Sylvain Cazard, VP SDDC EMEA, VMware
The castle walls have fallen, the enemy is within. This isn’t a history lesson, but a description of IT security today. Whenever I speak to CIOs at enterprises across Europe, Middle East and Africa, they tell me how security is the thing that keeps them up at night, above everything else. This isn’t just anecdotal evidence either – our survey with Forbes, “Enterprises Across Europe, the Middle East and Africa Slowly Embrace Cybersecurity Challenges”, shows that only 21% of these sorts of businesses are confident in their infrastructure’s security.
Why is that? Because the old ways of protecting IT – with those ‘castle walls’ – are being overwhelmed in two ways.
Firstly, by the sheer scale of today’s ever-expanding threat landscape. We live, work and play in an increasingly complex world, populated with more interactions, connected devices, sensors, dispersed workers and the cloud. These are all contributing to create an exponentially larger attack surface, which is being exploited by sophisticated cyber criminals, foreign states and other hostile parties. As the EU notes, “despite the growing threat, awareness and knowledge of cybersecurity is still insufficient: 51% of European citizens feel uninformed on cyber threats; 69% of companies have basic or no understanding of their exposure to cyber risks.”
This correlates with what I hear from CIOs, and what our own study revealed – the most common security issue experienced over the past three years in Europe is password phishing, cited by 36%. Identity and access issues were also cited by 25%, followed by socially engineered malware (23%) (Fig. 4). As the executive summary points out, “these are all vulnerabilities that may be just as effectively addressed by a more aware employee population as through technical screening of incoming traffic.”
Educating organisations is vital, but there is another challenge that enterprises also need to overcome: modern applications are moving to the cloud. It is a critical shift if they are to meet their evolving business requirements, and it means that everything, more than ever, is on the move: apps, the devices that connect to them, and the data they all generate, shifting from cloud to on-premises, from cloud to cloud and back again.
How can you secure that with traditional perimeter-style defences? Can you even define where the perimeter is any longer? And what happens when there is a breach (and it is a case of when, not if)?
In my conversations with CIOs, they tell me that their go-to response is simply to spend more and more money on increasingly ineffective traditional security solutions. Alternatively, they invest in a wide range of hard-to-manage point solutions to try to address the many emerging cybersecurity gaps. This is at odds with their approach to almost any other type of solution: if I speak to them about storage, or networks, they will tell me they have two or three vendors for each. When it comes to security, because of those niche solutions for individual threats, they can have tens or even hundreds of suppliers. It makes a complex scenario even more complicated, and it urgently needs to change.
Put simply, the old model just isn’t fit for purpose any longer, at least not as the only line of defence. We have to move to a model where security is built into every element of the infrastructure, not just at its edge. That way, we can deploy services confident that their intrinsic security, and that of everything surrounding them, will keep them safe, in turn protecting the enterprise. I like to think of it as the cybersecurity equivalent of herd immunity: if the app, network and storage have all been inoculated (or made intrinsically secure), then the chances of malware infecting the wider organisation and having any significant effect are minimised. That is the principle of intrinsic security.
It also means a change in the way we invest in security. Investment needs to be focused far more on simplification, prevention and risk reduction, rather than just on reacting to threats. It means having a single strategy that will not only reduce duplication but also ensure a consistent level of protection for corporate assets.
The business risks enterprises face have changed radically as the threat landscape continues to worsen. It is clear from both my ongoing conversations with decision-makers and from the results of our study that the enterprise approach to security needs to evolve. What I’ve suggested is just a brief overview of our recommendations; I urge you to read the full report to find out what you need to do in more detail.