Inside F5’s cyber security playbook

Like any business, cyber security suppliers have had their fair share of cyber attacks from cyber criminals and other threat actors. The stakes of falling prey to a successful attack, however, are deemed higher as cyber security is the bread and butter of these firms.

As such, chief information security officers (CISOs) at cyber security companies have to be at the top of their game, employing ways to stop cyber criminals amid digital transformation efforts that potentially expand an organisation’s attack surface.

But rather than rush in to implement controls, F5 Networks’ CISO Mary Gardner prefers listening and understanding the business as a first move, so that she can address the risks that the business cares most about.

In an interview with Computer Weekly, Gardner explains her approach towards cyber security, the role of threat intelligence in the fight against cyber attackers, and her thinking around the need to deliver security without slowing down the business.

What is your general approach towards cyber security at F5 networks? How does this approach shape F5’s product strategy?

Mary Gardner: We live in an era of digital transformation – today’s modern business is entirely dependent on applications. Every application, regardless of its design or purpose, has one thing in common: they are the doorway to data, which is the target of the cyber attackers. At the same time, companies, both old and new, are facing mounting pressure resulting from the constantly evolving regulatory complexities and compliance requirements in the Asia-Pacific (APAC) region.

My perspective is that applications are the gateway to data. At F5, we aim to keep applications and data safe across a multi-cloud environment by ensuring we have three essential security elements – visibility, context and control.

We can’t secure what we can’t see, so visibility is a must-have. Context allows us to differentiate normal from abnormal behaviour and prioritise our efforts. Finally, the ability to apply the right security controls at the right time in the most efficient way.

The rhythm of the business dictates we move at speed, and sure, we can easily deliver security if we unplug everything – but organisations can’t do business that way

My team works with our products on a daily basis and we use that experience to help make our products better. We give feedback to the product teams on what is working well and where we have opportunities to improve.

We also share our experiences as practitioners to the product teams to help them as they develop new and better security tools and offerings.

Can you provide some perspective on the scale and types of attacks that F5 faces each day, given that it is in the network security business?

Gardner: In today’s environment, phishing and social engineering are the most pervasive attack vectors, and this is true across every company, not just security companies.

Distributed denial-of-service (DDoS) attacks are also common, and we have controls in place that significantly reduce their impact. We do see targeted attacks, but they are generally less frequent. The targeted attacks do have the potential to be much more impactful when they happen.

What is the role of threat intelligence at F5, and how is that intelligence being applied?

Gardner: Malicious communications and ever-evolving attacks threaten businesses across environments – on-premise, cloud, and hybrid. Our threat intelligence is a cloud-based service that incorporates external IP reputation and reduces threat-based communications.

By identifying IP addresses and security categories associated with malicious activity, this managed service integrates dynamic lists of threatening IP addresses with the Silverline cloud-based platform, adding context-based security to policy decisions.

How do you ensure your team and different lines of business are not complacent about cyber security?

Gardner: At F5, we believe in a zero-trust model – always verify and never trust – and we encourage our customers to use the same approach. This approach enables enterprises to revalidate access decisions every time an access is requested. This reduces the threat of insiders being granted more access than required or from employees whose access needs change due to changed job responsibilities.

The other aspect of encouraging better cyber security practices in any organisation goes beyond the technical. In my experience, the security team has an obligation to understand the organisation, not the other way around. Information security teams must speak the language of the business and its culture.

Without this, a lot of time can be wasted on fruitless efforts to mitigate risk and implement control processes. This can mean taking the time in the beginning to get the lay of the land and learning to speak to the organisation in a manner that is most familiar.

Some CISOs would prefer to rush in and implement controls, but I think that listening and understanding is a better first move. This allows us to build relationships and address the risks that our business cares about most. The more we partner and build that trust the better positioned we are to keep cyber security top of mind.

As a global organisation, F5 engages different suppliers with potentially different attitudes and maturity levels when it comes to cyber security. How do you mitigate the security risks associated with your global supply chain?

Gardner: We assess our vendors’ security posture through a series of questionnaires, Service Organisation Controls (SOC) 1 and 2 reviews, audits and policy reviews. We do this based on the risk the supplier could have to the organisation.

After we assess the risk, we work with legal and the business owner to ensure we have the right contractual provision to address the supplier risk. We then monitor the supplier to ensure they are meeting those provisions.

What keeps you up at night?

Gardner: Right now, the biggest thing I’m concerned about is ensuring that my team can deliver security without slowing down the business. The rhythm of the business dictates we move at speed, and sure, we can easily deliver security if we unplug everything – but organisations can’t do business that way.

I see security as an enabler. We should help the business move faster by reducing risk in a way that also reduces business friction. That’s a hard balance to strike.

The consequences if we can’t strike that balance is decreased business productivity on one side and increased risk on the other. In a world of digital transformation, security professionals have to be agile and help the business move at speed, safely.