New technology deployment opens cyber-threat vectors and makes security operations more complex

I just read a good Wall Street Journal blog by Ben DiPietro titled “Speed of Tech Change a Threat to Cybersecurity.” His main point is that while organizations are adopting new technologies like cloud computing, mobile computing, and applications based upon the Internet of Things (IoT), they continue to address cybersecurity risks, controls, and oversight with legacy tools and processes. This creates a mismatch where cyber-adversaries have a distinct offensive advantage over a potpourri of assorted legacy enterprise security defenses.

I couldn’t agree more, Ben, but it may be worse than you think, as this discrepancy has been going on for years. In a 2012 research survey, ESG asked security professionals to describe the impact of numerous new IT initiatives on infosec operations and management at their organizations (note: I am an ESG employee). The research indicated that:

- 69% of organizations said that cloud computing initiatives made security operations and management much more difficult or somewhat more difficult.
- 62% of organizations said that mobile computing initiatives made security operations and management much more difficult or somewhat more difficult.
- 56% of organizations said that remote worker initiatives made security operations and management much more difficult or somewhat more difficult.
- 51% of organizations said that server virtualization initiatives made security operations and management much more difficult or somewhat more difficult.
- 47% of organizations said that BYOD initiatives made security operations and management much more difficult or somewhat more difficult.

Now many enterprise organizations have embraced a number of these IT initiatives, so there is also a cumulative negative impact here.
And while enterprises have implemented new technologies at a faster pace since 2015, they continue to maintain security strategies from around 2005, as the WSJ blog correctly points out. As they say in Texas, “that dog don’t hunt.”

Of course there are countless VC-backed startups trying to bridge these gaps with new technologies for securing discrete IT initiatives, but this mirrors the problematic legacy model. In the past, enterprises addressed new threats like SPAM, web threats, and advanced malware with individual threat management gateways and software. This led to an operational infosec nightmare where enterprise security defenses and oversight were based upon point tools, manual processes, and patchwork visibility. Things will only get worse if large organizations plug cloud, mobile, and IoT holes with one-off countermeasures that exacerbate operational chaos.

CISOs need to think about new security requirements based upon an old cybersecurity concept, the “attack surface.” In other words, the entire expanding internal and external IT infrastructure should be viewed as a holistic attack surface and addressed accordingly. So risks should be assessed across the complete attack surface, while risk mitigation should include central policy management and security controls for distributed policy enforcement that cover the whole attack surface enchilada. This is critical because multi-dimensional threats will pivot from partner IT infrastructure to endpoint devices, to networks, to cloud-based sensitive data, so policies and controls must cover the attack surface and the kill chain. Finally, security analysts need real-time end-to-end visibility for threat detection and response.

DiPietro is right: technology proliferation is outpacing cybersecurity defenses and oversight, but this is not a new phenomenon. Ten to fifteen years ago, security professionals were concerned about rogue WLAN access points, thumb drives, and iPods.
The difference is that we could finesse cybersecurity risk mitigation a decade ago but this is no longer possible. Let’s face it – the overall attack surface is really big and only getting more expansive each day. CISOs must accept this reality and stop addressing cybersecurity as a series of discrete problems. The only way to address the growing attack surface is with a comprehensive strategy, integrated controls, and end-to-end security data collection, processing, and analytics.