single data breach that could be stopped by the vast majority of the technology enterprises use today to defend themselves. In some cases they have done something really dumb that got them breached, like leaving SSH open from the outside to the inside, which happened to a very large U.S. bank.
“But in some cases it doesn’t matter what they would have done. None of the technology they had would have protected them, no matter how well it was configured. And the difference between the two is the cost of the attack to the attacker. The assumption should be everyone can be breached. The question is how much it’s going to cost the attacker to breach, and how much they are going to gain. It’s a simple financial question.”
In talking to customers here this week, Zuk and CMO Rene Bonvanie are touting the coming changes to Palo Alto Networks’ platform, including an application framework that will allow customers to buy security apps delivered as SaaS (software as a service). The apps can be built by the company, third-party developers, managed security service providers or customers’ own teams, and can leverage sensors on Palo Alto Networks devices and customer data stores.
More than 30 vendors have committed to developing apps, including IBM, PhishMe, Proofpoint, Hewlett Packard Enterprise’s Aruba division and Splunk.
The framework will be released early next year.
The two execs are also talking about the just-launched cloud-based logging service, which allows customers to amass large amounts of their own data from Palo Alto devices for machine processing and analytics. It is expected that SaaS apps bought for the application framework will be used to analyze that data to help automate security decisions.