Leading CISO Wants More Security Proactivity in Australian Businesses to Avoid Attack ‘Surprises’

Rapid7’s Jaya Baloo says a deficit in Australian organisational IT asset and vulnerability understanding is helping threat actors, and this is being exacerbated by fast growth in multicloud environments.
The complexity and change organisations experience as they grow is one reason they face the same cyber security risks they did a decade ago, says Rapid7’s CISO Jaya Baloo. Quantum computing, however, is one emerging risk where defenders could still get ahead of the game.
Speaking on ethics in information security at the 2023 Australian Cyber Conference, Baloo said the Australian market has truly woken up to cyber risks in the last year due to a number of high-profile data breaches that have affected millions of Australians.
Baloo told TechRepublic proactive mapping of assets and vulnerabilities, consistency through times of organisational growth and planning ahead for risks like quantum computing could help Australian security pros step off what can feel like a “hamster wheel.”
Despite having talked to organisations about the same risks for a decade, Baloo said many were “still surprised” when a lack of understanding of the assets they had, and of the vulnerabilities on those assets, led to them becoming the victim of a cyber security incident.
“We still don’t have a full understanding of our footprint, a critical thing for an enterprise, and we wind up surprised if we have an exposed API, issues with credentials being made open or a dataset aggregated for an AI learning model that was open to everyone,” Baloo said. “It is not enough to have effective remediation.
“We should know ourselves, but we still don’t. For example, we don’t understand our networks and systems, and we don’t deploy the same standards for internal products as we do to test environments — which we should, but we don’t.”
SEE: A definitive guide to evaluating cybersecurity solutions.
Old vulnerabilities were also creeping up into new products in new tech stacks, Baloo said, because, as an industry, “we haven’t done the security-by-design thing very well.”
Part of the problem is a lack of discipline in the way companies have grown. Baloo said this leads to companies or departments adding new services, for example, or taking them away, without necessarily documenting these changes or following a thorough process.
This often happens when companies grow through acquisition or become part of a bigger entity themselves, leaving them without complete documentation of their external and internal assets.
“We don’t do that well, we don’t execute through these changes in a consistent fashion,” said Baloo.
SEE: Take advantage of TechRepublic Premium’s change control policy.
Baloo said automated attack surface management, in the form of third-party risk scores, also did not always correctly identify which assets actually belonged to a company.
“We have an imperfect third-party external view and internal view, which is the most important stuff,” said Baloo.
Cloud computing growth has exacerbated the risk of organisations losing track of their assets and vulnerabilities. Baloo said the ease of spinning up cloud assets, often not taken down, and slightly different services for logging, identity and monitoring added to overall complexity.
“Identity, for example, is set up differently (in different cloud environments), and that is the prerequisite for all the other stuff we do,” Baloo said. “If you are not doing that right from the get go and harmonising that across cloud stacks, it can be easy to screw everything up.”
Organisations should ask themselves what they are putting in the cloud and why, Baloo said. Pure “lift-and-shift” operations — which would see old applications just “flopped down somewhere else,” even when using some cloud native features — would be best avoided.
“In a multicloud environment, you need to ask how you harmonise the different cloud environments you are using,” Baloo said. “You should have a baseline for what you want on different platforms, how they are set up, then pull that back to centralised or native monitoring. We need to find a way to do this without it being incredibly complex.”
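As an added example (not from the article or from Rapid7), the following Python script shows what the reconciliation Baloo describes looks like in practice: a documented asset inventory is compared against what discovery actually finds across two cloud accounts, flagging undocumented assets, exposure drift, stale records, and a logging baseline applied uniformly to every platform. All account, asset and record values are constructed sample data.

```python
"""Reconcile a documented asset inventory against what is actually running.

Added example: the CMDB records and per-cloud discovery results below are
constructed sample data. Real input would come from a CMDB export and each
cloud provider's inventory API.
"""
from dataclasses import dataclass

# Constructed: what the organisation believes it owns (the documented view).
CMDB = {
    ("aws", "api-gw-prod"):  {"owner": "payments", "public": True},
    ("aws", "db-prod"):      {"owner": "payments", "public": False},
    ("azure", "ml-bucket"):  {"owner": "data-sci", "public": False},
    ("azure", "legacy-vm"):  {"owner": "finance",  "public": False},
}

# Constructed: what discovery actually found in each cloud account.
DISCOVERED = {
    ("aws", "api-gw-prod"):  {"public": True,  "logging": True},
    ("aws", "db-prod"):      {"public": False, "logging": True},
    ("aws", "test-api-old"): {"public": True,  "logging": False},  # never documented
    ("azure", "ml-bucket"):  {"public": True,  "logging": False},  # drifted to public
    # "legacy-vm" is in the CMDB but no longer exists in the account.
}


@dataclass(frozen=True)
class Finding:
    cloud: str
    asset: str
    issue: str


def reconcile(cmdb, discovered):
    """Return findings for footprint gaps and baseline drift across clouds."""
    findings = []
    for (cloud, asset), live in discovered.items():
        doc = cmdb.get((cloud, asset))
        if doc is None:
            findings.append(Finding(cloud, asset, "undocumented asset"))
        elif live["public"] and not doc["public"]:
            findings.append(Finding(cloud, asset, "exposure drift: public but documented private"))
        # The baseline applies on every platform, documented or not.
        if not live["logging"]:
            findings.append(Finding(cloud, asset, "baseline violation: logging disabled"))
    for cloud, asset in cmdb.keys() - discovered.keys():
        findings.append(Finding(cloud, asset, "stale record: not found in discovery"))
    return sorted(findings, key=lambda f: (f.cloud, f.asset, f.issue))


if __name__ == "__main__":
    for f in reconcile(CMDB, DISCOVERED):
        print(f"{f.cloud}/{f.asset}: {f.issue}")
```

Feeding the same baseline check every account's discovery output is what lets the results be pulled back into one central view rather than read per platform.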
SEE: Here’s everything you need to know about multicloud.
If data is being shared cloud to cloud, Baloo said IT needed to know what that flow looks like.
“Even there can create points of failure,” said Baloo. “What are those from a topological point of view?”
Quantum computing is one area where proactivity could put IT ahead of the game. With the first quantum computer potentially five to 10 years away, there is time to invest in replacing existing encryption algorithms before quantum computers render them useless as a defence.
SEE: Australia is looking at an “assume-breach” approach to combating cyber attacks.
Baloo said the question that should drive action is what data we want to protect and for how long. If Australian organisations want to be able to protect healthcare data for the lifetime of a patient, or even intergenerationally, Baloo said quantum computing now means “we don’t know how to do that.”
“Quantum computing is an area that I am worried will be just like AI,” said Baloo. “It won’t be prioritised as super important until it actually hits us. It is coming, so I would like to see us plan ahead. Let’s not be chickens with their heads cut off when it does hit us.”
The solution will probably be a combination of both quantum communication networks, like those being developed in China, and post-quantum algorithms, Baloo suggested. However, the important thing is having enough time to undertake the transition before it is too late.
“We suck at change; we are terrible at it,” said Baloo. “Getting everyone in the same place and to the same level of understanding to invest in that transition is going to be a difficult thing to do. But if we wait until there is a quantum computer, then we are screwed.”