Analyst Chat #6: Five Key Topics for Cybersecurity

The KuppingerCole Analyst Chat podcast. I will be your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. We will focus on specific and hopefully interesting topics that we as analysts encounter in our daily work.

And this work that we do is mainly focused on the topic areas of cybersecurity, identity, and access management, AI, and much more can we do in depth research, but we also do advisory work with vendors and end users as clients alike in each edition, I will have one guest joining me often a fellow analyst or another interesting part that we will have a full 15 minutes or so chat around current topics. Today, we will talk about five key topics for cybersecurity. So really a basic and a very important starting point for defining your cyber security strategy.

My guest today is Martin Kuppinger, principal analyst that KuppingerCole. Hi Martin. Hi. Good to have you again. So we will talk about five key topics for cybersecurity. Where would you start your recommendations when it comes to five key topics? What is the main first key topic to start with? So what is the main topic? I would say generally speaking, it is keep your business alive. Cyber attacks can put businesses in danger today, and we should be very clear in our understanding that it's not just about protecting a system. It's about protecting the business because there's a risk.

If you're pissed, this is all for awhile, that you're bankrupt. So how long can you business survive without it running? How resilient is your it against targeted long running attacks might suppress across spread across your data centers. How can you restart your business quickly and fill gaps and data later?

So if you, you to stock from an older backup also is your crisis communication prepared up to the black suit. Communication about a CEO stands in front of suppressed us. They know what to say. Does he know how to start by the way, always start with pay Apollo trust. That's the best start at the crisis, cyber Security with a much bigger focus. So you include other aspects into your cyber security as well. So it's communication, it's business organization, it's overall processes.

So inside cyber security with a, with a bigger picture, Yes, it is modern cyber security or cybersecurity is more than it was that, that it, that it has been in the past. So it was very geeky technical thing. Then it become more widespread, but still very much it and cyber security right now is something which goes well beyond. It's a part of a business continuum. So looking at it broader, That was what I was thinking of. Really the, the way from this more it focused aspect of cyber security towards a business critical set of processes implemented in the overall organization.

I think if you're, if you understand cybersecurity like this, this is much more adequate for the 2020s than before. So if we focus on keeping the business alive, what would be then the next starting point for getting an overall picture of your it security of your cybersecurity? So another important thing is having something like a security operation center or a cyber defense center up and running, where I would define a cyber defense center as a bigger thing than a security operation center.

So the security operation center us frequently, our trust analyzing data, trying to detect attacks, but it's also about real-time reaction and response and recovery. And so a cyber defense center should go somewhat bigger. The big challenge here from my perspective is most businesses still have it. And many businesses are not capable of having it by themselves. So it will be about understanding where can I get services with whom to work in a combination of my own team and the managed service providers using new technologies as well.

But it's, it's an essential topic to have this defense center, this operation center for cybersecurity in place with a good combination of what you can do yourself as your own stuff and what you can do with support from others. A lot of SOC as a service right now, how Do you get the message out to your organization, to those who have the budget and the resources for creating such a SOC or CDC?

I think it's typically difficult to convince your organization to invest in something which in the ideal world can, will never be seen as a, an active factor because it prevents everything when it comes to cybersecurity, how to make the business case. Yeah, we already learned in the first on the first topic that it never will prevent everything. So there will be attacks. We are under attack. That's one part. The other thing is you have a physical security as well at the gates of your organization. Even if you moves, do most things virtual, you should have a security at the gates as well.

And you have to the people who are whatever, looking at from your factory, from the, from the borders of your factory, and you should have people who are looking at MDR stuff. So the more we do virtual and the more important it is, the more you can put our business at danger, the better we should align it. And I think also this alignment of forces is a good argument. So it's not necessarily about doing that many additional things. It's about training forces into the right, the right rules.

So to speak, to have your operations center here, instead of having disparate initiatives, that will be part of it. And then you need the partners, which support you. So I think it's relatively easy in these days to, to explain why you needed the bigger challenges to get it up and running, because there's a skills gap. So you need to find the partners, you need to do it, right. This is the big challenge, not to the budget. If Mentioned alignment. I think that leads us perfectly over to the third key topics of aligning what you have.

I think many organizations, especially those who are in existence for say 20 years or longer, they do already run lots of cyber security software, think of firewalls and web application firewalls and identity and access management. But moving that towards one unified SOC or CDC also requires really understanding what is there, what is required and would, could go away. So this optimization is something that really should be thought of. Yeah.

So, so I wouldn't move everything to an associate or CDCs if there are things for, I have to run in different places. But I think the main point is I rarely have seen her organization, which does not have far too many cyber security tools. So virtually every organization I know has far too many tools and many tools don't make things better. They might even make things worse because you feel safe, you feel secure, but you aren't because you spend too much time off managing these tools.

Instead of focusing on the real risks, you spend too much time for licensing license costs of old tools and maintenance of old tools. Instead of investing in new, better technology, you spend too much time for integrating these tools. So one of the key actions is optimize your tools. Landscape build a simple metrics. This is one of the, by the way, one of the advice thinks we are doing portfolio optimization, built metrics, which to look at what is the risk mitigating impact for total cost of ownership or other other dimensions, and look at what really delivers and then find the right mix.

Exactly. I think if you do such an analysis, there is also the chance that you gaps in your, in your defense. And I think that is something that is really worthwhile doing any way to understand, okay, I have four firewalls, but I don't have an aspect that really is of importance because it does not currently cover risks that I'm facing. So I think this portfolio design and portfolio analysis is really something that can help you in actually saving money or at least in spending your money more adequately when it comes to protecting your organization.

I would say at the end, that's free freeing up money. You can spend for these things, but you need additional budget. So at the end you will not save money in the sense of you have lower cost, but you will get more out of your investments and you need to get more out of your investments because the cyber security challenges are increasing and you need to work against it again to keep your business Right. You've mentioned the skill gap before. So hiring the right people might be an issue today, but also keeping your existing team up to speed. So have them educated adequately.

What do you recommend in that area? So, so first I, I would say have your keep up to speed means having every single person in your organization, which works with computers or smartphones or so up to speed. So regular continuous security training awareness training is essential. So people need to be aware of the risks, need to understand what to do, need to understand who to inform when, and then you need for, for the closer, for the more narrow cybersecurity team you need to spend into investment because there's always a skills gap.

So start with young people, educating them, making the, making the members of your team, try to find auto people and really dry to have expertise in house. Yes, you're right. Rely on external partners. You might rely on outsourcing on offering new shoring, but you still need to create a team and crew a team on premises.

Well, your headquarters failure, main premises are the, the, the highly skilled people. That's a, long-term, Trone the continuous security training and awareness for everyone. Some of them you should do all the time, which you can do virtually, which you can get from a variety of providers, including us. Exactly. I think we are in a situation where learning and executing trainings has become much easier than again, say 20 or 30 years ago, when you had to go to a five days training in person onsite today, you can add a 20 minute or five minute online session.

And that can be anything from starting from a simple YouTube video up to really dedicated and high profile, online training, online classes. I think education is so much easier, but today, but it's more challenging as well, But, but it can be done well, it can be done in really cool manner. Virtually we have a complete set of drinks, not another complete set foot. Yeah. We have to start off a set of trainings, which we call our KuppingerCole master classes. There are so many ways to do it today. Educate your team About educating and understanding security as a whole.

I think one aspect that is more and more gaining importance is the, the fifth topic that we want to talk about that is really expanding your cyber security focus beyond the traditional it security, and also including other devices, other areas of technology that are usually not immediately thought of. And that is operational technology on the one hand. So it's the factory floor.

And on the other hand, all the other devices that we are using, starting with camera, starting with sensors with, with, with your phones and your tablets, everything that people are using on a daily basis, and that are not directly connected to enterprise it. So OT and IOT, that is really a hot topic right now. Yes.

I think, you know, we are talking about smart manufacturing or how many views occur term in the three photo, which is connecting all these devices. And when we look at the digital transformation, it's about connecting.

So, so in, in smart manufacturing, it's more about operational technology. So the technology on the factory floor and IOT, the industrial internet of things, which becomes connected and for digital transformation. So when we build new digital services for many, many businesses, it's about connecting consumer IOT devices to their services, the quintessence in that cases, unfortunately, once you're connected, you're under attack. So once you start connecting your factory floor to the outer space, there's a new attack surface at it.

Once you connect IOT, consumerized, TDY, suspicious internal business systems, you expand the attack surface. So that means we need to look at this consistently, which is not easy because it are sometimes very different technologies. Consumer IOT is not owned by us. Usually while OT IOT are sometimes very, let's say mature technology. So phrase it friendly, which we need to connect, and we have different teams here. So it's a number of different teams which need to work together to make it really work.

So again, we've mentioned that in the beginning, so that cyber security is growing bigger and the focus is expanding. And I think the same is true. Also when we look at the, at the systems involved.

So it OT, IOT, IOT, all that you've mentioned before, that is really a huge change when it comes to, to defining and designing cyber security for an enterprise. It is so to say, maybe let me add one thing before you set up.

The, the most important thing to be successful here is talk with people, understand people, because when you talk with OT people, they will talk about safety. First, it, people talk about security. First at the end, we need both. We need safety and security. So conversation and understanding at eye level. And I eight is the starting point for successful work here. And it's the starting point for talking with OT IOT, as well as keeping your business alive, where you need to understand both of what happens to it in a tax. And what does it mean to the business?

Great, thank you. So these were five main insights into cybersecurity, and I hope that was also inspiring to our audience. Let's sum it quickly up. So five key topics with cyber security first is keep your business alive.

Second, get your SOC your CDC up and running third, optimize your tools, landscape more efficient, more complete fourth, educate your team and your complete team, not just the it guys and fifth beyond it. Security. Think of OT and IOT to get a full picture of cybersecurity.

So Martin, thank you very much for these insights. I'm really looking forward to having you once again in the future edition of this podcast. Thank you very much for your time and thank you very much to the audience for listening. Bye-bye Thank you, Mathias. And thank you to the audience. .