Matthias Reinwarth and Alexei Balaganski talk about the reasons many companies are still failing to protect themselves from cyberattacks and data breaches even after spending so much on security tools.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. And in each edition of this podcast, I talk to one special guest, often a fellow analyst or another interesting partner, and we have 15 minutes to chat. So my guest today is, and I'm happy to have him again, Alexei Balaganski, lead advisor in the areas of cybersecurity for KuppingerCole here in Germany.
Hi, Alexei. Hello, Matthias. I'm glad to be here again on this podcast. Good to have you. Where to start?
I already had an episode together with our common colleague John Tolbert from Seattle, and he was talking about when a cybersecurity product is not a cybersecurity product. He was looking at intrinsic deficiencies of these solutions, so the fact that those solutions should provide security but actually are not secure themselves; that was the starting point for that episode. And there are lots of these products around today. The title of today's episode is "The Cargo Cult of Cybersecurity". I think we want to dig a bit deeper in that area. Where should we start?
I think first of all we should explain the term cargo cult. What does that actually mean, exactly?
Well, historically, of course, it has nothing to do with cybersecurity. Whether you remember it personally or not, it goes back to the Pacific islanders around the time of World War Two.
Well, the United States and Japan had fought over the Pacific Ocean, and for that they had to build lots of temporary airfields and supply points for the armies and navies. And of course they did it on those tiny Pacific islands, still inhabited by native people who, to this day, are not very familiar with modern civilization. And those people saw a crowd of strange foreigners coming onto an island, building an airfield, planes flying by and dropping lots of crates with useful supplies for them, and then disappearing again.
And they believed that this was some kind of divine intervention, that the gods were sending those cargoes, precious cargo, to them, or to the white people. And later, when the war ended, they were trying to build the same airfields and planes from straw and sticks, hoping that more cargo would arrive from the gods. And I believe that this illustrates perfectly the situation in the cybersecurity market nowadays, both in terms of the way some vendors approach security software design and, of course, how quite a few companies, the end users of cybersecurity products, still behave, unfortunately. Okay.
Can you give a simple example? I'm really trying to get that connection between the cargo cult and cybersecurity.
Oh, I would not give you any specific names. Of course, Matthias, you do realize that the spending on cybersecurity tools is growing amazingly; billions are invested in these tools every year, but we still see that the overall level of security isn't really going up. There are still data breaches and hacks, and even the most basic cybersecurity hygiene rules are violated, and ransomware. So that's really the question: where does all this money go?
And the answer is that sometimes companies would just procure a cybersecurity tool. They will buy a box, put the box on the shelf and say, okay, now with this magic amulet we are secure. They did not care about properly deploying the tool, incorporating all the devices and systems into its management, operating it or monitoring it, and so on. It's just like those airfields with planes built from wooden sticks, right? So it's this firewall approach: we have a firewall, so we must be secure. Yes.
Even though that firewall probably doesn't even block anything anymore because it's 10 years too old. Right. So keeping up with configuration, deploying it adequately, running it with maybe a skilled team of experts, that is the aspect that's missing, because that cannot simply be procured by just spending money and buying a box. Right.
Right, right. And of course, unfortunately, the software and cybersecurity vendors themselves sometimes don't do their homework as well. There are many examples. John addressed earlier cybersecurity tools which lack secure multifactor authentication, which means that anybody can basically hack into your cybersecurity tool and disable it completely. Other vendors might, for example, use a simple MySQL database, unencrypted and unprotected, to store their findings. And of course it can be manipulated and erased at any time. We're talking about compliance, for example.
And there are many, many examples where cybersecurity software is designed as if it's not a part of your critical infrastructure but a game or office software, which can break all the time, no problem. Okay.
But with the move to the cloud, with many organizations still moving to the cloud, there is an even higher, much more open attack surface, because when you're not doing things right in the cloud, it's much more visible and the attackers are already there. Moving more into the cloud introduces its own share of new security challenges.
And these challenges are sometimes so different from those you have to deal with on premises, because you no longer have control over the infrastructure and the services, but you still retain responsibility for your sensitive data, for example. And obviously you have to know about all these challenges. And I guess this is probably the primary reason for this cargo cult.
You know, people just don't know their responsibilities. They do not have the necessary expertise to make proper decisions. I'm not even talking about operating the system, because that's a totally different story about the skills gap in the industry. I'm talking about basic cybersecurity common sense, if you will, a basic understanding of which technologies you need to address which challenges. If you are lacking this basic understanding, you will never make a reasonable security decision, right?
So I'm usually somebody who often talks about this DevOps approach, with the developers also being the ones responsible for operating the overall system. And I think these are often also overchallenged just with applying the right level of security on top of doing development and doing operations. I think that goes hand in hand with what you've described. So I have a secure solution because I bought something. I have a highly talented developer who's working on that solution, and he also deployed the machines to the cloud.
There needs to be some area where there are... Yes, DevOps originally had nothing to do with security at all. It's basically an approach, nothing about technology; it's really kind of a conventional approach to bring your software products faster to the market, right? Developers tend to not think about security at all. It's usually not their responsibility, and the security people tend not to know how to talk to developers properly, right? So this is why this whole DevSecOps movement is emerging at the moment.
How do you make security not only accessible and intrinsic to your application, but make everyone engaged in this? Because security is a process. It's not a point in time. You have to think about security all the time and you have to involve everyone. And this is probably one of those groundbreaking changes which have to become commonplace in the software industry and then around the world, to break with this cargo cult, if you will.
So we do understand that as an issue, and we see it in the news all the time, when we find unprotected MongoDB databases somewhere in the cloud, and somebody did not just apply common sense within the cloud, because it's not as protected as it would be in an on-premise data center. But what would then be the overall set of recommendations that you would like to give when it comes to, first of all, avoiding this cargo cult, but then getting to a much more adequate approach towards cybersecurity beyond the tools?
Well, obviously one has to realize that cybersecurity is not an IT thing. It's not a tool thing first and foremost; it's a way of thinking. It's a way of organizing your business processes, whether you're a software developer or just a normal, quote unquote, usual business. So security is not something you have to adopt as a kind of bolt-on. It just has to become part of your daily life, daily business, just like hygiene, if you will. This is the first thing, which has absolutely nothing to do with tools.
It's just that you have to change the way you are thinking about your business. And then of course, as soon as you understand that you have this problem, you start looking for solutions. And obviously the most ideal, if not idealistic, approach would be so-called secure by design.
So yeah, it would have been awesome if every piece of software just did not contain any bugs, right? Then you wouldn't need to care about any potential security problems because there wouldn't be any. Of course, in reality, such a thing doesn't exist. So the next best, I think, would be what is sometimes called secure by default.
I mean, whenever you buy and deploy a tool, whether a specialized security tool or just a piece of software, it should come with the best and most secure configuration already pre-applied. You remember, for example, that sometimes home wifi routers come with a fixed password which is the same for every customer. This is a bad example of secure by default. Instead, you should expect that every router comes with its own individual safe password and maybe even forces you to change it as soon as you deploy it at home. Right?
So this is secure by default, and the same approach applies to enterprise software and, of course, to cloud services as well. But even with this approach of cybersecurity vendors and service providers really pre-applying this high level of security, as far as that is possible, that is a good starting point for organizations, but how can they then keep up with the changing challenges over time? You mentioned the skills gap; how can we, or how can they, really get to an adequate level of security over time?
And also in that layered approach scenario, when you have more than one security component contributing to a general approach for security? Well, what I say now might be somewhat unpopular, but I am actually a strong believer in strict government regulation in cybersecurity. We have already seen the fruits of regulations like GDPR, and they are really harsh and the fines are abysmal, but they work. And it seems that for many companies this is the only way to actually force them to start thinking about security, because they realize that being secure is not just a nuisance.
It's actually a method of saving a lot of money. So if the skills are not available on the market, we end up with training? Oh no, I'm not talking about skills yet. First of all, you have to understand that security has to be in your product, right? Because as long as there are no requirements in the regulation, what's the point of building in a security feature?
If you don't have any responsibility for your software failing in cybersecurity... but as soon as you do, whether you are a software vendor or a software consumer, if you will, then of course it will be in your best interest to find a solution. And then you would start looking for experts, those skilled people. And of course you won't find any, because they are already way too scarce.
So yeah, I guess again, cloud and secure by default are great opportunities, because you don't have to deal with each deployment individually. You just consume it as a service managed by a relatively small group of experts somewhere.
And of course, if it's properly certified, if it's properly covered by validation and third-party assessments, you are more or less fine. And of course there are some promising future developments in this regard, this whole idea of AI and machine learning taking over the job of a security analyst. We are still far from being there, but the industry has already made great strides. So we already have really interesting examples of nearly autonomous AI-powered security solutions in specific areas like network security or database protection, for example.
And we are looking forward to seeing more of that in cloud security and hopefully in other areas of cybersecurity as well. Okay. What we are doing in advisory often is what we call portfolio management or portfolio analysis, to understand which types of products our end-user customers or enterprise organizations have in place. And when we look at cybersecurity, we often identify that there are overlaps and more than one solution to actually solve the same problem.
But what you mentioned then is that we should think of a bigger picture, not only of the products, the tools, but also of the availability of expertise and the availability of operations, in a way that this all works together, and that we should include that as well. Absolutely.
So, yes, first of all, I would really urge anyone to stop thinking about products and start thinking about risks and mitigation controls for those risks. So as soon as you understand which risks are the most relevant and most important, the riskiest, if you will, for your specific environment, for your specific organization, you can start focusing on the capabilities you need to address those risks. And as soon as you identify the necessary capabilities, you can start the process of minimizing overlaps. You only get those capabilities once and not thrice from different vendors, for example.
And of course, ensure that you do not have uncovered areas, blind spots, because many companies, and I know it from our own experience, tend to believe that what they did for the risk assessment and cybersecurity infrastructure 10 years ago is still relevant. It's not; there are so many new risks and so many new blind spots.
So yeah, it's definitely the time now to re-evaluate those areas and re-evaluate your cybersecurity portfolio. So that would also be some kind of continuous improvement, really trying to be mature, moving along with changing technologies, to be on par with the changing environments that you deal with.
Again, that's the ideal, but probably very few companies are already there. The others should just strive to start their journey now, taking the first small steps, right?
So keeping up with the development is one aspect. The other, and you've mentioned it quickly, is having security provided as a service by a cloud service provider, by a managed service provider. I think that is an interesting topic that we should cover in a separate episode.
But if the audience is interested in learning more about these more modern, more adequate offerings when it comes to providing security, is there something that we can already provide as input to them, or is that information available at KuppingerCole? Oh, first of all, of course we are continuously covering the latest developments and most interesting products and services in that regard. And you will find a lot on our KC+ platform where we publish our findings. Of course, you mentioned the advisory; that's what we do.
We help companies not just to answer their cybersecurity questions, but to identify their questions first, because as long as they do not know what they don't have, they cannot ask the right questions. And when we start with this guidance, they might realize, wow, we're actually far more behind than we thought, but that's good, because this is the first step towards doing cybersecurity properly and not the cargo cult. Yes. And that was a perfect final word for this episode.
So really understanding where you actually are, making an assessment of where the risks are: are you really up to date with what's going on outside and what the bad guys are already doing? I think that is a good closing for this episode. And I think we should follow up on that when it comes to more modern platforms for providing security as one building block of your overall cybersecurity strategy.
So again, thank you very much, Alexei, for being part of this podcast. Okay.
Well, thanks, Matthias, for having me again, and I'm looking forward to talking to you about all this interesting stuff in the future.
I'm looking forward to that as well. Thank you very much. And bye-bye.