In his keynote speech at the Securing the Enterprise 2018 conference in Cambridge, MA, BT Security president Mark Hughes said that when it comes to the threats enterprises and government are facing, the global network is telling us that old strategies don’t work.
In the face of ongoing cyber-attacks, mounting privacy concerns and daily data breach announcements, the current cybersecurity technologies fall short, according to Howard Shrobe, associate director, cybersecurity at MIT Computer Science & Artificial Intelligence Lab (CSAIL), and principal research scientist, MIT CSAIL. In order to effectively move forward in the direction of "where we need to go," the industry needs to develop a more formalized approach that combines design and analysis methods.
“Our approach is based on three key elements,” Shrobe said. “Collaborating closely with industry for input to shape real-world applications and drive impact. Leveraging the breadth and depth of CSAIL security researchers to approach the problem from a multi-disciplinary perspective. And creating a test-bed for our industry partners to implement and test our tools, as well as have our researchers test tools developed by our partners.”
To enable security transformation, enterprises should first assess their structure, said Hughes. “Put the team responsible for delivering change at the forefront of your strategy.” There are lots of threats, and those threats turn into risks that have a very tangible bottom-line impact.
“Those risks are changing rapidly, so much so that in a matter of weeks, the risk profile changes. Using known, well-understood risks and putting those into a cyber context is extremely useful,” Hughes said.
Given that the risks are changing all the time, one key to building an effective security strategy is adaptability. “Prepare to constantly evolve,” Hughes said, but it’s also important to realize that there is no endpoint or perfect solution. When organizations realize that protecting everything all the time is ineffective, many turn to red teaming, which Hughes said yields interesting outcomes that allow organizations to assess and then prepare to evolve.
The next step in enabling security transformation requires internal engagement so that you are building knowledge and advocacy of security at all levels of your organization, said Hughes. From there, the company is well positioned to understand its risk, fully assess its security landscape, and prioritize and protect the areas where a security incident would have the greatest impact.