At the 2016 Structure Security conference, Rally Ventures' Art Coviello gave an overview of the threat landscape and provided best practices for security professionals and developers.
Despite billions in spending on cybersecurity, enterprise IT is less secure than it was 10 years ago, said Art Coviello, a venture partner at Rally Ventures. On Tuesday, at the first annual Structure Security conference in San Francisco, CA, Coviello explained the threat landscape facing enterprise IT and what needs to change.
Growth of web apps, mobile, and big data have meant our attack surfaces have increased dramatically. As users sacrifice privacy for rewards, these threats are often increasing quicker than we can keep up, outpacing the ability of IT to respond.
Coviello quoted Winston Churchill who said: "Evils can be created much quicker than they can be cured."
SEE: Network Security Policy Template (Tech Pro Research)
There are more attackers than ever, including less sophisticated hackers who can purchase exploits online. Additionally, IoT will make it even worse. Coviello said that we need a layered approach to be able to stay ahead of new threats.
Today, the world is a "ball of confusion," Coviello said. The perimeter no longer exists, he said, and organizations need a security posture that is intelligence-driven and dynamic, and leverages new technologies to stay current. Organizations also need better leaders, more resources, and a more defined budget to remain strong in the future.
According to Coviello, the standard chain of defense starts with preventing and deterring attacks, then preventing and detecting intrusions, before preventing damage and loss, and then automating a response.
IT and security leaders must seek to understand that there are risks associated with adopting transformative technologies. Every piece of technology you adopt will have unintended consequences, Coviello said, and you must seek to understand those before implementation.
While CIOs straddle between having direct responsibility for security, or working with security leaders, the CISO bears the burden of creating an in-depth defense to protect their organization. Coviello said that he's never met a CISO who wasn't in high anxiety or didn't think his or her approach was best. CISOs have a lot going on, but they have to navigate through more than 1000 vendors, many of whom are arguing that they have the most mature offering.
"Maturity is often a euphemism for obsolete," Coviello said, and vendors must be doing one or more of the following to be worth pursuing:
- Exponential improvement over existing control
- Add value to existing control
- Increase cost effectiveness and efficiency
The 3 big takeaways for TechRepublic readers
- According to Art Coviello, enterprise IT is less secure than it was 10 years ago because of the proliferation of new technologies and their related threats.
- The perimeter no longer exists and enterprises need a layered approach to handle new security problems, along with stronger leaders and a more defined budget.
- CISOs bear the burden of defense and must appropriately vet new vendors before adopting new technologies.
- Which political party is more cybersecure? (TechRepublic)
- US senator asks SEC to probe Yahoo hack (ZDNet)
- Yahoo confirms 500M accounts leaked in massive data breach (TechRepublic)
- Oops. Apple has seriously weakened iOS 10 backups against password hackers (ZDNet)
- Report: The top 6 industries hit by ransomware (TechRepublic)