Cybernews met with Michael Petrov to talk about the importance and benefits of properly implemented cybersecurity management systems.
How did the idea of Digital Edge come to life?
Digital Edge went through an e-Commerce bubble crash, a financial crisis, and all the global technology shifts from client/server, to the Internet, to virtualization, to the public cloud. Each technological evolution influenced cybersecurity requirements and compliance.
Can you tell us about what you do? What are your main areas of focus?
We help people create and operate cybersecurity systems based on standards and/or legal requirements. Each company is unique and may be regulated by different laws or regulations. Some of them are not regulated, but even non-regulated companies must meet their legal “duty of care” requirements. Implementing cybersecurity standards is not much harder than implementing the software/hardware solutions that companies usually use for cybersecurity defense, and I find that it is easier to implement these systems when we follow a blueprint. Implementing standards and going through a proper certification process give our clients two significant advantages.
First, they can confidently prove that all the necessary safeguards were implemented. Second, they can prove that their “duty of care” responsibilities were duly considered. So, in cases of a breach, our clients can mount very strong defenses against negligence claims. Another advantage – our clients can demonstrate proven maturity in their business processes. In the current business environment, when companies must control their supply chains, such proof of maturity becomes a sharp competitive edge and a moneymaker for our clients.
You often mention the importance of risk management. Why is this practice crucial?
There are two reasons, one is legal, and one is technological. Courts use risk assessments to determine the “reasonableness” of the implemented cybersecurity measures. Risk Assessments demonstrate that a company thinks, plans, and executes on potential risks. The government doesn’t require us to divert all hacking attacks, and risk analysis will not guarantee full protection. However, risk analysis goes to prove that a company has met its “duty of care” obligations.
As for technological reasons, risks are a series of informed hypotheticals that we can create. It is important to do this analysis every year and make sure to assign realized incidents to those risks. Then we can have a clear picture of what is happening in real life. Some of the risks may be realized multiple times a year, and so we know we must pay special attention to them. Risk management also allows us to allocate proper budgets and implement sufficient technologies to control the risks. If IT security is not risk-driven, how could businesses assess whether the cybersecurity budgets requested are reasonable or not?
I think all cybersecurity professionals have a problem with visibility within the business. When nothing happens – you are an expense. When something bad happens – you are guilty. Risks, incidents, and analysis of the effectiveness of risk mitigation give an excellent way of reporting the state of cybersecurity to boards and executives.
How has the pandemic changed your organization’s approach to cybersecurity? Were there any new features added to your services as a result?
The pandemic affected the IT industry in many ways. I think we would have eventually gotten where we are now if the pandemic had never happened, but it would have taken much longer.
Here is what we see. There are two types of businesses from an IT infrastructure standpoint.
One type is legacy businesses that had a “Perimeter” in the past, and their whole security scheme was organized with the assumption that “everything in the perimeter is trusted, and all applications and users reside in that perimeter.” Those businesses are making their way to extend those perimeters, making them wider and more open, creating more paths to them. Basically, they are trying to figure out how to “globalize” their perimeters while keeping security intact at the same time.
The second type of business is the new “decentralized” business. These businesses use outside services from the get-go. While they use the same utilities that perimeter businesses were buying and placing inside their perimeters, these new businesses implement them in the form of internet-based SaaS platforms. These decentralized businesses are working in the opposite direction of legacy businesses. They are trying to put some centralization and governance on top of their decentralized collection of SaaS services while figuring out the necessary centralized cybersecurity controls along the way.
In both cases – today, the infrastructures, the problems, the efforts, and the plans look totally different from what we saw 2-3 years ago.
What issues can a business run into if it doesn’t have appropriate compliance certifications in place?
As we discussed earlier, certification is a result of implementing a framework that prescribes business processes and controls around cybersecurity. If controls are not implemented properly, there is a greater chance that some aspects of a company’s IT infrastructure will stay vulnerable. At the same time, the certification is an attestation that the business in question implemented the process by the book.
Today, nobody is surprised that if you are building something in, for example, the aviation industry, you need to comply with certain standards. If you make medical equipment – there are other standards.
Surprisingly, some people think that cybersecurity is different. They think that they can trust the opinion or the experience of an individual or a vendor. Imagine you build an aircraft and only go by the opinion of your head engineer. That would obviously be a dangerous approach, and in reality, if you do build a part for the aviation industry, nobody will deal with you unless you provide a quality certification. The same thing is needed with cybersecurity. The IT industry is going that way.
Since many companies are turning to cloud solutions to enhance security, are there any details that might be overlooked?
Absolutely. There is a common but wrong perception that the cloud will handle cybersecurity. Even though cloud providers may take responsibility for some of the controls, they also add to the difficulties in some ways. It is true that public clouds add agility to IT infrastructures. But in some cases, businesses enjoying this speed and convenience are not looking properly at the risk of that speed and convenience. For example, today’s developers are getting too much freedom from the compartmentalization of IT. They can do so many things without system administrators or interdepartmental bureaucracy, and it increases the risk of mismanagement. Gartner has predicted that by 2022 most of the cloud security failures will be the result of an organization’s mistakes, i.e., misconfigurations in the cloud. A single misconfiguration has the power to expose several thousand systems and sensitive data to the public internet.
It shouldn’t surprise anyone by now that there are standards on how to configure things in public clouds and how to stay in compliance. Unfortunately, we see a lot of cases where businesses enjoying the abilities of the public cloud rely on programmers and DevOps to implement the security. But it is not their profession, concentration, or concern. Their mission is to build. In fact, considerations of cybersecurity might be in conflict with development prerogatives. Again, IT as an industry needs to mature and follow in the regulatory footsteps of older industries. For example, in the construction industry, there are oversight agencies and acceptance processes. Government and businesses do not rely solely on architects and builders for public safety.
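As an added example that is not part of the interview, the check below audits a constructed cloud configuration (firewall ingress rules and a storage bucket, both invented here) for the kind of exposure to the public internet described above, and shows the weak settings beside a corrected copy that passes the same check.

```python
"""Audit a cloud-style configuration for exposure to the public internet."""
from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")
# Ports whose exposure to the whole internet is almost always a misconfiguration.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def is_world_open(cidr: str) -> bool:
    """True when a source CIDR admits every IPv4 or IPv6 address."""
    net = ip_network(cidr, strict=False)
    return net in (ANY_V4, ANY_V6)


def audit(config: dict) -> list:
    """Return one finding per world-reachable sensitive port or public bucket."""
    findings = []
    for rule in config.get("firewall_rules", []):
        if not is_world_open(rule["source"]):
            continue
        lo, hi = rule["ports"]  # inclusive port range admitted by the rule
        exposed = [f"{p}/{name}" for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append(f"rule {rule['name']}: {rule['source']} reaches {', '.join(exposed)}")
    for bucket in config.get("buckets", []):
        if bucket.get("public_read"):
            findings.append(f"bucket {bucket['name']}: public read enabled")
    return findings


# Constructed configurations (hypothetical names, not any real environment).
WEAK = {
    "firewall_rules": [
        {"name": "db-access", "source": "0.0.0.0/0", "ports": (0, 65535)},
        {"name": "web", "source": "0.0.0.0/0", "ports": (443, 443)},  # HTTPS only: fine
    ],
    "buckets": [{"name": "customer-exports", "public_read": True}],
}
FIXED = {
    "firewall_rules": [
        {"name": "db-access", "source": "10.0.0.0/8", "ports": (0, 65535)},
        {"name": "web", "source": "0.0.0.0/0", "ports": (443, 443)},
    ],
    "buckets": [{"name": "customer-exports", "public_read": False}],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(cfg) or ["no public exposure"])
```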
Why do you think certain organizations struggle to keep their cybersecurity up to date?
This answer is the same as the answer to most questions - the money. For most businesses, cybersecurity is an expense. Executives want to minimize expenses. This is why detailed risk analysis is so important. It has the ability to show the executives exactly what they are risking by not maintaining their cybersecurity system.
Some businesses, even regulated ones, were thinking: “We take a risk not following the requirements. However, if we are not audited, we save money; and even if we are audited, it is possible that the penalty is lower than the cost of implementation”.
In effect, businesses were thinking of cybersecurity like insurance. However, cybersecurity should be thought of more along the lines of taking cholesterol medicine to prevent a heart attack. I think understanding the necessity of managing cholesterol comes with maturity, just like understanding the necessity of cybersecurity.
In your opinion, what cyberattacks can we expect to see more of in the near future? What actions can individuals take to protect themselves?
Most future attacks will have their opportunities based on misconfigurations, just as Gartner predicts. I believe that we will be in a position where we would know how to secure infrastructures to be impenetrable if it weren’t for two destabilizing factors: vulnerabilities introduced by changes and human mistakes. Both are inevitable. Both should be closely monitored.
Share with us, what’s next for Digital Edge?
We see our mission in educating organizations, in simplifying and standardizing IT security processes. Given the challenges ahead, we need to maintain our aggressive posture against Advanced Persistent Threats.
Cybersecurity is not just a set of tools. Imagine a fortress with lots of weapons but no soldiers. Or with soldiers, but no training. The strength of an army has as much to do with its training and organization of troops as it does with its technology.
We are confident that with the proper focus, sufficient resources, and adequate training, we will remain a leading defensive force for decades to come.