How do changing user expectations shape our approach to security?
An interview with Chris Roberts from Cisco to discuss the impact of our fast-paced culture on an enterprise’s network security measure.
We live in a global culture that drives an unprecedented rate of technological development.
When coupled with humanity’s growing expectation for seamless connectivity across domestic and professional applications, how can security teams keep pace and protect users’ ever-changing vulnerabilities?
We talk to Chris Roberts, Cisco Security Service Creation & Portfolio Manager about how the expectations of today’s society are influencing the way enterprises approach security.
Question: What are the hot topics coming out of your work with global enterprise clients at the moment?
Enterprises are increasingly faced with larger network environments and an ever-increasing number of clients connecting to them. In order to maintain relevance to both customers and employees, there is little choice but to both embrace and operate within them. It stands to reason that we need to understand the drivers that are creating that environment. I believe the primary driver is the expectation from users that flows into the businesses that support them.
We live in a world where a continuous flow of ever-increasing processing capability combines with humanity’s inquisitive and demanding nature to drive a rate of technological development that, I believe, has never been seen before.
Everything appears more complex than previous years — partially driven by this increasing computational capability. Add to this the variety of consumerist driven societies that reinforce our desire for constant acquisition and change, and you’ve got a perfect storm that feeds our expectations with no end in sight.
Annual product refresh cycles, automated home environments, digital assistants, connected TV’s – all of these and more drive behaviour and expectation. As an example, the first iPhone was only released 12 years ago and yet the latest version is a world away from it in terms of potential usage, speed and user experience. We must remember that version one was a revolution in its contemporary market.
Users of this technology often adopt it without fully understanding the implications and the level of background interactions that occur to deliver the functionality they expect. Think of any voice assistant and the mechanisms by which a verbal command can instruct multiple systems to alter their state. The desire to simplify everyday tasks and life in general is blinkering many of us to the increasing risk and privacy landscapes.
Everyday technology is increasingly being weaponised against us. The ability of connected devices to listen in to us and TVs with ever-increasing processing capabilities are just scratching the surface. Our modern expectations of an improved user experience, combined with increasingly short product cycles and built in obsolescence, continue to force us forward.
Globalisation, an increasing world population driving more ideas and more available connectivity, are other contributing variables. Such innovation is fantastic but must also be addressed in a risk aware manner to ensure the benefits that come with it are managed in a way that businesses can successfully adjust to.
With this consumer demand brought into the workplace, enterprises are constantly looking to embrace and understand this world in order to create security solutions that can deal with the challenges.
Question: How is expectation impacting professional environments?
Today’s workforce is increasingly made up of Millennials and the newly termed Gen Z’s — digital natives that have grown-up in this age of constant connectivity. This workforce generally expects a faster, more connected work experience capable of evolving with them and adapting to their usage styles.
Such expectation can be intrinsically tied to user behaviour. This often translates into a potential threat to the business which, if exploited, can become a major issue for an enterprise’s security and its customers.
People can so easily be socially engineered or psychologically manipulated into giving away information to attackers. Tie this with the constantly growing attack surface, and we see an ever-increasing problem for companies looking to protect their assets.
The challenge for all organisations is providing anytime, anywhere, any device access to relevant work applications and resources in a way that supports connectivity and availability but minimises risk. This challenge is further exacerbated by the fact that users want everything to work quickly and efficiently at all times — bringing user patience to an all-time low.
Question: In a society of high expectation, what should security teams be focusing on right now?
Long gone are the days where reasonable cyber security was more a case of installing a firewall and deploying web and email filtering with no automation or correlation across all aspects.
Now, because we expect to be able to consume everything on the internet from any device and location at any point in time, enterprise’s networks are growing increasingly complex and difficult to protect. Humans simply don’t have the mental capacity to monitor and process the detail necessary to constantly protect business assets across such vast connectivity and transactional mass.
IT departments won’t be able to keep pace with the rate of technological change and the speed with which threats can develop without finding a way of ensuring that the systems they’re responsible for managing can uphold the agreed security standards on a regular, repeatable and consistent basis.
Automation is a key component in the solutions required. Automated systems are built on repeatable, controllable characteristics — they’re not emotional and don’t get tired — they’re logical and controllable.
By intelligently automating, you can significantly reduce the possibility for human error and thereby free up time to focus on innovating policy, driving risk assessment and feeding information back into the cycle to keep your protection consistently valid and appropriate.
Another aspect of this approach focuses on the intelligent use of managed security services: further enabling businesses to define service levels and concentrate on their core business, whilst handing off operational risk to those generally better equipped to deliver it.
Without this level of coordination between the business, the security and risk teams, the service providers, the connected devices and the users we cannot hope to build a sustainable platform to deliver lasting security to the masses.
Question: How will automation be built into the security models of the future?
The industry is moving towards adopting a zero trust approach. Indeed, at Cisco it’s an essential component of our core security strategy. It’s a fundamentally different way of understanding risk and adapting to user and attacker behaviour that removes the assumption that some users are safe simply because of their location or device.
The zero trust model focuses on understanding the user, their behaviour, their location and device, to ensure that risk is grasped in a much more granular way. This way, the potential gaps and how attackers might exploit them are factored into the working practices deployed. By taking this angle, you don’t waste resources on policing all the borders and paths across the network but focus instead on defining protections across the valuable systems and applications.
Zero trust allows us to understand the risk at every point of the user’s journey — be it internal or external. If we need to stop the journey, we can do it at the right point. This way, we’ll keep our risk profile low whilst upholding the high expectations of our users and ensuring that the business can respond appropriately and in a consistent and timely fashion.
Question: From your viewpoint working with a global leader in IT, networking and cybersecurity solutions, what challenges lie on the horizon?
The important thing to remember going forward is that the security threats of our modern age are cyclical. They won’t go away. Just as Moore’s law effectively implies that computing power will continue to double every two years or so, so too will user expectation, and then technological developments and, inevitably, the forces that threaten them.
Enterprises’ best method of defence for the future lies in re-evaluating their existing approaches and adopting a security model that can keep pace with the speed of change. This means building adaptive, integrated, automated and controllable security that begins at product level but extends into an adaptable solution delivered by sustainable resources.
Cyber security continues to be a never-ending game of cat and mouse — businesses need to embrace a model that pushes one step ahead and consistently keeps risk to a manageable level.