Analyst Chat
Analyst Chat #63: The Need For New Drivers to Improve Cybersecurity
The press, security vendors, politicians and analysts alike currently often focus only on the recent SolarWinds security incident and its exceptional features and effects While this is in fact an extremely important topic to learn from and to clean up, the shadow of this hype causes that at the same time it is often neglected that even very basic cybersecurity aspects are poorly addressed in many organizations. Alexei and Matthias look beyond the hype and discuss the need for new initiatives to achieve an actual adoption of proper measures to improve basic cybersecurity hygiene in essentially all organizations.
Welcome. So the KuppingerCole analyst chat, I'm your host. My name is Matthias. I'm not, I'm an analyst and advisor at KuppingerCole analysts. My guest today is Alexei Balaganski, lead analyst with KuppingerCole focused on cybersecurity and all the topics around that. Hi Alex. A great to have you again.
Hello, Matthias. Thanks for having me again.
Great to have you. And it's really important that we continue our conversation that we started two weeks ago, where we talked about awareness regarding risk and risk in cyber security architectures. We talked about cyber supply chain, risk management, and about a secure software development. And we ended up with talking about the proper tools and having them in place and what you've mentioned as a final thought, actually using them according to proper strategies. I want to start with that again. Um, what is your approach towards having proper policies in place and implementing that?
Well, first of all, just let me quickly remind to our listeners that you were talking about that our dreaded solarwinds scandal, Richard, by now, I would say two months in the past, if not longer, and it's probably still or been pretty hotly discussed, uh, among, uh, cybersecurity specialists and forensic analysts, and they are still uncovering new details, uh, which is of course for us is extremely important and interesting, but our, we ended up last time or on a slightly negative note kind of mute and about that's always while still exciting to us as experts. It's probably not that relevant anymore for the general public. The general public is usually not looking for technical details. They look for solutions to the burning problems, right? Those companies, which actually understand that their problems are infect risks and has to have to be treated as such are not the majority.
The majority of those companies usually are just looking for simple answers and at best they are already armed with the cybersecurity hammer. And they're looking for nails, right? If you mentioned in the last discussion though, that the term of the cargo cult of cybersecurity you've discussed it earlier, but it's even that thing. When our companies basically buy their security tools, put them on the shelf and believe that they are safe from threats and the risks have been mitigated well, that's kind of cult of cybersecurity. The problem is that what we observe now is even the worst scenario of lack of basic understanding of even the lowest and primitive cybersecurity hygiene rules. And the reason I decided to talk about it today in that, uh, interesting story published in the beginning of January about ticket master. I'm not sure if you remember, it's a really old story in a few words suggested that few years ago in like 2013 or 14, a person came to ticket master from a competitor company.
And that person brought with them a massive database of stolen user accounts and passwords. And for years, Ticketmaster employees used to go to the information systems of that competitor and named company in the same business. And they basically stole the customer data, observed the business strategies, had all the numbers. And apparently according to some publications by Scalia discussing in business meetings, how they better use this information to drive their competitors from the market. And when I read about it, I understood. Yeah, it's an old story. It's by far overshadowed by solar winds and other crazy sophisticated, interesting things happening at the same time, but it actually indicates the overall state of it security in the world, much better than salaries. What should
Organizations then take away from this old incident in comparison to what's going on and what is a pattern that remains the same? Where have things really not changed? Well, I
Believe it's not the, the end users sort of innovations that have to think about it really hard. It's us and by us, I mean, analysts, uh, the technical press, uh, the vendors, the cybersecurity experts, basically those people who are driving the industry nowadays, the problem is that our industry is driven by hype and buzzwords again, or for two months, people have been talking about the Solomon scandal, which is pretty sophisticated and it's really interesting and hot and has political implications and, and all that stuff. But it does not absolutely represent the typical tailor job of a security analyst, right? Things like solvents happen once in a few years, things like Ticketmaster happen daily. So maybe just maybe we year analysts have to leave our ivory towers for a day and go talk to the, those poor small businesses, which have no proper trained it teams and security specialists and understand their daily needs. And maybe just maybe a little bit focused on those. Instead, things
Have changed also in the area of the actual companies providing it services. If we think back say 15 years or so then the organizations that were doing it and maybe even customer facing it, or at least it, that was under massive threats, right? Because being exposed to public networks, et cetera, these were organizations that were, as you described, they had most, probably a proper it security team that at least partially was in the situation to deal with these threats today. Many organizations are startups are organizations that are in this ubiquitous, digital transformation process. They have never been facing these risks before. They most probably don't even know of all of them or many of them. And they are actually in the situation that they have are facing new challenges. What can then the industry, the analyst, uh, the consulting companies, the system integrators actually do for them, should they provide more best practices? Should they take the security in their hand as being some kind of cybersecurity managed service providers? What are the ways to move forward rather than just throwing a box with a security software over the fence and let, letting them deal with it no matter if they are able to do so or not?
Well, if there is one thing that the solar bins incident has taught after that, even the greatest and biggest experts in cybersecurity can fail. I mean, solar winds itself is a major software development company and other victims. Some of the scandal included like FireEye and Microsoft like major security vendors themselves, right? Unfortunately we, as an industry, tend to focus on those exciting high-profile cases in state. I believe we have to focus more on the, on the long tail, if you will, and forgive me for crude analogy, but it really reminds me of this whole idea of throat immunity and vaccines for COVID, which are still on the way. But the problem with that, if you only fix individual problems like solar beans or FireEye or Microsoft being hacked, you are not increasing the overall level of security of the society as a whole, right? You have to start much, much lower with the lowest common denominator, because I mean all that are there without fixing those smaller companies, which are still living in the stone age of cybersecurity, a funeral, you are not raising that level of herd immunity nearly enough. And only when you raise that level, you can actually start thinking about preventing botnets from spreading or ransomware from those are exactly the types of malware, which depends on having a huge substrate for spreading. So yeah, absolutely. We as an industry have to completely cut the free focus, our development and marketing the framing the way or the strategies. The question is like, what should be the proper driver behind it because there is no money in it at the moment. So the question is, should it be the government?
Yeah, I think government is an important starting point because when I think back to my early days here at KuppingerCole one important message that we were trying to convey and to spread and to raise awareness was the topic of the GDPR being and just at the horizon at, at that moment. And we really wanted to make sure that organizations understand that UTS and also the benefits that they gained from being compliant with this really, really harsh regulation, which, which made many organizations invest heavily into something that would otherwise not have done. That is the protection of, of PII, of personally identifiable information or personal data. Uh, that was really something that, that could only be forced from the outside and each and every one of us. You and I ask customers as employees, as citizens are now really benefiting from a higher level of privacy, of security, of governance, of our personal data. I think that should be at least an example to look at when it comes to protecting any other kinds of data and having the right measures in place. It's
Almost, you're absolutely right comparing to GDPR because it really, it took the company synchronization in the world. What this year in the European union, the tangible risk of losing 20 million euros as a GDPR fine, they're sort of, kind of sit up and start taking all this that they actually have to invest into this very specific area of protecting what a specific subset of their business information. The question is, what threat, what risk does a government should, uh, hail upon an organization for them to start investing in basic cybersecurity hygiene? Right? So
If we look at the areas of vendors, I mentioned that earlier in that episode, do you think that this is also something that could be a business model so that external vendors, integrators managed service providers, um, do that on behalf of their customers, which is then the end user corporation providing services towards that their own customers. Is this something that can be made much easier for the organization in general when your provider, your vendor does that for you, at least on behalf of partially and the missing link then is raising awareness, having training and teaching by best practices. Would that be something where there's money? Yeah,
This absolutely has to be led by the business because we aren't even in a capitalist society, unless there is money in Thompson or nobody will move their finger. Right. And, or we have some pretty successful examples of whole industries created by combining this kind of punishment and reward, but it has to be a combined effort from the governments on one hand kind of issue in the regulations from the businesses on the other hand, promoting their solutions. And of course us and the price for the independent source of information and again, awareness and guidance, all it has to be a combined effort. And then again, the problem with that, well, going back to this whole Ticketmaster incident, that company, which is of course a name, it is obviously a massive cybersecurity problems. I mean, if an employee which has left the company was able to use their old credentials about password for years and noticed which mean that they had absolutely no identity management processes in place.
So that's when she left his account was not disabled. They had absolutely no interest monitoring in place. So his continued logins were not monitored detected. And of course they had probably absolutely no tools or process in place to watch the market and look for threat intelligence indicating that someone, that data has been leaked and all those tools they have existed for decades. I mean, we have very successful standard-based solutions for multifactor security, Fido Alliance, for example, over a broad range of solutions and hardware tools and software and guidance to implement it. The question is like, why hasn't that company adopted those solutions? What had to be that final push for them to even realize that those solutions already exist? Exactly
Not usually when we close down our episodes, we give some recommendations on some good reading that we provide. I think this time we should do it somewhat differently. We should end up this, this episode with this food for thought that you have given us on the one hand for the individual organization, rethinking their own risk management approach, their own security architecture, their own way of judging the business in comparison to two threats. And on the other hand, um, food for thought for the, for the cybersecurity industry, for us as analysts for the, as I said, system integrators, consultants, managed service providers to use this real opportunity to increase and to improve the security posture for many organizations by building security into the services. Ideally by making sure that the security by design that you mentioned, um, is really also built into their services. As many organizations are more and more providing services from the cloud as a service prebuilt and pre secured, and maybe, um, that is creating some business opportunity on the one hand and increasing the cybersecurity posture for all organizations. And by that benefiting all of us as end users and as customers and as citizens. So this food for thought is maybe something that I take with me for today, because I think there's money in that. And there's really opportunity in that. Do you agree? Yeah,
That's, that's exactly the biggest problem. There is opportunity of there is money. There is potential for some really interesting or government led or developments, which would, I would even argue be mutually beneficial for both the public and politicians themselves, and yet nothing is happening because those drivers and opportunities are siloed. They're not connected to each other. People just are unaware that they can successfully collaborate on this. And I'm not even sure where to start, but someone or something has to give this initial push for all these parties to finally start noticing each other and talking and collaborating who would be the final push, no idea. I would really love to know that, but any
One of us can start with their own initiative. And I think that's a great point in that episode to close down and to leave the audience with these, um, for me, very challenging, um, thoughts, thank you, Alex, for being my guest today and for elaborating on these topics even more, and we will continue that discussion because there's more to come. Um, we have lots to follow up, um, in the aftermath of the solar winds incident and, um, in preparation for most probably, and hopefully more secure and safe 2021. Thanks again, Alex. Say bye-bye bye-bye,.
Hello, Matthias. Thanks for having me again.
Great to have you. And it's really important that we continue our conversation that we started two weeks ago, where we talked about awareness regarding risk and risk in cyber security architectures. We talked about cyber supply chain, risk management, and about a secure software development. And we ended up with talking about the proper tools and having them in place and what you've mentioned as a final thought, actually using them according to proper strategies. I want to start with that again. Um, what is your approach towards having proper policies in place and implementing that?
Well, first of all, just let me quickly remind to our listeners that you were talking about that our dreaded solarwinds scandal, Richard, by now, I would say two months in the past, if not longer, and it's probably still or been pretty hotly discussed, uh, among, uh, cybersecurity specialists and forensic analysts, and they are still uncovering new details, uh, which is of course for us is extremely important and interesting, but our, we ended up last time or on a slightly negative note kind of mute and about that's always while still exciting to us as experts. It's probably not that relevant anymore for the general public. The general public is usually not looking for technical details. They look for solutions to the burning problems, right? Those companies, which actually understand that their problems are infect risks and has to have to be treated as such are not the majority.
The majority of those companies usually are just looking for simple answers and at best they are already armed with the cybersecurity hammer. And they're looking for nails, right? If you mentioned in the last discussion though, that the term of the cargo cult of cybersecurity you've discussed it earlier, but it's even that thing. When our companies basically buy their security tools, put them on the shelf and believe that they are safe from threats and the risks have been mitigated well, that's kind of cult of cybersecurity. The problem is that what we observe now is even the worst scenario of lack of basic understanding of even the lowest and primitive cybersecurity hygiene rules. And the reason I decided to talk about it today in that, uh, interesting story published in the beginning of January about ticket master. I'm not sure if you remember, it's a really old story in a few words suggested that few years ago in like 2013 or 14, a person came to ticket master from a competitor company.
And that person brought with them a massive database of stolen user accounts and passwords. And for years, Ticketmaster employees used to go to the information systems of that competitor and named company in the same business. And they basically stole the customer data, observed the business strategies, had all the numbers. And apparently according to some publications by Scalia discussing in business meetings, how they better use this information to drive their competitors from the market. And when I read about it, I understood. Yeah, it's an old story. It's by far overshadowed by solar winds and other crazy sophisticated, interesting things happening at the same time, but it actually indicates the overall state of it security in the world, much better than salaries. What should
Organizations then take away from this old incident in comparison to what's going on and what is a pattern that remains the same? Where have things really not changed? Well, I
Believe it's not the, the end users sort of innovations that have to think about it really hard. It's us and by us, I mean, analysts, uh, the technical press, uh, the vendors, the cybersecurity experts, basically those people who are driving the industry nowadays, the problem is that our industry is driven by hype and buzzwords again, or for two months, people have been talking about the Solomon scandal, which is pretty sophisticated and it's really interesting and hot and has political implications and, and all that stuff. But it does not absolutely represent the typical tailor job of a security analyst, right? Things like solvents happen once in a few years, things like Ticketmaster happen daily. So maybe just maybe we year analysts have to leave our ivory towers for a day and go talk to the, those poor small businesses, which have no proper trained it teams and security specialists and understand their daily needs. And maybe just maybe a little bit focused on those. Instead, things
Have changed also in the area of the actual companies providing it services. If we think back say 15 years or so then the organizations that were doing it and maybe even customer facing it, or at least it, that was under massive threats, right? Because being exposed to public networks, et cetera, these were organizations that were, as you described, they had most, probably a proper it security team that at least partially was in the situation to deal with these threats today. Many organizations are startups are organizations that are in this ubiquitous, digital transformation process. They have never been facing these risks before. They most probably don't even know of all of them or many of them. And they are actually in the situation that they have are facing new challenges. What can then the industry, the analyst, uh, the consulting companies, the system integrators actually do for them, should they provide more best practices? Should they take the security in their hand as being some kind of cybersecurity managed service providers? What are the ways to move forward rather than just throwing a box with a security software over the fence and let, letting them deal with it no matter if they are able to do so or not?
Well, if there is one thing that the solar bins incident has taught after that, even the greatest and biggest experts in cybersecurity can fail. I mean, solar winds itself is a major software development company and other victims. Some of the scandal included like FireEye and Microsoft like major security vendors themselves, right? Unfortunately we, as an industry, tend to focus on those exciting high-profile cases in state. I believe we have to focus more on the, on the long tail, if you will, and forgive me for crude analogy, but it really reminds me of this whole idea of throat immunity and vaccines for COVID, which are still on the way. But the problem with that, if you only fix individual problems like solar beans or FireEye or Microsoft being hacked, you are not increasing the overall level of security of the society as a whole, right? You have to start much, much lower with the lowest common denominator, because I mean all that are there without fixing those smaller companies, which are still living in the stone age of cybersecurity, a funeral, you are not raising that level of herd immunity nearly enough. And only when you raise that level, you can actually start thinking about preventing botnets from spreading or ransomware from those are exactly the types of malware, which depends on having a huge substrate for spreading. So yeah, absolutely. We as an industry have to completely cut the free focus, our development and marketing the framing the way or the strategies. The question is like, what should be the proper driver behind it because there is no money in it at the moment. So the question is, should it be the government?
Yeah, I think government is an important starting point because when I think back to my early days here at KuppingerCole one important message that we were trying to convey and to spread and to raise awareness was the topic of the GDPR being and just at the horizon at, at that moment. And we really wanted to make sure that organizations understand that UTS and also the benefits that they gained from being compliant with this really, really harsh regulation, which, which made many organizations invest heavily into something that would otherwise not have done. That is the protection of, of PII, of personally identifiable information or personal data. Uh, that was really something that, that could only be forced from the outside and each and every one of us. You and I ask customers as employees, as citizens are now really benefiting from a higher level of privacy, of security, of governance, of our personal data. I think that should be at least an example to look at when it comes to protecting any other kinds of data and having the right measures in place. It's
Almost, you're absolutely right comparing to GDPR because it really, it took the company synchronization in the world. What this year in the European union, the tangible risk of losing 20 million euros as a GDPR fine, they're sort of, kind of sit up and start taking all this that they actually have to invest into this very specific area of protecting what a specific subset of their business information. The question is, what threat, what risk does a government should, uh, hail upon an organization for them to start investing in basic cybersecurity hygiene? Right? So
If we look at the areas of vendors, I mentioned that earlier in that episode, do you think that this is also something that could be a business model so that external vendors, integrators managed service providers, um, do that on behalf of their customers, which is then the end user corporation providing services towards that their own customers. Is this something that can be made much easier for the organization in general when your provider, your vendor does that for you, at least on behalf of partially and the missing link then is raising awareness, having training and teaching by best practices. Would that be something where there's money? Yeah,
This absolutely has to be led by the business because we aren't even in a capitalist society, unless there is money in Thompson or nobody will move their finger. Right. And, or we have some pretty successful examples of whole industries created by combining this kind of punishment and reward, but it has to be a combined effort from the governments on one hand kind of issue in the regulations from the businesses on the other hand, promoting their solutions. And of course us and the price for the independent source of information and again, awareness and guidance, all it has to be a combined effort. And then again, the problem with that, well, going back to this whole Ticketmaster incident, that company, which is of course a name, it is obviously a massive cybersecurity problems. I mean, if an employee which has left the company was able to use their old credentials about password for years and noticed which mean that they had absolutely no identity management processes in place.
So that's when she left his account was not disabled. They had absolutely no interest monitoring in place. So his continued logins were not monitored detected. And of course they had probably absolutely no tools or process in place to watch the market and look for threat intelligence indicating that someone, that data has been leaked and all those tools they have existed for decades. I mean, we have very successful standard-based solutions for multifactor security, Fido Alliance, for example, over a broad range of solutions and hardware tools and software and guidance to implement it. The question is like, why hasn't that company adopted those solutions? What had to be that final push for them to even realize that those solutions already exist? Exactly
Not usually when we close down our episodes, we give some recommendations on some good reading that we provide. I think this time we should do it somewhat differently. We should end up this, this episode with this food for thought that you have given us on the one hand for the individual organization, rethinking their own risk management approach, their own security architecture, their own way of judging the business in comparison to two threats. And on the other hand, um, food for thought for the, for the cybersecurity industry, for us as analysts for the, as I said, system integrators, consultants, managed service providers to use this real opportunity to increase and to improve the security posture for many organizations by building security into the services. Ideally by making sure that the security by design that you mentioned, um, is really also built into their services. As many organizations are more and more providing services from the cloud as a service prebuilt and pre secured, and maybe, um, that is creating some business opportunity on the one hand and increasing the cybersecurity posture for all organizations. And by that benefiting all of us as end users and as customers and as citizens. So this food for thought is maybe something that I take with me for today, because I think there's money in that. And there's really opportunity in that. Do you agree? Yeah,
That's, that's exactly the biggest problem. There is opportunity of there is money. There is potential for some really interesting or government led or developments, which would, I would even argue be mutually beneficial for both the public and politicians themselves, and yet nothing is happening because those drivers and opportunities are siloed. They're not connected to each other. People just are unaware that they can successfully collaborate on this. And I'm not even sure where to start, but someone or something has to give this initial push for all these parties to finally start noticing each other and talking and collaborating who would be the final push, no idea. I would really love to know that, but any
One of us can start with their own initiative. And I think that's a great point in that episode to close down and to leave the audience with these, um, for me, very challenging, um, thoughts, thank you, Alex, for being my guest today and for elaborating on these topics even more, and we will continue that discussion because there's more to come. Um, we have lots to follow up, um, in the aftermath of the solar winds incident and, um, in preparation for most probably, and hopefully more secure and safe 2021. Thanks again, Alex. Say bye-bye bye-bye,
Video Links
Stay Connected
Related Videos
How can we help you