Assume Breach, Trust Nothing, Verify Everything
I recently attended the Forrester Security & Risk conference and gained some good insights while there. While many keynotes were memorable, one of my favorites, on the opening day of the event, covered the trends we’ll observe in 2024, especially the arrival of Gen AI. Conversing, such as via ChatGPT, is the new interface and the new norm. For example, at least one out of 10 Gen AI projects would be operationally deployable in production, and Gen AI will be the IQ of the organization, which shall continually increase over time.
However, Gen AI is a critical concern for Chief Information Security Officers (CISOs), since it democratizes fraud, or “cyberattacks as a service,” offering a frictionless experience for “amateur” bad actors and lowering their barrier to entry. Gen AI’s interface is NOT controllable: employees and/or customers may input highly sensitive information, or disturbing information such as how to build a life-threatening device or commit violent acts.
Best Practices for Zero Trust Access
Zero Trust Access (ZTA) was a red-hot topic as well. It’s basically any account access that is granted based on identity, not on the network you connect from. Severity zones defined within your ZTA protect the crown jewels: customer information and company IP. The new corporate adage is “Assume breach, trust nothing, verify everything.”
Zero Trust is not a destination; it charts the path to intermediate maturity. Cloud-native architectures, remote work, and sophisticated threat actors are making the traditional approach to security obsolete, so deploy MVS, minimum viable security. A few best practices were discussed:
- Perform a discovery exercise across your technology landscape, encrypt all data, select a key management solution, and define RBAC for keys.
- Start with MFA across the organization, use passwordless, and perform identity attestation at least semiannually.
- Detect and prevent device threats using device posture management.
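To make the “identity, not network” principle concrete, here is an added example of a small Zero Trust policy decision function (this is illustrative code written for this post, not Forrester’s or any vendor’s implementation). It evaluates a request against the severity zone of the resource using the identity’s MFA method, the age of its last attestation, its roles, and the device posture; the source network is carried only into the audit record and never influences the decision. The zone names, the role name, the 182-day attestation window, and the set of passwordless MFA methods are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Identity attestation at least semiannually (assumed window: 182 days).
ATTESTATION_MAX_AGE = timedelta(days=182)
# Assumed set of MFA methods treated as passwordless / phishing-resistant.
PASSWORDLESS_METHODS = {"passkey", "fido2"}


@dataclass
class Identity:
    user: str
    authenticated: bool
    mfa_method: Optional[str]      # e.g. "passkey", "totp", or None if no MFA was used
    last_attestation: date         # date the account and its entitlements were last reviewed
    roles: Set[str] = field(default_factory=set)


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    os_patched: bool

    def healthy(self) -> bool:
        # Device posture management: all three signals must hold.
        return self.managed and self.disk_encrypted and self.os_patched


# Constructed severity zones: each states what a request must satisfy.
ZONE_POLICY: Dict[str, Dict] = {
    "public":       {"mfa": False, "passwordless": False, "healthy_device": False, "role": None},
    "internal":     {"mfa": True,  "passwordless": False, "healthy_device": False, "role": None},
    "crown_jewels": {"mfa": True,  "passwordless": True,  "healthy_device": True,  "role": "data-owner"},
}


@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    audit: Dict[str, str]


def evaluate_access(identity: Identity, device: DevicePosture, zone: str,
                    source_network: str, today: date) -> Decision:
    """Allow/deny one access request. The source network is recorded for
    the audit trail only; it never contributes to the decision."""
    policy = ZONE_POLICY[zone]
    reasons: List[str] = []

    if not identity.authenticated:
        reasons.append("identity not authenticated")
    if policy["mfa"] and identity.mfa_method is None:
        reasons.append("MFA required for zone %s" % zone)
    if policy["passwordless"] and identity.mfa_method not in PASSWORDLESS_METHODS:
        reasons.append("passwordless MFA required for zone %s" % zone)
    if today - identity.last_attestation > ATTESTATION_MAX_AGE:
        reasons.append("identity attestation older than %d days" % ATTESTATION_MAX_AGE.days)
    if policy["healthy_device"] and not device.healthy():
        reasons.append("device posture check failed")
    if policy["role"] and policy["role"] not in identity.roles:
        reasons.append("missing role %s" % policy["role"])

    audit = {"user": identity.user, "zone": zone, "source_network": source_network,
             "result": "allow" if not reasons else "deny"}
    return Decision(allow=not reasons, reasons=reasons, audit=audit)


def demo() -> Dict[str, Decision]:
    """Constructed sample requests showing that network location buys nothing."""
    today = date(2024, 1, 15)
    good_device = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
    byod = DevicePosture(managed=False, disk_encrypted=True, os_patched=False)
    return {
        # On the corporate LAN but without MFA: denied even for the internal zone.
        "lan_no_mfa": evaluate_access(
            Identity("alice", True, None, date(2023, 12, 1)), good_device,
            "internal", "corp-lan", today),
        # Remote, passkey, recent attestation, owner role, healthy device: allowed.
        "remote_passkey": evaluate_access(
            Identity("bob", True, "passkey", date(2023, 12, 1), {"data-owner"}),
            good_device, "crown_jewels", "home-wifi", today),
        # Same as above but the attestation is 228 days old: denied.
        "stale_attestation": evaluate_access(
            Identity("bob", True, "passkey", date(2023, 6, 1), {"data-owner"}),
            good_device, "crown_jewels", "home-wifi", today),
        # TOTP on an unmanaged device for the crown jewels: two failed checks.
        "totp_byod": evaluate_access(
            Identity("carol", True, "totp", date(2023, 12, 1), {"data-owner"}),
            byod, "crown_jewels", "corp-lan", today),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision.audit["result"], decision.reasons)
```

Every denial carries its reasons, which is what makes the decision auditable and lets the SecOps team turn repeated denials into detections rather than tickets.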
Establishing a Cybersecurity Framework
Today, cybersecurity is a revenue enabler: it can nurture a deal or, as with noncompliance and regulatory requirements, prevent one. Regulatory compliance really sets the minimum standard to operate; it’s the floor, not the ceiling. Compliance does not equate to security: it is mandatory, and it is a journey that’s iterative in nature. As security leaders, we should strive to shape the regulatory framework by influencing regulators and policymakers, without imposing too much cost on our business, while making tradeoffs on what’s most important.
Establishing a data loss prevention (DLP) program is not a one-size-fits-all exercise and ideally should be outcome-driven. Regarding Gen AI, threats and risks are not equal across the use-case spectrum, and data security controls should enforce policies for access, use, and lifecycle management.
Transforming your SecOps team should involve detection engineering, enabling agility with iterative playbook development, and achieving higher-quality detections. An agile methodology for SecOps accelerates the path from detection to mitigation of potential threats, while providing a nurturing career path for engineers.
Managing Risk from Insiders
It’s no surprise that insider threats have escalated, especially in the last couple of years, and they manifest in different forms: employees, contractors, partners, and vendors. Typical motivations for insiders include financial distress, disgruntlement, entitlement, the announcement or fear of layoffs, revenge, work conflict, ideology, and outside influence. While insiders are challenging to detect, Forrester defined a 10-step approach for risk management (gated).
Overall, it was an illuminating event that covered the entire spectrum of security issues and best practices. It will be interesting to see how many of these security risks evolve over the next year.