Executive Cybersecurity Awareness for 2022
- January 10, 2022
The cybersecurity world never stops evolving. Technology is central to any cybersecurity leader’s day-to-day, but in today’s environment, having the right personnel and culture in place is just as important as the right tech. We’re all familiar with the “people, process, and technology” mantra for a good reason: without any one of those three legs, the stool falls over.
I recently spoke with Hiroshi Honjo, Head of Cybersecurity and Governance, NTT DATA; Steve Williams, Enterprise CISO, NTT DATA Services; and Markus Künzler, CISO for NTT DATA EMEA, about issues on their radar in the coming year and beyond. Not surprisingly, people and processes hold their focus just as much as emerging technologies.
Top priorities for 2022
“Operationally, our biggest priority is the continued integration of our ecosystem into the Zero Trust ‘fabric’ we’ve been weaving,” says Williams. “The goal is to let machines handle machine-level decisions at speed while bubbling anomalies up to our (human) security teams for additional review and action when needed.”
“Our priorities this year are around continuing to do the foundational elements correctly and in line with current best practices,” says Künzler. “That means maintaining our CMDB (configuration management database) and ensuring that we have a comprehensive and real-time view of all of our assets. After all, you can’t manage or protect what you can’t see. Continuing to refine our approach to holistic risk management is key, as is continuing to develop our incident response and forensic capabilities. All of these are part of our overall priority of continuing to increase service resilience while maintaining compliance with the regulations we face globally.”
NTT DATA is looking beyond its business operations to its responsibility as a global security leader. “From a broader perspective, my top priority for 2022 is to continue to drive a cultural change around security,” says Williams. “Security isn’t something you do from 8 to 5 — it has to be a part of all aspects of your organization’s culture. Almost everything we touch or interact with is technology-driven these days. From self-checkouts at the grocery store to payment kiosks at the table of your favorite restaurant to the social media apps we find ourselves immersed in, security can’t just be a day job. And it can’t be limited to those of us who focus on security full-time.”
“We need to foster a culture of constant security awareness. We need to continue encouraging and enabling our employees to understand the risks they face at home and educate their children and their families. We need to remove the shame for not knowing or understanding something about cybersecurity or technology and help educate the general public in security hygiene. The more we as security experts spread that knowledge outside of our circles, the better off we’ll all be.”
“NTT DATA is known as a trusted global innovator,” says Honjo-san. “And trust is at the center of everything we do. Perhaps it is a bit ironic, then, that one of our most significant assets in continuing to earn our customers’ trust is our Zero Trust program. One of our top priorities will continue to be developing and integrating our Zero Trust program globally and helping our clients in their own Zero Trust journeys.”
Trends and developments
“As always, we need to keep an eye on the evolving use cases for SIEMs and XDR platforms and look to how we can make our SOCs as effective and efficient as possible,” says Künzler. “We’re also keeping a close eye on developments in the threat intelligence space to keep our operations informed and up to date.”
“I am keeping my eyes open for solutions that put user experience (UX) at the heart of the tools that we provide,” says Williams. “I’m always happy to displace a solution with frustrating or confusing UX for one that’s easy to use — even at a higher cost, within reason. Too often, we (as security leaders) put security systems in place that demand major procedural or behavioral changes from our users. And we expect that — just because something is more secure — we will instantly get people to change years of muscle memory and training.”
“This disconnect between what technologists want people to do versus people’s natural behavior is the single greatest driver of risk in any organization. The reality is that people will spend countless hours searching for workarounds for anything disruptive to their natural flow. That doesn’t just waste valuable productivity, but it introduces huge opportunities for risk. The successful CISO will embrace this disconnect and challenge themselves to use this pandemic-induced opportunity for a hybrid work environment to provide security that minimizes friction wherever possible.”
“With the security market being as talent-starved as it is, with hundreds of thousands of roles going unfilled every year, training is a key focus area for us,” says Williams. “Part of the training is geared to upskilling people to advance our security program, and part is on reskilling people who show interest (and aptitude) but currently are not in a security position. Security is a fast-paced and constantly-changing field, so the most successful security professionals are those who stay hungry to learn and don’t shy away from the unknown.”
“My hiring philosophy has always been 70% team fit (behavior-based) and 30% skill (aptitude-based). That is because as long as people are hungry to learn, we can teach them the technology, but we cannot change people’s desires or personalities. Teams must work very well together, often under extreme stress, so team fit is essential to a high-performance team. Focusing hiring on soft skills versus hard skills can reap benefits long term.”
Recommended budget priorities
“Automation is a clear need across the industry,” says Künzler. “Security leaders need to do everything they can to make their operations as efficient as possible and keep our people focused on the tasks to which they’re best suited. As Steve said, let the machines focus on machine-level tasks, which both frees up our people to focus on the anomalies and mission-critical issues and drastically speeds up how those everyday tasks can be handled.”
“Compliance also remains a focus worldwide, particularly here in Europe. Security leaders need to make sure our organizations are staying in line with the requirements of all the markets in which we operate.”
“For me, Zero Trust investments should be the main focus area,” says Williams. “So depending on where an organization is on their Zero Trust journey, the budget targets will vary. If a CISO is starting out, I highly recommend investing in a proper Identity and Access Management solution and building a project to address the inevitable cleanup that must precede such an implementation.”
“In my opinion, the best Zero Trust programs are identity-based, so without a rock-solid foundation, they are doomed to fail. If a CISO has a Zero Trust program in flight, I recommend investing in awareness, training, and education material to keep the culture and the program aligned. Lastly, since skilled security resources are in short supply, I recommend finding either a local university or college to build a feeder program with or finding a trusted security partner to augment your program.”
Williams is keeping his eye on data protection. “Data protection is the main area I am watching, as literally, no one has it right. This space is dying for a quality solution that can meet today’s hybrid working model without the level of friction today’s solutions all introduce. We will continue to see an increase in both cybersecurity and data privacy regulations around the world, so this is a critical space to watch.”
“I’m continuing to watch the development and evolution of security regulations, such as DORA (Digital Operational Resilience Act) in Europe. Regulators are responding to the proliferation of attacks across industries, so we’re keeping our eyes on regulations being imposed on at-risk industries like finance, constantly ensuring our practices are in line with the regulations, and always looking for ways to improve our operations.”
As we move into 2022 and beyond, security leaders must empower their teams to have the flexibility and awareness to tackle challenges in this rapidly changing environment. CISOs can never take their eye off the technologies that dominate our field, but it’s just as essential to continue to nurture the people and processes to get the most out of those new technologies.