Whether cloud migration is a cause or effect of digitalization, it is nevertheless a major part of the journey currently being taken by business. Cloud cybersecurity has different issues from on-prem cybersecurity – and may well introduce new or adjusted pain points for CISOs.
Salt Security surveyed (PDF) an international selection of 300 CISOs and CSOs to examine the cybersecurity ramifications of digitalization – and it is worth noting that almost 90% of them said that digital transformation introduces unforeseen risks.
The survey is not an attempt to understand all security challenges, but rather to focus on those challenges that are new or expanded through digitalization. These challenges can loosely be divided into functional, personal, direct cybersecurity, and general.
The biggest functional challenge is recruiting qualified staff. The underlying skills gap is not new, but the cloud exacerbates it. Book learning cannot keep up with new technology (it takes a long time to research, write, publish, distribute, and learn from a new book), and the alternative to book learning, hands-on experience, does not yet exist for technology that is itself new.
“Because digital services introduce new types of cybersecurity attacks, its defense demands new knowledge and capabilities, making the hiring of qualified talent essential,” notes the survey report. Ninety-one percent of the respondents said that hiring qualified talent is a significant issue in business transformation.
The top personal concerns are “personal litigation stemming from breaches (48%) and increased personal risk/liability (45%).” This is potentially a growing concern for all CISOs but is again exacerbated by digital transformation. The underlying problem, central to almost all the challenges, is the increased need for speed that comes with business transformation. The faster you go, the more likely you are to make a mistake.
In May 2023, former Uber CSO Joe Sullivan was sentenced to three years’ probation for covering up a data breach that happened in 2016. CISOs have always been aware that their role can be the company scapegoat for security failures, but there is increasing concern over legal rather than just company liability.
Michelle McLean, Salt Security’s VP of marketing, suggests there may be a linkage with one of the respondents’ primary cybersecurity concerns: API security. “We talked about Shadow IT for years. Now we have Shadow APIs,” she told SecurityWeek. “People are building services and they’re not necessarily following all the common best practices around those services. So, I do think that the concerns over personal litigation are accentuated in a world focused on digital initiatives because these services and these products that we’re building, they’re all about sharing sensitive data.”
The top three cybersecurity challenges coming from digitalization are supply chain (38%), APIs (37%), and cloud adoption (35%). “As the delivery mechanism for sharing data across digital services and applications, APIs represent the key component of digital transformation,” notes the report. “APIs also play a particularly critical role in CISOs’ first and third concerns – supply chain/third-party vendors and cloud adoption.”
Whatever way we look at it, API security is a major concern for cybersecurity. Partly, the problem is again seated in the need for speed. Digitalization is a business decision – and business needs results from the process immediately. No developer sets out to create insecure code, but the demand to build the code quickly means that mistakes or omissions can and do happen.
McLean sees a further problem for the CISO. “I think most of the time when we build a new app, we change the attack surface, but not the attacks themselves.” When Kubernetes arrived, it didn’t change the nature of the attacks, just the attack surface to be defended.
“A lot of what you would look for as a security gap in a container in a cloud configuration is very much rooted in the structure of what you built,” she continued. “APIs are different. It is in the running of the APIs. It is in the tweaking of the calls and the manipulation of the process. Can I abuse it in this way and pull back different information? You can’t test for that. You can’t look at the code and see that gap. It’s all rooted in a business logic flaw – and that’s what makes API security so difficult.”
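As an added illustration of the kind of gap McLean describes (example code written for this page, not from the article or from Salt Security; the orders, session tokens and handler names are all constructed), here is an order-lookup endpoint in which every line reads correctly on its own, next to a hardened version. The flaw only shows up when the call is exercised with an ID the caller does not own, which is exactly the “tweaking of the calls” that a static read of the code does not reveal.

```python
"""Added example: an API handler with an object-level authorization gap
(any authenticated session can read any order) beside a hardened version.
All data, tokens and names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed in-memory "database" with sequential IDs, as many real APIs use.
ORDERS = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
    1003: Order(1003, "carol", 250),
}

# Constructed session store: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_order_vulnerable(token: str, order_id: int) -> tuple[int, dict]:
    """Authenticates the caller, then fetches whatever ID was requested.
    Authentication is never tied to the object being returned, so a valid
    session for one customer can read every other customer's order."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, {"order_id": order.order_id, "owner": order.owner,
                 "total_cents": order.total_cents}


def get_order_hardened(token: str, order_id: int) -> tuple[int, dict]:
    """Same endpoint with an object-level authorization check: the order
    must belong to the authenticated caller. A foreign object gets the same
    404 as a missing one, so the response does not confirm the ID exists."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        return 404, {"error": "not found"}
    return 200, {"order_id": order.order_id, "owner": order.owner,
                 "total_cents": order.total_cents}


def enumerate_orders(handler, token: str, start: int, stop: int) -> list[int]:
    """The client-side view of 'tweaking the call': one legitimate session
    walking neighbouring IDs. Returns the IDs whose data came back with 200."""
    return [oid for oid in range(start, stop) if handler(token, oid)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", enumerate_orders(get_order_vulnerable, "tok-alice", 1000, 1010))
    print("hardened:  ", enumerate_orders(get_order_hardened, "tok-alice", 1000, 1010))
```

Note that a scanner looking for a missing authentication check finds nothing here: both handlers authenticate. The difference is the ownership comparison, which only a test that actually sends a foreign ID through a valid session will surface.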
The primary general challenges specified by the respondent CISOs are the rapid rise of AI (94%), macro-economic uncertainty and the geopolitical climate (both at 92%). There is little that can be done about the last two, but the CISO can at least use defensive AI to counter adversarial AI.
This is particularly important in defending APIs. “The bad guys are going to tap AI to get better at attacking,” said McLean. The attackers will use AI to seek logic flaws in APIs long before there is an actual breach – so the defenders need to be able to recognize that reconnaissance phase. This can only be done with defensive AI. “There’s no way for humans to keep up – there’s simply too much traffic to parse,” she continued. “So yes, it will be used as a weapon. And yes, AI also needs to be used as a defense.”
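To make the reconnaissance phase concrete, here is an added example (written for this page, not from the article or from Salt Security) that runs a hand-written, rule-based detector over constructed API access-log lines. It is not an AI model; it computes the per-session signals a learned detector would consume: how many distinct object IDs one session touches, whether those IDs form a consecutive run, and what fraction of the responses were 404s. The log format, field order and thresholds are assumptions made for the example.

```python
"""Added example: rule-based baseline for spotting one session enumerating
object IDs through an API, run over constructed access-log lines.
Log format (timestamp, session token, method, path, status) and thresholds
are assumptions for illustration."""
from collections import defaultdict
import re

# Constructed log lines: a normal customer (alice), another (bob), and one
# session (mallory) walking sequential order IDs, with 404s where they run out.
ACCESS_LOG = """\
2024-03-01T10:00:01Z tok-alice GET /api/orders/1001 200
2024-03-01T10:00:05Z tok-alice GET /api/orders/1001 200
2024-03-01T10:00:30Z tok-bob GET /api/orders/1002 200
2024-03-01T10:01:00Z tok-mallory GET /api/orders/1001 200
2024-03-01T10:01:01Z tok-mallory GET /api/orders/1002 200
2024-03-01T10:01:02Z tok-mallory GET /api/orders/1003 200
2024-03-01T10:01:03Z tok-mallory GET /api/orders/1004 404
2024-03-01T10:01:04Z tok-mallory GET /api/orders/1005 404
2024-03-01T10:01:05Z tok-mallory GET /api/orders/1006 404
2024-03-01T10:01:06Z tok-mallory GET /api/orders/1007 404
2024-03-01T10:02:00Z tok-bob GET /api/orders/1002 200
2024-03-01T10:02:10Z tok-alice POST /api/login 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^/api/orders/(\d+)$")


def session_features(log: str) -> dict[str, dict]:
    """Per session token: number of object requests, the set of distinct IDs
    touched, the number of 404 responses, and the longest run of consecutive
    IDs. Lines that are not object lookups are ignored."""
    feats = defaultdict(lambda: {"requests": 0, "ids": set(), "not_found": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, token, _, path, status = m.groups()
        om = OBJECT_RE.match(path)
        if not om:
            continue
        f = feats[token]
        f["requests"] += 1
        f["ids"].add(int(om.group(1)))
        if status == "404":
            f["not_found"] += 1
    for f in feats.values():
        ids = sorted(f["ids"])
        longest = run = 1 if ids else 0
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        f["consecutive_run"] = longest
    return dict(feats)


def flag_enumeration(log: str, min_distinct: int = 5, min_run: int = 4,
                     min_not_found_ratio: float = 0.5) -> list[str]:
    """Flag sessions that touch many distinct IDs and either walk them in
    sequence or collect a high share of 404s. Thresholds are illustrative."""
    flagged = []
    for token, f in session_features(log).items():
        not_found_ratio = f["not_found"] / f["requests"]
        if len(f["ids"]) >= min_distinct and (
            f["consecutive_run"] >= min_run or not_found_ratio >= min_not_found_ratio
        ):
            flagged.append(token)
    return sorted(flagged)


if __name__ == "__main__":
    for token, f in session_features(ACCESS_LOG).items():
        print(token, len(f["ids"]), "ids, run", f["consecutive_run"], "404s", f["not_found"])
    print("flagged:", flag_enumeration(ACCESS_LOG))
```

The point of the baseline is the choice of signals rather than the thresholds: a probing session looks different from a customer re-reading their own order in the distinct-ID count, the ID sequence and the error ratio, and those are the features worth feeding to whatever model ends up doing the parsing at production volume.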
The big takeaway from this report is that CISOs should not engage in a digitalization process believing that it’s just business as usual. Digitalization brings new challenges, new concerns, and new threats. One of the biggest dangers is that business leaders may consider the project to be purely a business project. Since the company already has a CISO, a security team and a security budget, they may easily feel that security is already handled. But both business and security must recognize that this is new territory, and should not in any sense of the phrase be considered just ‘business as usual’.