The intersection between business and technology has always fascinated Tony Buffomante, the global head of cyber security and risk services at Wipro. It necessitates a careful balancing act, weighing innovation against security.
The rapid pace of technological development means organisations constantly need to innovate. Likewise, the security sector has a constantly evolving threat landscape. As new vulnerabilities are discovered and patched, malicious actors seek new ways to circumvent security systems, which in turn need to be updated before they are exploited. However, these systems need to be simultaneously robust and secure. Security needs to be right all the time – but hackers only need to be right once.
“I have been an auto racing driver for over 30 years,” says Buffomante. “I’ve raced multiple different types of cars. When you qualify, you’re maybe within a 10th of a second of someone else, but if you come back the next year and do that exact same time, instead of being first, you’re probably 10th, because everybody has innovated and upgraded. This is the exact same phenomenon we have in cyber security.”
The disruption caused by a network breach can be massive; according to Wipro’s State of cyber security report 2023, a ransomware attack usually results in downtime of between 11 and 30 days, which can be devastating. There are also financial costs associated with needing to restore the system and potential penalties for exposing sensitive data, as well as the reputational harm that comes from being hacked.
Clear communication is key
Being able to clearly communicate security risks to executives in an easy-to-understand format is an essential skill for cyber security teams. There can be an overwhelming amount of information regarding the security landscape that needs to be understood. It is therefore incumbent upon security professionals to present this information in a way that is pertinent to an organisation’s industry and business.
“We love to talk about these massive volumes of attacks that we’ve stopped. People think it’s impressive, because the numbers are big, but it’s not an effective way to communicate at an audit committee or board level,” says Buffomante. “We should say things about the security programme that is monitoring the most important assets of a company, whether it’s customer information, intellectual property or financial information.”
Buffomante advocates using a ranking system for highlighting key areas that need to be addressed within an organisation’s security posture. This could be a colour-based traffic light classification that ranks systems in red, amber or green, or it could be graded in tiers, such as high to low.
Although details can sometimes be missed when presenting security information in an abridged format, this is not a concern. What is vital is presenting information in a clear and transparent way that highlights to the board where an organisation is most vulnerable, what is needed to mitigate the risk and the budget required.
Focus on business needs
Understanding an organisation’s needs is essential for effectively managing its security posture, which necessitates liaising with the wider organisation to understand the vital infrastructure necessary for continued business operations.
“When you set up a security strategy for a global airline, people immediately want to talk about credit card data. If you look at the CEO strategy, the number one thing on the list is passenger safety,” says Buffomante. “What is most important isn’t necessarily the credit card data, but keeping hackers out of air traffic control. Being able to tie the security strategy to not just the IT strategy, but to what’s important to the business, is where the training and the soft skills come into play.”
Instead of the cyber security team being gatekeepers, Buffomante believes they should become an intrinsic part of business development, with involvement in project development. In this way, the product or service can be made secure by design.
Security guidance and training is a vital part of this engagement. Department-focused training courses can be used to ensure that the information being presented to the teams is relevant to their needs. For example, the finance team may not need to understand secure coding techniques, but an awareness of the latest phishing techniques will be valuable.
“Security training needs to be acceptable and fit for purpose. By bringing security testing right into the development pipeline, you could have real-time pop-ups that say, ‘You’ve developed this code and here are the vulnerabilities in this code’,” says Buffomante.
“They don’t need high-level generic training. What they need is specific training in tune with their role and the just-in-time environment. Identifying those particular hotspots in the organisation will make a marked difference in developing and implementing security controls and is where organisations should focus.”
Cyber security training should not just be focused on the development or operations side, but on all parts of an organisation and at all levels. An awareness and understanding of the threats at the appropriate level will enable organisations to develop appropriate business strategies that are cognisant of their particular risks.
“Only 27% of the simulation exercises that companies do involve the board,” explains Buffomante. “How does a board member get more appreciation for what’s actually happening and how we would react to it as an organisation in a breach, when only 27% of them are participating? We find these things are important for organisations to be on that continual learning journey.”
Role-focused training can be combined with feedback from security assessments to highlight the areas of training that require focus. As such, the security training can be used to target areas that need improvement. This targeted approach is both cost-effective and more engaging for each role, thus leading to a more robust security posture.
Collaborative teams achieve more
When security teams are collaborating with the wider organisation, it not only helps the communication, but enables security to be embedded in solutions, rather than being a checkpoint at the end. When security teams collaborate with development teams at the outset, costly revisions to meet specific security requirements can be avoided, thus saving time and resources.
“In security, we often risk being the ‘no’ guy or girl, but we never want to be that way. If we’re not early in that collaboration, we typically see some of these business initiatives and IT initiatives too late, and then we need to evaluate the security and the risk and regulatory considerations of this,” says Buffomante. “It could risk slowing down business innovation, and that’s not what we want to be, as practitioners and as an industry.”
There are also opportunities for security teams to enable new revenue streams. For example, complying with the Federal Risk and Authorization Management Program (FedRAMP) in the US, or the UK’s MoD Cyber Security Model framework, offers opportunities for companies to work with government departments. However, this is only possible when product development is working alongside the security team.
“It’s not just about protection, it’s ‘How can we help open up a new revenue stream?’,” says Buffomante. “That’s where we feel really valuable.”
Automating the threat response
The past few years have seen a dramatic increase in malicious actors online, as well as new and disruptive technologies, from 5G to generative artificial intelligence (AI). Many of these technologies carry risks, but they also offer unique opportunities. However, to be forewarned is to be forearmed, and an understanding of these risks means that they can be mitigated.
With the appropriate policies in place, these technologies can be used responsibly and securely, enabling all of the advantages while still protecting sensitive data and network security.
For example, with new technologies offering greater interconnectivity than ever before, there is an increased risk that devices could be usurped by malicious actors, but with user and device network permissions defining their acceptable usage, as well as network monitoring scanning for anomalous behaviour, this potential danger can be mitigated.
Despite the multifarious threats online, Buffomante remains optimistic about the future. For example, AI and machine learning can be used to automate tasks that reduce the workload of security teams, as well as enabling them to respond faster to emerging threats. Likewise, having security teams collaborating with all departments and developing a security training programme that is appropriate for each member of the organisation will engender a culture of security by design and, in so doing, a wider robust security posture.
“We have a greater ability to see and react to bad activity faster than we ever had before. Just months ago, it would take hours to detect something that now takes minutes, because of this technology,” concludes Buffomante. “The arms race continues, but I hold a lot of hope, because we can develop security solutions that are incredibly data-driven and automated, and lead to self-healing networks.”