10 Questions With Chase Cunningham On Cybersecurity

Enterprises are placing a higher priority than ever before on cybersecurity with a specific interest in Zero Trust. In recent conversations with CIOs in banking, financial services, and manufacturing, the most common question is how to get started. To get the CIOs’ questions answered, I turned to Dr. Chase Cunningham of Forrester with the top ten questions I’ve heard during my monthly meetings with CIOs. He offers insightful, practical advice to anyone looking to improve their cybersecurity strategies and learn more about Zero Trust.

As Principal Analyst at Forrester, Chase contributes to the research and advisory firm’s offerings for Security & Risk Professionals. His research guides client initiatives related to security operations center (SOC) planning and optimization, counter-threat operations, encryption, network security, and Zero Trust concepts and implementation. He helps senior technology executives with their plans to leverage comprehensive security controls and the use of a variety of standards, frameworks, and tools to enable secure business operations. His research focuses on integrating security into operations; leveraging advanced security solutions; empowering operations through artificial intelligence and machine learning; and planning for future growth within secure systems. You can find Chase’s Forrester Profile here. Be sure to download two guides he’s written on Zero Trust, Revolutionize Your Security With Forrester’s Zero Trust Model and Five Steps To Zero Trust Security.

One of cybersecurity’s greatest paradoxes today is that despite billions of dollars invested in securing IT systems, hackers are gaining access to more systems and exfiltrating a record number of records. Where did all those investments in cybersecurity go wrong, and what can we do to protect enterprise systems better?

I don’t think that anyone or any company ever really did anything wrong per se. I think what has happened is that we did what everyone does in technology: we went too fast. Businesses don’t make money with security, unless they are a security provider, that is. But what happened is that, with the explosion of the online world being the area we all live and breathe in, speed to revenue outpaced planning and strategy for security, and we all collectively created this giant interconnected network of weakness. And we built the whole thing where the password is the one linchpin in almost everything. For nearly half a century we have been clawing at gaining ground here, but it’s all been for naught because speed trumps strategy in security and tools trump tactics. As long as that is the mantra, this failure cycle will continue.

When you meet with C-level executives, and they want to know the essentials of Zero Trust Security, what five key points do you share with them?

Be granular – fix one thing first, whatever is “smallest” and has the most binary fix. Do that first.

Be realistic – accept that this is going to take a while, Rome wasn’t built in a day, and you have decades of misconfiguration to fix.

Think like the bad guy – why try some crazy AI-enabled whatever when you have admin creds that aren’t managed properly? Security is good blocking and tackling first; then the sexy stuff comes.

There is no technical “solution” – no single provider has everything you need, period. Some have more than others, and functions differ, but no vendor has the one thing that will fix this.

Act – be decisive. Don’t mull around and try and look for a silver bullet; you need to move. Pick something that you can fix and get to it. Having meetings and discussions about things is not why you get paid to be the leader. Lead.

The other thing I talk about that resonates with non-security folks is that this is no different than sales. Think about it. In sales, your company hires a sales leader; they establish a plan/strategy, they assign metrics to that plan, they get the sales team on board with it and align their actions, tooling, and requirements, and then everyone goes out and does the work. If it is all done correctly, that leads to more sales and everyone is good. Things get better, maybe incrementally, maybe exponentially, but things progress. Or they don’t, and something needs to be fixed or modified, and then the cycle repeats. Security is the same sort of thing; we just have different tooling, metrics, and marching orders, but if you can understand how sales leverages that approach, security is doing the same thing.

You’re the only industry analyst who dives in and creates security architectures that are invaluable in making concepts real. Where did you learn how to do that, and what lessons have you learned in creating security architectures to instruct Forrester clients in the nuances of creating their own?

I actually learned how to do that when I was doing pen testing and red teaming training for the DoD and the Intelligence Community (IC). We had to build systems that were fully functional networks so we could break them; that’s how we learned to do our operations. I personally think the way anyone gets better is to design, test, and then try repeatedly in virtual systems; that’s what they are there for. Blow it up and fix it, then you get better, and you know what works and what doesn’t. It takes the fear out of going live with a tool or technology. We have the technology now to do iterative architecture development, and we should. I think of it as Object-Oriented Infrastructure.

How can organizations design their Internet of Things (IoT) networks to make sure every endpoint is protected using a Zero Trust framework?

Know what is up and running and have a really good inventory of the assets that are on the network. Also, make sure the functions of those devices are doing what they are supposed to. Most IoT devices have way too much functionality, and it’s usually enabled by default. Make IoT do IoT; limit anything else.

How can Zero Trust Security be used to battle fake news, modified videos, and the spread of propaganda, especially in major election years?

I personally think this is the greatest area of threat in the future. We have a handle on the ways to secure infrastructure, but now with social media, deep fakes, and exploitationware coming into play, the next few years are going to be rough. It’s imperative that we have knowledge of what is and isn’t fake and be able to respond. The worst thing that can happen is to allow fake news or images to fester on the internet. Companies have to be able to respond and do so fast.

Which advanced encryption technologies do organizations need to be monitoring today? Which one of them is the most important to know about now and in the future?

I think the most important thing here actually is to be able to see what is taking place inside of encrypted traffic. If your company can’t see inside of the encryption that is running in the network, you are missing insight into 50% of the traffic. Would you get on a plane that has one wing and expect it to fly?

With so much hype swirling around Zero Trust Security, which questions and advice do you recommend your clients use to separate Zero Trust fact from fiction?

Has the vendor shown legacy understanding and alignment to zero trust for the last few years? Or did they suddenly start saying zero trust everywhere? That’s the clearest indicator that they are just jumping on the gravy train and that they don’t actually care about the strategic benefit here; they just want to gain sales.

What’s the most harrowing story you can share publicly of how vulnerable an organization was that relied on a “trust but verify” model of enterprise security?

I did a red team on a network that had public-facing servers with unchanged admin passwords, which were “admin”, and that had been unpatched for 11 years. This system connected on the backend to about 1000 miles of piping for natural gas systems. Bad. When I asked them why this happened, they seriously said: “we forgot about it.”

What’s the future of Zero Trust Security, and how can organizations get prepared today for that reality in the future?

I think it’s to understand the concept and strategy and know that there is a decade’s worth of knowledge behind this movement. I also understand that security is a business enabler, not a detractor. Users and consumers expect your business to operate in a secure manner; it’s a competitive differentiator. If you don’t have a good long-term strategy in place (not a vision statement, not a fluffy wordy thing about security, a strategy), you will fail. And ultimately your company will pay the price.

How can organizations keep up to date on your extensive work on Zero Trust Security?

Very soon I’m launching a YouTube channel for DrZeroTrust. That will be me. Haha. We will be discussing the major news, staffing issues, and misconceptions in cyberspace, and also demoing vendor tools and products and breaking down where they align with this strategy and where there may be gaps. It will be a place to get real ground truth on this whole cyber thing, and I hope a lot of folks will benefit from it.

Originally posted on forbes.com by Louis Columbus.