
The Seven Cybersecurity Misconceptions Every CIO Should Dispel

By Devan Parinpanayagam, Country Manager, VMware Malaysia

Breaches are rising, and so is their cost. As Southeast Asia’s digital economy grows, the number of attacks and the cost of a data breach are rising with it: according to the Ponemon Institute, the financial impact of a breach in the region reached US$2.62 million in 2019, up from US$2.53 million in 2018[1].

The growing threat of cyberattacks is hindering the pace of digital transformation in the region, with as many as three in five businesses in Asia Pacific putting off digitalization plans out of fear of being targeted by cybercriminals. According to the Deloitte Cyber Smart: Enabling APAC businesses report[2], this could result in a potential loss of US$145bn in GDP growth in Asia Pacific over the next decade.

Despite increasing investment in security solutions, bad actors have the resources and the time to poke holes in any enterprise security strategy at any given moment. Furthermore, most approaches to cybersecurity today are still too reactive and too focused on chasing threats. For these reasons, it is critical for organizations to rethink security architecture across core infrastructure, applications, users and operations.

For starters, organizations need to debunk common security misconceptions that prevent enterprise-wide integration of cybersecurity into core business strategies. Below are seven misconceptions that every CIO needs to take note of.

Misconception #1 – A deep understanding of attack trends helps us protect more effectively 

Traditional approaches to security are largely reactive: they emphasize processes and techniques for understanding attackers, preventing common attack types, and mitigating damage after the fact. This reactive mode is outdated, if it ever worked at all.

Instead of trying to understand an attacker’s intent, organizations should proactively examine their own environment and identify the applications and data that need the most protection. Understand those workloads and focus on each application’s intent: what it is supposed to do, which processes it runs, and what it talks to. Then define a baseline of known-good behavior for those workloads, and monitor and enforce that baseline rather than trying to enumerate and block “bad” behavior. A deviation from the baseline is flagged whether or not the attacker’s technique has been seen before.
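The following is an added illustration of that known-good approach; it is not code from the original article or from VMware. The baseline format, the event fields and the sample events are all constructed. Each workload is given an allow-list of the binaries it may run and the destinations each binary may reach; anything outside the list is reported as a deviation without any knowledge of what the attacker intended.

```python
"""Enforce a known-good behaviour baseline for an application workload.

Added example, not from the original article. The baseline, the event
fields and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed baseline: per workload, which binaries may run and which
# destination network / port each binary may reach. Anything not listed
# is a deviation, whatever the attacker's intent.
BASELINE = {
    "payments-api": {
        "allowed_processes": {"/usr/bin/java", "/usr/bin/envoy"},
        "allowed_egress": {
            "/usr/bin/java": {("10.20.0.0/16", 5432), ("10.30.1.10/32", 443)},
            "/usr/bin/envoy": {("10.0.0.0/8", 443)},
        },
    },
}


@dataclass(frozen=True)
class Event:
    """One observed process start or outbound connection (constructed shape)."""
    workload: str
    process: str
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None


def evaluate(event: Event, baseline=BASELINE) -> List[str]:
    """Return the baseline violations for one event (empty list = conforms)."""
    policy = baseline.get(event.workload)
    if policy is None:
        return [f"unknown workload {event.workload!r}"]
    violations = []
    if event.process not in policy["allowed_processes"]:
        violations.append(f"process {event.process} not in allow-list")
    if event.dest_ip is not None:
        allowed = policy["allowed_egress"].get(event.process, set())
        addr = ip_address(event.dest_ip)
        if not any(addr in ip_network(net) and event.dest_port == port
                   for net, port in allowed):
            violations.append(
                f"egress {event.dest_ip}:{event.dest_port} from "
                f"{event.process} not in allow-list")
    return violations


def audit(events: List[Event], baseline=BASELINE) -> Dict[int, List[str]]:
    """Map event index -> violations, keeping only events that deviate."""
    result = {}
    for i, e in enumerate(events):
        v = evaluate(e, baseline)
        if v:
            result[i] = v
    return result


# Constructed sample events.
SAMPLE_EVENTS = [
    Event("payments-api", "/usr/bin/java", "10.20.5.7", 5432),   # expected DB traffic
    Event("payments-api", "/usr/bin/java", "203.0.113.9", 443),  # unexpected external egress
    Event("payments-api", "/bin/sh"),                            # unexpected process
    Event("payments-api", "/usr/bin/envoy", "10.0.4.2", 8443),   # allowed host, wrong port
]

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], problems)
```

Note that the second event is caught purely because the destination is not in the baseline; no indicator of compromise, threat feed or knowledge of the campaign is needed.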

Misconception #2 – Security is primarily the responsibility of the security team

As data, systems, and applications touch every corner of the business, security should be an enterprise effort led by a spectrum of teams and functions across infrastructure, architecture, network, application, security, and lines of business.

Already, leading organizations are leveraging DevSecOps models to foster collaboration across development, operations, and security teams in application rollouts. A recent Forbes Insights security survey underscores the importance of collaboration across all IT functions. Unsurprisingly, cybersecurity trailblazers blow laggards out of the water when it comes to levels of collaboration within the organization (Figure 1).

Figure 1: Organizational collaboration in addressing security concerns

Once cybersecurity becomes a collaborative organizational priority, the dedicated security team can concentrate on tasks of higher value, such as testing new security innovations or working with the legal team to interpret and adhere to ever-changing regulatory and privacy laws.

Misconception #3 – Security teams are best placed to decide which digital assets to protect

Security teams, despite their technical expertise, need help understanding which digital assets are most critical across various parts of the business. Otherwise, they will attempt to protect everything equally—a costly and eventually fruitless exercise.

A Zero Trust policy helps here: the team operates on the principle of trusting nothing by default and verifying every request to access systems, whether it originates inside or outside the network perimeter. In an environment of distributed apps, users, devices, and networks, applying Zero Trust enterprise-wide to application behavior, devices, and access will be critical.

Misconception #4 – Boards will not approve the necessary budget for security

Boards will respond positively to requests for security funds—but CIOs must frame such requests as risk-management exercises that directly impact the business, rather than additional technology investments. Boards are used to managing a myriad of risks—geopolitical, financial, and market risk. Adding cybersecurity to that list is a logical step.

While there is no silver bullet for cybersecurity, it is critical to explain to the board why the organization must keep investing in this area. A recent VMware report found that the Asia Pacific region could add US$145 billion to GDP over the next 10 years if enterprises adopted an intrinsic security approach that ensures business continuity while driving greater adoption of new technologies[4].

Misconception #5 – Organizations can best secure themselves by protecting infrastructure and the perimeter

Current approaches to protecting data and apps focus on protecting the actual IT infrastructure. However, with the advent of technologies—including cloud, distributed modern applications, and microservices architectures—app components can be scattered across multiple machines. By focusing on protecting infrastructure rather than the apps or data themselves, CIOs are operating with a disconnected—and flawed—security model. As such, it is imperative for CIOs to move to an application-focused security model.
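To make the contrast in misconceptions #3 and #5 concrete, here is an added example (not code from the article or from VMware) that evaluates the same access request under a perimeter model and under a Zero Trust model. The token format (an HMAC-signed JSON blob standing in for an identity-provider-issued token), the device inventory, the per-application policy and the sample requests are all constructed.

```python
"""Perimeter trust versus Zero Trust for a single access request.

Added example, not part of the original article. The token format (an
HMAC-signed JSON blob standing in for an IdP-issued token), the device
inventory, the application policy and the sample requests are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from ipaddress import ip_address, ip_network
from typing import Optional

CORP_NET = ip_network("10.0.0.0/8")                    # "inside the perimeter"
SIGNING_KEY = b"demo-signing-key-not-for-production"   # stand-in for the IdP key

# Constructed device inventory: device id -> passed posture checks?
HEALTHY_DEVICES = {"laptop-4471": True, "laptop-9002": False}

# Constructed per-application policy: roles that may access the app and
# whether a multi-factor-verified identity is required.
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "mfa": True},
    "wiki": {"roles": {"finance", "eng"}, "mfa": False},
}


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue an HMAC-SHA256 signed token (the identity provider's job)."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):     # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def perimeter_decision(src_ip: str) -> bool:
    """Legacy model: anything coming from the corporate network is trusted."""
    return ip_address(src_ip) in CORP_NET


def zero_trust_decision(src_ip: str, token: Optional[str], app: str,
                        device: str, now: Optional[float] = None) -> bool:
    """Verify identity, device posture and application policy on every
    request. src_ip is accepted only to mirror the perimeter model's
    signature; it is deliberately not consulted."""
    policy = APP_POLICY.get(app)
    if policy is None or token is None:
        return False
    claims = verify_token(token, now=now)
    if claims is None:                              # forged, tampered or expired
        return False
    if not HEALTHY_DEVICES.get(device, False):      # unknown or unhealthy device
        return False
    if policy["mfa"] and not claims.get("mfa", False):
        return False                                # this app requires step-up
    return bool(policy["roles"] & set(claims.get("roles", [])))


# Constructed sample credentials, pinned to a fixed clock for repeatability.
NOW = 1_700_000_000.0
GOOD = mint_token({"sub": "alice", "roles": ["finance"], "mfa": True, "exp": NOW + 600})
NO_MFA = mint_token({"sub": "alice", "roles": ["finance"], "mfa": False, "exp": NOW + 600})

if __name__ == "__main__":
    # Inside the perimeter with no credentials: perimeter allows, Zero Trust denies.
    print(perimeter_decision("10.1.2.3"),
          zero_trust_decision("10.1.2.3", None, "payroll", "laptop-4471", now=NOW))
    # Remote, verified identity with MFA on a healthy device: Zero Trust allows.
    print(perimeter_decision("198.51.100.4"),
          zero_trust_decision("198.51.100.4", GOOD, "payroll", "laptop-4471", now=NOW))
```

The point of the comparison is the first case: a request from a compromised machine on the internal network passes the perimeter check with no credentials at all, while the Zero Trust path denies it because there is no verified identity, and would still deny it if the identity were valid but the device had failed posture checks or the application required a factor the session lacks.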

Misconception #6 – Users are the biggest security problem

While sufficient, and frequent, training remains important and necessary, attackers today are far more sophisticated. The reality is that users have been infected by merely hovering over, not clicking, a link. Attackers who compromise a mail server or mailbox can reply within existing email threads, so the malicious attachment arrives from someone the user knows and trusts.

Despite the evolving threat landscape, many organizations still over-provision access rights to apps and data and lack safeguards that monitor administrative access. Strong authentication and identity management should therefore be mandated: identity should be verified using multiple factors, and the strength of authentication should be commensurate with the risk of the access or function being requested in each application.
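The two gaps named above, over-provisioned rights and unmonitored administrative access, are both visible in access logs. The following is an added example (not from the article or from VMware) that compares a grant table against observed use and flags privileged actions performed without a multi-factor-verified session. The grant table, the permission names and the key=value log lines are constructed.

```python
"""Least-privilege audit: compare granted access rights with observed use,
and flag privileged actions performed without multi-factor authentication.

Added example, not part of the original article. The grant table, the
permission names and the log lines are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]  # (application, permission)

# Constructed grant table: principal -> rights provisioned to them.
GRANTS: Dict[str, Set[Grant]] = {
    "alice": {("payroll", "read"), ("payroll", "approve"), ("hr", "admin")},
    "bob": {("payroll", "read"), ("hr", "read"), ("hr", "admin")},
}

# Permissions treated as privileged (constructed naming).
ADMIN_PERMS = {"admin", "approve"}

# Constructed access-log lines.
LOG_LINES = """
2024-05-01T09:00:01Z user=alice app=payroll perm=read mfa=yes
2024-05-01T09:05:44Z user=alice app=payroll perm=approve mfa=yes
2024-05-01T10:12:09Z user=bob app=hr perm=read mfa=no
2024-05-01T11:30:00Z user=bob app=hr perm=admin mfa=no
2024-05-02T08:01:13Z user=alice app=payroll perm=read mfa=yes
2024-05-02T08:02:00Z user=carol app=payroll perm=read mfa=yes
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"perm=(?P<perm>\S+) mfa=(?P<mfa>yes|no)$")


def parse(lines: List[str]) -> List[dict]:
    """Parse well-formed lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def observed_use(events: List[dict]) -> Dict[str, Set[Grant]]:
    """principal -> set of (app, permission) actually exercised."""
    used: Dict[str, Set[Grant]] = defaultdict(set)
    for e in events:
        used[e["user"]].add((e["app"], e["perm"]))
    return used


def unused_grants(grants: Dict[str, Set[Grant]],
                  events: List[dict]) -> Dict[str, Set[Grant]]:
    """Rights provisioned but never exercised in the log window:
    candidates for revocation (over-provisioning)."""
    used = observed_use(events)
    return {u: g - used[u] for u, g in grants.items() if g - used[u]}


def use_without_grant(grants: Dict[str, Set[Grant]],
                      events: List[dict]) -> Dict[str, Set[Grant]]:
    """Rights exercised that no grant covers: an enforcement gap,
    which is worse than over-provisioning."""
    used = observed_use(events)
    return {u: used[u] - grants.get(u, set())
            for u in list(used) if used[u] - grants.get(u, set())}


def admin_without_mfa(events: List[dict],
                      admin_perms: Set[str] = ADMIN_PERMS) -> List[dict]:
    """Privileged actions performed in a session that was not multi-factor verified."""
    return [e for e in events if e["perm"] in admin_perms and e["mfa"] == "no"]


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("unused grants:", unused_grants(GRANTS, evs))
    print("use without grant:", use_without_grant(GRANTS, evs))
    print("admin without MFA:", admin_without_mfa(evs))
```

In the constructed data, alice holds an unused hr/admin right, bob performed an admin action over a single-factor session, and carol exercised a right nobody granted her, which is the finding that should be investigated first.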

Misconception #7 – Security by necessity impedes business agility

While most businesses have moved on to Agile software development methodologies, the speed of security review for apps has not increased.

A huge opportunity to jumpstart innovation exists here. With today’s automation tools, DevOps teams can hand app updates to the security team in real time; the security team performs its review and pushes the app to production. Organizations become more agile with robust, intrinsic security because security gets simpler, faster and more effective when framed around applications and data rather than infrastructure. This does, however, require a shift in how organizations think.

Debunking these misconceptions is a good first step for organizations, but it is only a first step. Security is a never-ending journey and requires long-term commitment.

Enforcing security via application behavior is a radical new approach to security, but it is also complementary to the frameworks that exist today. Intrinsic security does not mean abandoning your investment in existing perimeter and endpoint security solutions. It is an additive step that makes an organization’s security posture considerably more robust.