Late last year, news broke that millions of systems around the world were at risk due to a security vulnerability in the logging software Log4j. The incident provides important lessons for CISOs, according to security leaders at Accenture and VMware.
Once the Log4j vulnerability was publicised, organisations worked to protect their systems. But the complex nature of their IT environments resulted in some companies needing significant time to figure out what to do next, says Accenture's AAPAC Cyber Defence Leader, Mark Sayer.
"This vulnerability wasn't something in those early days that you could just go and scan for with a vulnerability scanner. It took quite a bit of effort to understand what applications each organisation had and how they were impacted," Sayer explains.
"It required security to work hand in hand with application development teams and also supply chains, because there were a lot of commercial off the shelf tools that were potentially impacted as well," Sayer adds.
This demonstrated that security teams need to work more closely with their business colleagues, Sayer says.
“It's not like the old days where you could be in a room in the dark on the security tools and not have to talk to anyone. It's really integral now that security is actively engaging with the business, with technology, with application development teams and with third parties and supply chain providers,” he says.
But there is still a disconnect between business leaders and their security counterparts, in Sayer’s view. Boards and directors are becoming more educated about managing and governing cybersecurity risk, but in Sayer’s experience they’re not always getting the information they need from CISOs.
"The board is interested in governance questions around whether they have the right security controls in place and whether those controls are effective. What we're seeing is some CISOs are reporting on very traditional metrics around how the tools are working and how many security incidents they're seeing," Sayer comments.
Some CISOs are starting to change what they report to boards: lag and lead indicators that demonstrate the performance of their security organisations over time, measures of the maturity of their security organisations and their security controls relative to peers, and the processes their security organisations use to stay abreast of the changing threat landscape and the steps they take to respond to those changes.
Sayer shares that “CISOs are also trying to better understand the needs of boards by attending courses such as those provided by the Australian Institute of Company Directors”.
But there are also other important steps Sayer and his counterparts at VMware predict will put companies on the front foot against cyber-criminals.
A "step change" in security
Cybersecurity defences have become so complex that they have made it harder for security teams to deal with incidents like the Log4j vulnerability, points out Rob Dooley, Senior Director for VMware’s Security Business Unit in APJ.
"Previously, as a new vulnerability or a new attack technique would present itself, there'd be a new technology that customers would buy and deploy. Now, customers have really complex environments which they've stitched together. And when you've got multiple tools that have to work together and you have misconfiguration, that means there's potential for a breach," Dooley says.
He predicts “a step change in how security is delivered over the coming years”. A key shift, in his view, will be the consolidation of security technologies within organisations. This will happen as companies’ main IT vendors build security into their offerings, reducing the need for CISOs and their teams to bolt on and integrate security themselves.
That will require an open technology ecosystem connected through the use of APIs, as is common in VMware environments. Embedded security will move with applications and workloads as they traverse multiple cloud platforms.
More joined-up security will give organisations greater visibility of activity in their IT environment, from the underlying infrastructure to applications.
And more automation of Security Operation Centres (SOCs) will help operators move faster to understand and articulate whether their business is at risk. “That’s everyone’s greatest fear, not knowing,” Dooley comments.
This will be accompanied by a move away from perimeter security to zero trust architecture. "Previously, organisations would spend a lot of money building really strong perimeter security. But these days, what is the perimeter? Your workload or your device may be located in a user's home or another office, the applications might be SaaS based and some might be on premise," Dooley points out.
The Accenture VMware Business Group is working with some of Australia’s largest organisations to implement these principles. Dooley argues it makes more sense for CISOs to work with existing partners like this than to complicate things further by going to market to find independent security vendors.
“With VMware, you're able to do multicloud transformation where security is native to what we do. And our partner Accenture has got the skills to bring all this together,” Dooley says.
Reality check for CISOs
It seems many companies are yet to follow the principles outlined by Sayer and Dooley. Nearly a quarter of respondents to an Accenture survey in 2021 said security was not part of their cloud transformation journeys.
“This is staggering when you think about it,” Sayer says. “There's a cultural perception that security people are there to slow things down.” Security by design should in fact save companies time and money by reducing problems later.
Meanwhile, security spending keeps rising. “What we're seeing with the new legislation coming in for critical infrastructure here in Australia, plus all of the risk work we've seen with ransomware attacks in recent times, security budgets have gone up substantially – in the order of 10 to 15 percent of IT spend at the moment. Now, that isn't sustainable in the long term,” Sayer says.
Find out more about how the Accenture VMware Business Group can help you operationalise your transformation journey efficiently by contacting us or visiting us online.