mnadeau
Senior Editor

Security and new technology: How one company faced the unknown

Feature
Jul 11, 2018 · 7 mins
Application Security, Cloud Security, Network Security

A move to a pure cloud strategy at the London Stock Exchange Group forced a new security mindset. Here's how the LSEG's CISO faced the challenge.

New technologies promise to make companies more competitive and efficient, or to better enable new strategies. There is no shortage of them: distributed ledgers (blockchain), cloud-based infrastructure and services, and artificial intelligence-enabled automation to name a few. That new tech is great for business managers looking for an edge or a solution to a problem.

Things look a bit different through the CISO’s eyes.  

The CISOs’ role is to support the business, but they can’t help but see new and unknown threats with the introduction of every new technology. It’s their job to mitigate risk — even if that risk is not yet widely understood.

As CISO for the London Stock Exchange Group (LSEG), Adrian Asher understands this challenge well. “I’m here for security of business, not the business of security,” he says. That means taking security measures that support the business and align with the risk and value of assets being protected. For Asher, those assets are far-flung in major cities in Europe, North and South America, and Asia.

CSO spoke with Asher to learn how he evaluates new technology and develops strategies for mitigating the risks they might present.

Move to cloud and the “death of infrastructure”

Although LSEG is using emerging technology like blockchain, the main challenge for Asher is a move to a pure public cloud infrastructure. “I banned the hybrid cloud,” he says. They are targeting 80 percent of the LSEG’s infrastructure on the public cloud. The rest will remain on-premises due to regulatory or technical requirements.

Adrian Asher, The London Stock Exchange Group CISO

The consequence of the move to the public cloud is what Asher calls “the death of infrastructure.” Before the cloud, “Everything was done at the infrastructure layer. [Security] was all done below the app,” he says. Without things like firewalls to defend the perimeter, the cloud is “leaving it up to the app to defend for itself,” Asher explains.

From a personnel perspective, protecting the app directly rather than building security infrastructure around it requires a very different mindset for the LSEG’s security team. “There are people who design and build applications and those who build infrastructure,” says Asher, adding that it’s rare to find someone who can cross that divide. “We need to train people to understand how to protect the application layer.”

Asher sees training of security staff on new technology as the biggest challenge. “They are moving up to the app layer where they were really focused on infrastructure before,” he says.

IT and development teams also need to change how they approach their jobs. “All developers have to care about security,” says Asher. “Developers need to know how to write secure code.” He notes that he is seeing positive change in this area at LSEG with both security and development teams, thanks in part to proper training programs.

Assessing new technology risks

Devising a plan to secure the deployment of new technology can be a guessing game for security teams, but Asher believes you can take much of the guesswork out of the process with a methodical approach. That starts with identifying the attack surface that the technology might present—e.g., the interfaces in and out of the system, vulnerabilities presented through web pages.

“Profile where the risk lies,” he says. “Make sure you have a commensurate control [to the risk] and do it all through a threat model. I’ve seen companies spend millions of pounds for a 100s of thousand pound risk. Make sure the solution fits the purpose.”

Another way that new technology might introduce additional risk is through developers writing poor code, perhaps because they don’t yet fully understand the technology and its associated risks. Asher suggests performing a strategic code analysis. Based on the assumed risks, what should the security architecture patterns look like?

Once that’s determined, it’s a matter of training developers and putting the proper governance in place. Take a balanced approach, Asher recommends. “All things aren’t security risks,” he says. Make sure what you implement “meets your requirements for data protection, both business driven and regulatory.”

Assessing technology vendors and partners

When a company like LSEG does a large-scale deployment of new technology, it has to rely on outside vendors and service providers to acquire, implement, and maintain that technology. Each of those providers presents its own security risks.

Asher is confident that the large providers, such as the leading cloud hosting vendors, do a good job of mitigating risk. It’s the smaller companies, which might have an interesting or promising technology but are less mature when it comes to overall security, that worry him more.

To address that concern, Asher is first careful to assess whether the technology is necessary. “Where does it fit in the ecosystem? What does it complement or replace? What problem is it solving? Does the problem even need solving? Is it solving the problem in a different way than other solutions?” he asks. “You need to make a decision about whether it gives us value.”

Once a decision is made, LSEG evaluates the technology in a test environment. The company’s move to the cloud has made that simpler. “It’s easy to spin up [the technology] in the cloud and test it,” Asher says. “The cloud gives us the opportunity to evaluate a lot quicker. We can make a decision within a week.” During that testing, LSEG is making sure the technology lives up to the vendor’s claims and gaining an understanding of how it does reporting and plays with standards. 

Sometimes LSEG works with very small providers with perhaps two or three employees. “They often don’t know how to do service management,” says Asher. “They don’t understand how large enterprises work.” Smaller companies might not adhere to the same security standards as larger companies, too.

Rather than reject them, Asher chooses to work with and educate those small companies. “Their tech might be great, but they need to learn [how to support a larger organization],” he says.

A new approach to endpoint protection

New technology often requires new tools to detect threats and protect assets. With a tried and true IT infrastructure in place, CISOs know what kinds of tools will work in their environment. Move everything to the cloud, and all bets are off.

One area of concern for LSEG was endpoint protection. A rules-based solution wouldn’t work, because with an ever-changing and dynamic threat, it is not certain what those rules should be. Asher says that the performance impact of the endpoint protection tool was also a concern. So, compute-intensive artificial intelligence-based solutions were not a good option, either.

After evaluating a number of solutions, the company chose Morphisec, which protects the runtime environment — applications, browsers, and operating systems — by altering how it’s processed in memory. This approach makes those elements difficult for an attacker to access directly.

“We weighed the impact [of Morphisec] on everything versus capabilities,” says Asher. “There was no trade-off — zero percent impact on performance.” He adds that Morphisec has blocked attacks that neither they nor anyone else had seen before.

Ultimately, that’s the goal of any CISO: Be prepared to stop attacks you expect and those you don’t expect. “It’s a cat and mouse game,” says Asher. “It’s good to be the cat.”