Asia-Pacific businesses must start thinking outside the box and transform their cybersecurity strategy, as the threat landscape is increasingly complex and the number of major data breaches is escalating. Hackers’ tactics and focus have also become more insidious, so existing tools and approaches may no longer be effective in staving off attacks.
To compound the problem further, there currently is a shortage of talent, with global studies predicting there will be 3.5 million vacancies in the cybersecurity industry by 2021.
Following a year of several high-profile breaches in the region, including Singapore’s SingHealth breach that affected 1.5 million patients, chief information security officers (CISOs) in Asia-Pacific remained challenged in 2019 as regulatory uncertainties continued and economies showed signs of slowing down, said Jinan Budge, Forrester’s principal analyst for security and risk.
These executives were already caught in an “intensifying storm” in which technologies were changing rapidly and businesses were forced to move more quickly to keep pace with customer demands, noted Budge, who was speaking at RSA Conference in Singapore this week.
And while new technologies meant new opportunities, they also presented great risks, she said, adding that cyberattacks now could not only cause business disruption but also potentially result in the loss of lives. In addition, customer expectations about security and privacy had increased significantly in recent years, she noted.
Citing findings from a Forrester study, the analyst said the top two challenges Asia-Pacific CISOs faced were the complexity of their IT environment and the changing nature of IT threats. Another 26% of these executives pointed to concerns that other priorities in their organisation took precedence over security initiatives, while 24% were challenged by compliance with new privacy regulations.
Budge noted that the region’s regulatory landscape was inconsistent and complex to navigate, as each country had its own data privacy laws and there was no common legislative framework similar to the European Union’s General Data Protection Regulation (GDPR).
The good news was that the number of high-profile security breaches and new breach notification laws had forced CEOs to realise they needed to play catch-up, she said. CISOs finally were getting the attention from the boardroom that they had always wanted, she added, noting that 47% in Asia-Pacific expected their security budgets to increase this year.
However, security was still deemed primarily an IT issue, with 56% of senior security decision makers in the region still reporting to their CIO or IT head. This, she said, could create real or perceived conflicts of interest, where CIOs might prioritise areas that helped “keep the lights on”.
She said CISOs now would need to prove their value by leapfrogging to more advanced security capabilities. To do this, they needed to find the right talent and incorporate specialist security services into their portfolio, the latter of which would be essential as they would not have the time or people to integrate multiple security products.
They also must move away from being technically focused and adopt a more holistic approach that should encompass, amongst others, a risk, governance, and operating model.
CISOs needed to work towards removing the myth that security was just an IT issue, she said, stressing that the entire organisation must be involved in managing the risks.
Speaking at a media roundtable at the conference, RSA CTO Zulfikar Ramzan also urged a transformation of the role of cybersecurity leaders, so that they focused on what actually mattered.
For instance, with artificial intelligence (AI) and machine learning, there appeared to be significant focus on the algorithm when the more important component should be the data, Ramzan said. Without good and reliable data, organisations would not be able to extract meaningful insights, even if they had a robust machine learning algorithm, he noted.
To carry out AI and machine learning initiatives, enterprises also would need data scientists, said Kate Healy, Telstra’s principal cybersecurity strategist, who also was on the roundtable. In fact, she added, the industry would require new skillsets and roles to support the adoption of machine learning in cybersecurity.
Cybercriminals and attacks becoming more insidious
Acquiring the right capabilities and tools would also be critical as cyberattacks were increasingly insidious, with hackers choosing to be stealthier in their attacks and to fight back when their presence was detected.
Carbon Black’s chief cybersecurity officer Tom Kellermann noted that there had been instances of counter-incident response, with 56% of respondents in an April study it conducted encountering such attempts. This was a 5% increase over the previous quarter.
Security teams that were reacting to adversaries were seeing these attackers fight back, which was not a common occurrence previously, said Kellermann, who was speaking to ZDNet on the sidelines of the conference. He described this trend, which had been manifesting for the past couple of years, as a shift from a “burglary” to “home invasion”, where the attackers infiltrated not just to steal but to take control of the infrastructure.
The objective here was to use the compromised infrastructure to move further along the information supply chain and onto more valuable assets, or what Carbon Black termed “island hopping”. The security vendor said 50% of attacks in the first quarter were part of such campaigns, tapping the compromised systems to launch attacks on others along the victim’s supply chain and within the victim’s brand, he said.
And with the rise of hacking tools and modes such as fileless malware and modular attack codes, most security products in the market today were ineffective, he noted, pointing to perimeter defence and traditional antivirus software as examples.
Kellermann said: “We need to do a better job identifying a problem before it manifests, and that requires regular threat hunting, not just on your infrastructure, but across your entire information supply chain.”
He called for a change in strategy and architecture paradigm: away from defence in depth, where companies aimed to build fortified castles, and towards the inverted approach of a prison. This would ensure hackers were contained once inside, resource constrained, and not free to move laterally.
“We need to make it more difficult for them to leave your environment with what they have stolen,” he said, touting the need for a security strategy that encompassed capabilities to detect, deceive, divert, and contain, or a model that Carbon Black called the cognitive attack loop.