Once or twice a year I sit down with one of Cegeka’s topical experts. During the summer, I had the chance to meet Fabrice Wynants, Cegeka’s Global Director of Cybersecurity. Here are some of the topics we discussed:
- the impact of COVID-19 on the security landscape;
- how Belgian companies are doing in terms of “cyber hygiene” (spoiler alert: not so well);
- what all this means for current and future CISOs;
- what low-hanging fruit companies still tend to overlook;
- the biggest challenge for a successful security set-up;
- and the secret of a functional response roadmap.
In all, quite a few topics! So let’s roll.
Fabrice, when we spoke last year, you had just joined the company and the COVID crisis erupted shortly afterwards. What has changed in the last year and a half?
Fabrice Wynants: “A lot of things – but if I had to pick one, it would be the huge increase in projects around Endpoint Detection & Response (EDR). The number of poorly secured endpoints has increased dramatically due to the growing number of remote workers. In most cases, working remotely means logging in through potentially insecure home connections to all kinds of systems and applications, both on the corporate network and directly to applications in the cloud.”
“Making these endpoints as secure as possible, in an affordable and easily scalable manner, is the main priority now. And that makes sense, because flexible, hybrid working is here to stay. You cannot boil the ocean, I always say. But EDR is the logical and practical first step when you want to start tackling endpoint security. At Cegeka we also offer Managed Detection & Response (MDR), where all the steps – from monitoring to response – are carried out by our Security Operations Centre. There is high demand for this, too, as EDR tools are usually quite complex. That means you really need experts to get the best out of them.”
“Cyber hygiene” is a term that denotes cybersecurity best practice – so does this mean that companies generally have good cyber hygiene now?
Wynants: “I wish I could say yes, but it's not what we are seeing in the field. Why is that? Security operations are going through a maturation process, moving away from the purely technical narrative. Security has long focused on implementing point solutions to address specific problems. This has resulted in a system with too many point solutions that interact with each other, are not used to their full potential and give rise to a complex and expensive environment that is hard to manage.”
“Rationalising that security landscape is an important task for CISOs. In a recent report, Gartner even identified vendor consolidation as one of the big trends for 2021. That means replacing various tools with a single tool – such as EDR – but also identifying which functionalities in existing tools are underused. The challenge here is that consolidation projects are often complex and can take a long time. This too is an area where Cegeka can help to speed things up.”
What impact does this have on the CISO? Because they have to speak the language of the business, right?
Wynants: “Absolutely. Gartner also mentioned this as a trend for 2021: more cyber-savvy boards. And that means more business-savvy CISOs. Nowadays, cybersecurity is important at all levels; it really permeates throughout the entire organization, both in terms of infrastructure and applications. CISOs must be able to pinpoint exactly where the organization's most important assets are located and what the impact of an incident or breach would be at different levels: operational, financial, regulatory and reputational. That's what the board is interested in, not the tooling or technology.”
What are the most common mistakes organizations are making today? Is there any low-hanging fruit that they are missing? Or pitfalls that they should avoid?
Wynants: “As I mentioned earlier, it is important for companies to pay sufficient attention to their cyber hygiene, which is not always the case right now. Patching, vulnerability management, multi-factor authentication... you'd be surprised how many companies are still lagging behind in these fields. And to return to the topic of EDR: to pay sufficient attention to the “R” in that story, i.e. the response part. Companies typically focus on early detection of potential incidents or breaches. But you also have to set the right response parameters, and people sometimes seem to forget that. It's like installing a fancy surveillance system with infrared cameras everywhere, but without functionality to alert the police.”
“One area of concern is the increase in public cloud-based workloads, with organizations often making the mistake of not giving security enough thought. They do implement traditional infrastructure-based security measures, but they are nowhere near enough. With hybrid and multi-cloud environments – something we’re very familiar with at Cegeka – it is crucial to add the integrated security capabilities of the cloud environment itself. Azure Cloud, for example, has very specific security features which offer a higher level of integrated security.”
What do you think is the biggest focus in cybersecurity right now?
Wynants: “The growing lack of skills. This has an impact on both companies and their suppliers. On the one hand, there is a need for people with business-savvy security skills – which often means senior profiles – in other words, a limited group. On the other hand, you can also ask yourself if your technical staff still have the right technical skills. So it's a race on two fronts: firstly to find and retain talent, and secondly to ensure that people are kept up to speed through continuous learning.”
“At Cegeka, we tackle this challenge in different ways – for example, through highly targeted recruitment and intensive learning paths for everyone, from young graduates to senior managers. Another solution is to use security automation, especially for relatively standard and/or repetitive tasks that are time-consuming. Many of the actions in the context of Detection & Response can be automated, which gives your people the flexibility to focus on the more sophisticated analyses.”
Is cybercrime inevitable? Will everyone have to deal with it sooner or later? And what can companies do to minimise the risks?
Wynants: “It's not inevitable, but it's becoming a bit of an unfair battle. Cybercrime is big business: it's professionally managed, with different teams for different steps – even a help desk – and big budgets. They usually only need a small gap to enter a system and do damage. Companies are not always prepared for this, and even large corporations that throw a lot of money at security are not invincible.”
“My advice is always this: focus on the stuff that matters. Or to come back to what I said at the start of this conversation, you can't boil the ocean. In other words, it is crucial that you know exactly what your critical processes and assets are and that you use a well-organized Detection & Response programme, whether or not managed by an external SOC. With that and a decent cyber-hygiene set-up, you are well on your way.”
“And last but not least: simulate, simulate, simulate! From targeted phishing simulations for your internal staff to fully developed exercises that thoroughly test your response roadmap. Then everyone knows what to do, what actions to take, who to call, how and when to communicate and what steps to take in case of recovery: it really makes all the difference.”
Finally, what is the secret of a successful response roadmap?
Wynants: “The difference between IT operations and security operations – if any difference still exists – is getting smaller and a good response plan hinges on how quickly you can act on the spot and implement the right expertise across a wide playing field, both in terms of applications and infrastructure and in a hybrid or multi-cloud environment. Security and IT have to cooperate at lightning speed and with absolute precision whenever a response is needed.”