Monitoring, measuring and secure design patterns the future of cybersecurity

02 Nov 16

A rebirth in the monitoring and measuring of security threats isn’t enough to guarantee companies are secure, according to one security expert, who says that’s leading to a new movement in secure design patterns.

Ron Gula, Tenable Network Security co-founder and chairman of the board, says there has been a ‘rebirth’ in monitoring and detection of bad guys, leveraging new technology, and of measuring risk via frameworks such as the NIST Cybersecurity Framework, or even things like PCI.

“There are a lot more organisations and boards who want to know if they’re secure and if they have a gap, where it is and how they compare against their peers,” Gula says.

“I’m really happy with those two things,” the 20-year information security veteran says.

However, he adds: “You can do all that, but you will never be guaranteed that you’re secure.

“So there is a new movement in secure design patterns that leverage things like outsourcing, applications to the cloud, rewriting applications with containers and microservices, and repeatable use.”

Gula says risk frameworks should be used as a ruler, or lens, for organisations to evaluate their own internal defences and risks in a way that is vendor neutral and allows them to compare their controls against others in their industry.

He used the example of two security officers golfing.

“One is an IBM shop, one is a Symantec shop, one uses Microsoft laptops, one uses Apple laptops. They can’t speak the same language if they talk about the security controls for the vendors they bought, but if they speak in terms of the ASD or the NIST Cybersecurity Framework or even the ISO framework there is a lot of commonality and they can talk about the benefits there.”

Gula says the frameworks will also be critical for cyber-insurance.

“You can’t figure out if one company or organisation is more secure, or a bigger cyber-risk than another one with vendor-specific ways of measuring it, there are too many vagaries.

“But doing it under the lens of the new cybersecurity framework or the ASD can give cyber insurance people a lot more opportunity to make a better judgment call on whether cyber insurance is a good deal or not.”

Gula says the frameworks also enable companies to quickly scope out where quick wins can be achieved.

“Whether you start with ASD or the NIST Cybersecurity Framework, every one of these controls in the framework is going to have a quick win and a long-term value.

“Once you do your assessment under that same sort of lens, looking at where your gaps are, as a business, your board, your executives, can make a decision about what is best for your organisation.

“And it shouldn’t be an overnight thing. It should be as they think about IT in general, what kind of services are they buying, what kind of commercial solutions, or open source solutions they need to have to monitor and enforce those kinds of policies.”

Channel side

Unsurprisingly, Gula says the role of the reseller is ‘really changing’ with resellers no longer just fulfilment agents, but also key advisors.

“The reseller is really an advisor, especially for small market.

“If you’re not Fortune 200, you’re probably working with resellers as your trusted advisor. And you have a limited amount of cyber people inside an organisation. You have a limited number of vendors they can use. And when you do buy a vendor, whether Tenable or whoever, chances are you don’t use 100% of the features.

“A reseller can help a customer design, deploy and do health checks and make sure the latest features are being used.”
