Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Panel: “Security is not a ‘Thing’ – it’s a Goal that Requires a Layered Approach”

Security is not a “thing” – it’s a goal and a business enabler that, to be done well, requires a layered approach based on an understanding of risk and an organization’s IT environment.

Security is not a “thing” – it’s a goal and a business enabler that, to be done well, requires a layered approach based on an understanding of risk and an organization’s IT environment.

This was one of the main takeaways from an Oct. 6 panel discussion on cyber-security hosted by Kaspersky Lab in New York, where security experts laid out the challenges facing businesses and governments as attackers continue to evolve. One of those challenges is a basic level of situational awareness – something many IT shops don’t have, said Steve Adegbite, director of cyber innovations at Lockheed Martin. For example, organizations need to be able to identify if an employee is logging in at an unusual hour, or from a suspicious location.

Panel Discussion: Peter Firstbrook, Gary McGraw, Eugene Kaspersky“We have to advance technology, but we have to layer the people, process and what we call looking at the sequence of events,” he said. “There are key events that every attacker needs to go through in order to be successful. If you can layer your defenses along with your advance technology on that and basically disrupt the key events that they have to go through, you can find a lot of attacks, and that’s what we’re seeing inside our environment.”

Adegbite was joined on the panel by Gartner analyst Peter Firstbrook, Cigital Chief Technology Officer Gary McGraw, and Eugene Kaspersky, CEO of Kaspersky Lab. Though security has traditionally been layered on afterwards, security professionals are now realizing they can be a business enabler, Adegbite said, and at Lockheed, security pros are being brought in earlier as the company starts building products.

Still, while discussing Stuxnet, McGraw noted that security is still viewed by many as a “thing.”

“We all know that security is a property, and not a thing,” he said. “It’s a goal and a process.”

While the industry is improving is some respects, the government is way behind – making their role in battling cyber-threats problematic.

“If we rely on the government to regulate this stuff, we’re first going to have to teach them what that means, because they frankly just don’t know,” he said.

Kaspersky said stronger regulation has a role to play in improving security, though it still needs to be in conjunction with improvements in technology. “(The) good news is that governments already understand that,” he said. “Finally, after the Estonia incident, Stuxnet, other incidents related to security, governments…want to do something. But they don’t know what to do.”

Advertisement. Scroll to continue reading.

But if statistics on malware infections are any indications, businesses do not know what to do either much of the time.

“I am from an IT security company,” Kaspersky said. “I must think about threats. If you are from business or government, you better think about risk. But our job is to explain your threats to let you manage the risk.”

If businesses develop a myopic focus on threats as opposed to risk, it can actually make security efforts less efficient, Adegbite said.

“You’re not going to stop a hundred percent of the threats or the attacks,” he said. “But you need to stop the ones that are going to critically impact the percentage (of assets) that you need to do your business.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.